Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
790
Views
0
Helpful
4
Replies

Perform DNS Doctoring with the static cmd and 3 NAT Intf

ctivig
Level 1
Level 1

‎08-19-2007 10:02 AM - edited ‎03-11-2019 03:59 AM

I have the same scemario as in the example mentioned by the link below, but it doesnt work. I have opend a case with Cisco, got to tier 3 with no resolution ...

I basically need to access from inside my DMZ servers on both the public and the dmz IPs. Cannot make it work. I can only make it work for one of the IP (either the dmz or the public IPs).

Anyone who ran into this and could share the fix ?

Much appreciated !

Constantin

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Labels:
0 Helpful
4 Replies 4

srue
Level 7
Level 7

‎08-19-2007 12:49 PM

can you tell us what you've tried, and maybe post any configs that you've tried? just to be sure, dns inspection is turned on?

0 Helpful

ctivig
Level 1
Level 1
In response to srue

‎08-20-2007 06:03 AM

Well, I have tried destination NAT and it didnt work, then I have tried DNS doctoring, same.

And then I have tried both, no luck.

My config is similar to what the example shows (just the IPs are different).

As for the destination NAT I have tried multiple combinations (dmz-inside, outside-dmz).

(And of course I have issued the clear-xlate commnand after each change :-))

0 Helpful

acomiskey
Level 10
Level 10
In response to ctivig

‎08-20-2007 07:29 AM

Destination nat does work.

dmz ip = 192.168.1.1

public ip = 1.1.1.1

static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

This will allow you to hit the server from the inside with 1.1.1.1 only. You will not be able to use one or the other or both at the same time.

0 Helpful

ctivig
Level 1
Level 1
In response to acomiskey

‎08-20-2007 07:42 AM

Thank you.

This is what I have experienced as well.

The thing is that on the PIX 6.3.5 I am able to hit both the public and the dmz IPs at the same time (alias command).

When we "upgraded" to the asa 7.x, the alias command stopped working and we ended up with issue described.

The network has now been put back on the PIX to allow the business to work but I will have to find a solution soon.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card