DNS Issue due to translation

Unanswered Question
Apr 6th, 2010

Hey Everyone,

I am facing a DNS issue due to NAT, i think dns doctoring can solve this but the scenario is a little different so not sure of the exact solution.

Attached is the network diagram. Exchange Server , DNS and Domain Controller are all located on a single physical server which has an IP 172.20.10.100. Both the server and the intenal users reside on the inside subnet. In the DNS the name-to-IP mapping is for example srv.abc.com -> 172.20.10.100. The Inside users have no connectivity issue.

The server is translated to 192.168.100.20 when accessing the outside network, this is a static translation

static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask 255.255.255.255

The Branch users when they access they try to resolve srv.abc.com get the mapping to 172.20.10.100 which does not allow communication using name as Branch users cannot access 172.20.10.100 but they can access 192.168.100.20.

What needs to be configured on the ASA to resolve this issue ?

will this work

static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask  255.255.255.255 dns

??

Thanks

Zeeshan

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Tue, 04/06/2010 - 04:07

Yes, dns doctoring will work as long as the branch user uses 192.168.100.20 as its dns server for dns resolution.

Muhammad Zeesha... Tue, 04/06/2010 - 06:07


halijenn

It didn't work. I specified the command using dns keyword and flushed the DNS on the Branch host, the host still resolves the name of the server to 172.20.10.100. Is there any other thing which needs to be done.

Thanks

Zeeshan Sanaullah

Jennifer Halim Tue, 04/06/2010 - 06:17

Is the user using the public ip address of the HQ dns server for dns resolution? It will only work if the dns request passes through the HQ ASA where the static with "dns" keyword is configured, and the reply goes back through the ASA as well.

Can you please confirm what DNS server is used at your branch host?

Muhammad Zeesha... Tue, 04/06/2010 - 06:37

The Branch user has 192.168.100.20 configured as the DNS Server. Yes the DNS request passes through the ASA.

Muhammad Zeesha... Tue, 04/06/2010 - 23:31

DNS Inspection is on ... as shown below

class-map inspection_default

match default-inspection-traffic

policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect esmtp
  inspect dns
  inspect http

Kureli Sankar Wed, 04/07/2010 - 05:00

Remove the "dns" keyword from the static. This should resolve the issue.

The inside hosts are getting resolution from the inside DNS and they are wroking fine.

The outside folks do not need to get the inside IP upon resolving so, remove the dns keyword from the static.

-KS

Muhammad Zeesha... Wed, 04/07/2010 - 08:21

@kusankar

The actual configuration is without dns keyword. I added dns keyword to see if the issue resolves but it did not.

Outside hosts when they resolve srv.abc.com they get 172.20.10.100 but they should get 192.168.100.20 after dns keyword is entered.

@halijenn

The ASA OS version is 7.07  ... can it be software issue ???

Thanks

Zeeshan

Kureli Sankar Wed, 04/07/2010 - 08:30

Can you temporarily just remove dns inspection and see if this works. If it does then we can exclude dns inspection for this remote network and add dns inspection for all other traffic.

-KS

Actions

This Discussion