UDP and NAT problem

Unanswered Question
Jun 17th, 2009


Screened Subnet (behind ASA) =

I have numerous static NAT entries for HTTPS traffic to the 3.0 network, advertised on the outside as a 1.0 address.

The 1.0 network is a directly connected network between my border and the firewall.

We attempted to move one of our DNS servers behind the ASA to a 3.0 address, and continue to advertise it to the outside as a 1.0 address.

For some reason, this did not work. But it does work for TCP traffic. As soon as I put in a static route in the border router, forcing that IP to the firewall, traffic to the DNS server started flowing.

Is this because of the connectionless nature of UDP?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2.5 (2 ratings)
bwilmoth Tue, 06/23/2009 - 06:24

Dynamic allocation requires state information that is not always available. Although TCP state information can be easily tracked and controlled, UDP traffic offers no mechanism at the packet header level to determine whether a packet is part of an ongoing conversation or if it is an isolated event. In such cases, when NAT systems have no additional security support, they need to guess how long a particular translation should be maintained. Cisco IOS Firewall provides functionality to set idle time on UDP sessions to limit such cases.

svaish Tue, 06/23/2009 - 06:27

Try using DNS keyword with the static command , DNS keyword helps firewall to track DNC request


This Discussion