
Perform DNS Doctoring with the static cmd and 3 NAT Intf

Aug 19th, 2007

I have the same scenario as in the example mentioned by the link below, but it doesn't work. I have opened a case with Cisco, got to tier 3 with no resolution ...


I basically need to access my DMZ servers from inside on both the public and the DMZ IPs. Cannot make it work. I can only make it work for one of the IPs (either the DMZ or the public IPs).


Anyone who ran into this and could share the fix?


Much appreciated!


Constantin



http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

srue Sun, 08/19/2007 - 12:49

can you tell us what you've tried, and maybe post any configs that you've tried? just to be sure, dns inspection is turned on?

ctivig Mon, 08/20/2007 - 06:03

Well, I have tried destination NAT and it didn't work, then I have tried DNS doctoring, same.

And then I have tried both, no luck.

My config is similar to what the example shows (just the IPs are different).

As for the destination NAT I have tried multiple combinations (dmz-inside, outside-dmz).

(And of course I have issued the clear xlate command after each change :-))



acomiskey Mon, 08/20/2007 - 07:29

Destination NAT does work.


dmz ip = 192.168.1.1

public ip = 1.1.1.1


static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255


This will allow you to hit the server from the inside with 1.1.1.1 only. You will not be able to use one or the other or both at the same time.
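To make the mechanism behind the two approaches in this thread concrete, here is an added Python example (not code from the thread, Cisco, or the linked configuration example). It models what DNS doctoring does on the firewall: DNS inspection watches A-record replies passing through, and where an answer carries the public address of a static translation (here the 1.1.1.1 to 192.168.1.1 mapping from the reply above), it rewrites that answer to the translated DMZ address before the reply reaches the inside client, so the client then connects to the DMZ IP directly and no destination NAT on the inside interface is needed. The mapping, the DNS reply and the hostname are constructed sample data; the parser only handles the minimal response layout it builds itself (one question, label-pointer answer names), which is enough to show the rewrite.

```python
import socket
import struct

# Constructed static mapping, mirroring the reply above: public 1.1.1.1 <-> DMZ 192.168.1.1.
STATIC_MAP = {"1.1.1.1": "192.168.1.1"}


def build_a_response(txid, name, addrs):
    """Construct a minimal DNS response (sample data) with one question and one A answer per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # standard response, no error
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addrs:
        # name is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answers


def skip_name(data, off):
    """Return the offset just past a DNS name starting at off (labels or a compression pointer)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += 1 + length


def a_record_offsets(data):
    """Return [(rdata_offset, ip)] for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((off, socket.inet_ntoa(data[off:off + 4])))
        off += rdlen
    return found


def doctor_response(data, mapping):
    """Rewrite A answers whose address is a public IP in the static mapping to the translated address.

    Returns (doctored_bytes, [(original_ip, translated_ip), ...]).
    """
    out = bytearray(data)
    rewritten = []
    for off, ip in a_record_offsets(data):
        if ip in mapping:
            out[off:off + 4] = socket.inet_aton(mapping[ip])
            rewritten.append((ip, mapping[ip]))
    return bytes(out), rewritten


def answered_addresses(data):
    """List the A-record addresses an inside client would see in this reply."""
    return [ip for _, ip in a_record_offsets(data)]


if __name__ == "__main__":
    reply = build_a_response(0x1234, "www.example.com", ["1.1.1.1", "2.2.2.2"])
    doctored, changes = doctor_response(reply, STATIC_MAP)
    print("before:", answered_addresses(reply))
    print("after: ", answered_addresses(doctored), changes)
```

The reply with no matching static mapping passes through untouched, which is the case to check first when doctoring "does nothing": the `dns` keyword has to sit on the static that owns the public address, and DNS inspection has to be applied to the traffic carrying the reply, otherwise the inside client keeps the public answer and is back to needing the `static (dmz,inside)` translation shown above.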

ctivig Mon, 08/20/2007 - 07:42

Thank you.

This is what I have experienced as well.

The thing is that on the PIX 6.3.5 I am able to hit both the public and the dmz IPs at the same time (alias command).

When we "upgraded" to the ASA 7.x, the alias command stopped working and we ended up with the issue described.


The network has now been put back on the PIX to allow the business to work but I will have to find a solution soon.
