ACE module dns rewrite

Unanswered Question

Hi all,

We're using the ACE with static NAT. We have three interfaces: one outside and two inside. On one of the insides we have an FTP server and on the other inside we have the client. The client needs to connect to the FTP server, but it wants to connect on the public DNS name.

A classic example of DNS doctoring, which can be solved on the ASA by doing:

static (bla,bla) blablabla dns

Now I've read that the ACE module does this automatically with dns inspection enabled:

("Translates the DNS A-record based on the NAT configuration")

However I can't get it to work.

I have my inspection policy-map attached to all three interfaces and I am sure my DNS request goes through the ACE.

I see hits on the DNS inspection policy but the dns answer I get still has the public IP listed and not the internal one.

I hope my story is clear...

Anyone got a clue on how to figure this out? Anyone got a similar setup working?



Gilles Dufour Mon, 04/27/2009 - 06:31

Where is the dns server ?

Inside or outside ?

Our inspection has no knowledge of inside/outside. It only performs NATing from local to global.

So if the answer is already the global address, we don't do anything.

But I assume ACE is the default gateway for the client, so the traffic should still hit ACE, which will be able to NAT the traffic if you have the NATing policy on the inside interface as well.
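To make the behaviour Gilles describes concrete (inspection rewrites A-record data only from a local to a global address, and leaves an answer that already carries the global address untouched), here is an added Python model of that rewrite over a raw DNS response. It is not ACE code; the NAT table, the hostname and the addresses are constructed for the example.

```python
import struct

# Constructed static NAT table for the scenario in the thread: local (inside) -> global (outside)
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}  # example addresses, not from the thread

def _skip_name(msg, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def doctor_dns_response(msg, nat=STATIC_NAT):
    """Rewrite A-record rdata local->global, as the inspection does.
    Answers whose address is not a local NAT address are left as they are."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                # end of the fixed 12-byte header
    for _ in range(qdcount):                # skip the question section
        off = _skip_name(msg, off) + 4      # qtype + qclass
    rewritten = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:       # A record: 4-byte IPv4 rdata
            addr = ".".join(str(b) for b in msg[off:off + 4])
            if addr in nat:                 # only local -> global is translated
                out[off:off + 4] = bytes(int(x) for x in nat[addr].split("."))
                rewritten.append((addr, nat[addr]))
        off += rdlen
    return bytes(out), rewritten

def build_response(name, addr):
    """Build a minimal one-answer DNS response (constructed test input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in addr.split("."))
    return header + question + answer

def answer_addr(msg):
    """Return the IPv4 address held in the last 4 bytes of a one-answer response."""
    return ".".join(str(b) for b in msg[-4:])
```

Running `doctor_dns_response(build_response("ftp.example.com", "10.1.1.10"))` returns the response with the global address, while a response that already answers `203.0.113.10` comes back unchanged, which is the case the original poster is seeing.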


