Perform DNS Doctoring with the static cmd and 3 NAT Intf

Unanswered Question
Aug 19th, 2007

I have the same scemario as in the example mentioned by the link below, but it doesnt work. I have opend a case with Cisco, got to tier 3 with no resolution ...

I basically need to access from inside my DMZ servers on both the public and the dmz IPs. Cannot make it work. I can only make it work for one of the IP (either the dmz or the public IPs).

Anyone who ran into this and could share the fix ?

Much appreciated !


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
srue Sun, 08/19/2007 - 12:49

can you tell us what you've tried, and maybe post any configs that you've tried? just to be sure, dns inspection is turned on?

ctivig Mon, 08/20/2007 - 06:03

Well, I have tried destination NAT and it didnt work, then I have tried DNS doctoring, same.

And then I have tried both, no luck.

My config is similar to what the example shows (just the IPs are different).

As for the destination NAT I have tried multiple combinations (dmz-inside, outside-dmz).

(And of course I have issued the clear-xlate commnand after each change :-))

acomiskey Mon, 08/20/2007 - 07:29

Destination nat does work.

dmz ip =

public ip =

static (dmz,inside) netmask

This will allow you to hit the server from the inside with only. You will not be able to use one or the other or both at the same time.

ctivig Mon, 08/20/2007 - 07:42

Thank you.

This is what I have experienced as well.

The thing is that on the PIX 6.3.5 I am able to hit both the public and the dmz IPs at the same time (alias command).

When we "upgraded" to the asa 7.x, the alias command stopped working and we ended up with issue described.

The network has now been put back on the PIX to allow the business to work but I will have to find a solution soon.


This Discussion