DNS and NAT problem

jmprats
Level 4

Hello, I have a problem with the DNS. Three zones: outside, dmz, inside. Users of a DMZ VLAN are using an external DNS server, but they must be able to access the internal mail server (inside). When trying to resolve the mail server IP, the DNS gives them the public IP, but they have to convert it to an internal IP to access the inside server.

How can I resolve that?

Thanks

4 Replies

Jennifer Halim
Cisco Employee

You can configure dns doctoring (ie: with the "dns" keyword) on the static statement for the mail server.

Example:

Mail server private ip: 10.0.0.8

Mail server NATed (public ip) 200.0.0.8

static (inside,outside) 200.0.0.8 10.0.0.8 netmask 255.255.255.255 dns

Before testing it again, please make sure you flush the dns entry on the dmz host.

Hope that helps.

Hi, but my users are not on the inside; they are external wireless users and they are in the DMZ, the DNS server is outside and the email server is inside.

I think this "static (inside,outside)" command is of no use for a DMZ user, or is it?

Thanks

You advised that external wireless users are connected to the DMZ and the DNS server is on the outside. So will the wireless users resolve DNS using the outside DNS server, and do the DNS request and reply actually go through the ASA from the DMZ to the outside interface? If the DNS resolution goes through the ASA firewall, then my previous solution is the correct one, exactly the same as the following sample configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Based on the sample configuration:

- Your internal mail server would be the www server in DMZ.

- The DNS servers in both the sample config and your config are on the outside of the ASA.

- Both your wireless users and the sample config's inside users are on a different interface from the actual server.

If the DNS resolution does not actually pass through the ASA, then you would need to configure the following:

static (dmz,inside) 10.0.0.8 200.0.0.8 netmask 255.255.255.255

Hope that helps.
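To make clear what the `dns` keyword on the static does, here is an added Python illustration (not Cisco code and not part of this thread) of DNS doctoring: the firewall inspects a DNS reply passing from the outside DNS server toward the DMZ host and rewrites any A-record answer carrying the mapped address 200.0.0.8 to the real address 10.0.0.8. The mapping dictionary and the sample reply are constructed from the addresses in the thread; the name `mail.example.com` is a placeholder, and the direction check the ASA performs is simplified away.

```python
import struct
import ipaddress

# Constructed from the thread: NATed (mapped) ip -> private (real) ip
STATIC_DNS_MAP = {"200.0.0.8": "10.0.0.8"}

def _skip_name(pkt, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(pkt, mapping=STATIC_DNS_MAP):
    """Rewrite A-record RDATA in a DNS reply the way the 'dns' keyword does.

    Returns (rewritten_packet, number_of_records_rewritten)."""
    pkt = bytearray(pkt)
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                           # skip the 12-byte header
    for _ in range(qdcount):           # skip the question section
        off = _skip_name(pkt, off) + 4 # QTYPE + QCLASS
    rewritten = 0
    for _ in range(ancount):           # walk the answer RRs
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record: 4-byte IPv4 RDATA
            addr = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            if addr in mapping:        # mapped ip seen by the DMZ host -> real ip
                pkt[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
                rewritten += 1
        off += rdlen
    return bytes(pkt), rewritten

def build_reply(name, addr):
    """Constructed minimal DNS reply: one question, one A answer (compressed name)."""
    labels = b"".join(struct.pack("!B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA set
    question = labels + struct.pack("!HH", 1, 1)                   # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer

if __name__ == "__main__":
    fixed, count = doctor_dns_reply(build_reply("mail.example.com", "200.0.0.8"))
    print(count, ipaddress.IPv4Address(fixed[-4:]))   # 1 10.0.0.8
```

Note that the ASA only doctors replies that actually traverse it with DNS inspection enabled, which is why the second static is needed when resolution bypasses the firewall.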

Thanks.
