DMZ = 172.16.1.0/24
Screened Subnet (behind ASA) = 172.16.3.0/24
I have numerous static NAT entries for HTTPS traffic to the 3.0 network, advertised on the outside as a 1.0 address.
The 1.0 network is a directly connected network between my border and the firewall.
We attempted to move one of our DNS servers behind the ASA to a 3.0 address, and continue to advertise it to the outside as a 1.0 address.
For some reason, this did not work. But it does work for TCP traffic. As soon as I put in a static route in the border router, forcing that IP to the firewall, traffic to the DNS server started flowing.
Is this because of the connectionless nature of UDP?
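A quick way to narrow this down before touching routes or NAT is to query the advertised address over both transports and compare the results. The probe below is an added example, not something from the original post: it builds a minimal DNS A query, sends it over UDP (bare datagram) and over TCP (same message with the two-byte length prefix RFC 1035 requires), and parses the reply. The server address, query name and timeout are arguments you supply; `SAMPLE_RESPONSE` is a constructed reply used only to exercise the parser offline.

```python
import socket
import struct
import sys


def encode_name(name):
    # Wire-format domain name: length-prefixed labels terminated by a zero byte.
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234):
    # Header: id, flags (RD set), qdcount=1, ancount/nscount/arcount=0; then one A/IN question.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def frame_for_tcp(msg):
    # DNS over TCP prefixes each message with its 16-bit length; UDP carries the bare message.
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, offset):
    # Reads a (possibly compressed) name; returns (name, offset just past it in the stream).
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip question section
        _, offset = decode_name(msg, offset)
        offset += 4
    addresses = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "truncated": bool(flags & 0x0200),
            "answers": addresses}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe(server, proto, name="example.com", timeout=2.0):
    # Returns the parsed reply, or None if nothing came back within the timeout.
    query = build_query(name)
    if proto == "udp":
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    else:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if proto == "udp":
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
        else:
            s.connect((server, 53))
            s.sendall(frame_for_tcp(query))
            length = struct.unpack("!H", recv_exact(s, 2))[0]
            data = recv_exact(s, length)
    except (socket.timeout, OSError):
        return None
    finally:
        s.close()
    return parse_response(data)


# Constructed reply (not captured traffic): id 0x1234, flags QR|RD|RA, one A answer 172.16.1.10
# for ns1.example.com, with the answer name given as a pointer to the question name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("ns1.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([172, 16, 1, 10]))

if __name__ == "__main__":
    # usage: python dnsprobe.py <advertised-address> [name]
    target = sys.argv[1]
    qname = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    for proto in ("udp", "tcp"):
        print(proto, probe(target, proto, qname))
```

Run it against the advertised 1.0 address from outside the border: a TCP answer alongside a UDP `None` confirms the transport-specific symptom described above and rules out the DNS service itself, so the next thing to check is how the border router resolves and forwards packets for that address (connected-route ARP behaviour versus an explicit route to the firewall), rather than the server.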