DNS and NAT problem

Unanswered Question
Jun 21st, 2010

Hello, I have a problem with the DNS. Three zones: outside, dmz, inside. Users of a DMZ VLAN are using an external DNS server, but they must be able to access the internal mail server (inside). When trying to resolve the mail server IP, the DNS gives them the public IP, but they have to convert it to an internal IP to access the inside server.

How can I resolve that?


Jennifer Halim Mon, 06/21/2010 - 03:33

You can configure DNS doctoring (i.e. with the "dns" keyword) on the static statement for the mail server.


Mail server private ip:

Mail server NATed (public ip)

static (inside,outside) netmask dns

Before testing it again, please make sure you flush the dns entry on the dmz host.

Hope that helps.

jmprats Mon, 06/21/2010 - 03:43

Hi, but my users are not in inside, they are external wireless users and they are in dmz, dns server is outside and email server is inside.

I think this "static (inside,outside)" command is nothing for a dmz user, or not?


Jennifer Halim Mon, 06/21/2010 - 04:22

You advised that external wireless users are connected to the DMZ and the DNS server is on the outside. So will wireless users resolve DNS using the outside DNS server, and do the DNS request and reply actually go through the ASA from the DMZ to the outside interface? If the DNS resolution goes through the ASA firewall, then my previous solution is the correct solution, exactly the same as the following sample configuration:


Based on the sample configuration:

- Your internal mail server would be the www server in DMZ.

- Both dns server for sample config and your config are on the outside of the ASA.

- Both users, your wireless users, and sample config inside users are on a different interface than the actual server.

If the DNS resolution does not actually pass through the ASA, then you would need to configure the following:

static (dmz,inside) netmask

Hope that helps.

