06-21-2010 01:33 AM - edited 03-11-2019 11:01 AM
Hello, I have a problem with the DNS. Three zones: outside, dmz, inside. Users of a DMZ-VLAN are using an external DNS server, but they must be able to access the internal mail server (inside). When trying to resolve the mail server IP, the DNS gives them the public IP, but they have to convert it to an internal IP to access inside server.
How can I resolve that?
Thanks
06-21-2010 03:33 AM
You can configure DNS doctoring (i.e., with the "dns" keyword) on the static statement for the mail server.
Example:
Mail server private IP: 10.0.0.8
Mail server NATed (public) IP: 200.0.0.8
static (inside,outside) 200.0.0.8 10.0.0.8 netmask 255.255.255.255 dns
Before testing it again, please make sure you flush the DNS cache on the DMZ host.
Hope that helps.
06-21-2010 03:43 AM
Hi, but my users are not on the inside; they are external wireless users and they are in the DMZ. The DNS server is outside and the email server is inside.
I think this "static (inside,outside)" command does nothing for a DMZ user, or does it?
Thanks
06-21-2010 04:22 AM
You advised that external wireless users are connected to the DMZ and the DNS server is on the outside. So will the wireless users resolve DNS using the outside DNS server, and do the DNS request and reply actually go through the ASA from the DMZ to the outside interface? If the DNS resolution goes through the ASA firewall, then my previous solution is correct, exactly the same as the following sample configuration:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
Based on the sample configuration:
- Your internal mail server would be the www server in the DMZ.
- In both the sample config and your config, the DNS server is on the outside of the ASA.
- Both sets of users, your wireless users and the sample config's inside users, are on a different interface than the actual server.
If the DNS resolution does not actually pass through the ASA, then you would need to configure the following:
static (dmz,inside) 10.0.0.8 200.0.0.8 netmask 255.255.255.255
Hope that helps.
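The two cases above, written out as a fuller ASA configuration. This is an added example, not the thread author's configuration or Cisco's sample: the interface names (inside, dmz, outside), the DMZ subnet 192.168.50.0/24, the mail ports (25/143/443) and the hostname mail.example.com are assumptions. It uses the pre-8.3 static syntax from the thread (real interface, mapped interface, mapped address, real address), and shows the 8.3+ object NAT equivalent beside it.

```cisco
! --- Case 1: the DNS reply crosses the ASA (DMZ host -> outside DNS server) ---
! DNS doctoring rewrites the A record 200.0.0.8 -> 10.0.0.8 in the reply as it
! passes from outside to dmz. The static lives on (inside,outside) because that
! is the pair the mapped address 200.0.0.8 belongs to; the DMZ client only needs
! to be on a different interface than the server.
static (inside,outside) 200.0.0.8 10.0.0.8 netmask 255.255.255.255 dns

! Doctoring only happens if DNS inspection is on; this is the default global
! policy, shown here so it can be verified with "show run policy-map".
policy-map global_policy
 class inspection_default
  inspect dns

! dmz (lower security) -> inside (higher security) still needs an ACL.
! The DMZ hosts now connect to the real address, so permit 10.0.0.8.
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 host 10.0.0.8 eq 25
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 host 10.0.0.8 eq 143
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 host 10.0.0.8 eq 443
access-group DMZ_IN in interface dmz

! --- Case 2: the DNS reply does NOT cross the ASA (cached, or a resolver the
! ASA never sees). The DMZ host keeps using 200.0.0.8, so give it a translated
! path: present the inside host to the dmz under its public address.
! (Use instead of, or in addition to, case 1; the ACL then matches 200.0.0.8.)
static (inside,dmz) 200.0.0.8 10.0.0.8 netmask 255.255.255.255
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 host 200.0.0.8 eq 25

! --- Same thing on ASA 8.3 and later (object NAT) ---
object network MAIL_SRV
 host 10.0.0.8
 nat (inside,outside) static 200.0.0.8 dns
object network MAIL_SRV_DMZ
 host 10.0.0.8
 nat (inside,dmz) static 200.0.0.8

! --- Checks, run after clearing the DMZ host's resolver cache ---
! On the DMZ host:  nslookup mail.example.com   -> expect 10.0.0.8 (case 1)
! On the ASA, confirm the DMZ -> inside path is allowed and translated:
! packet-tracer input dmz tcp 192.168.50.10 1025 10.0.0.8 25     (case 1)
! packet-tracer input dmz tcp 192.168.50.10 1025 200.0.0.8 25    (case 2)
! show xlate   -> shows the static translations once traffic has passed
```

If the packet-tracer output ends in a DROP at the ACCESS-LIST or NAT phase, the DNS side is not the problem; the doctoring only changes what address the client dials, the ACL and the (inside,dmz) translation decide whether that address is reachable.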
06-21-2010 05:22 AM
Thanks.