NAT Problem from inside to inside with DNS entry (ASA)

Jul 6th, 2010

Hi Guys

I have a problem with the solution for a web portal on my ASA 5520. I'd like to connect to the web portal using its public IP address. That sounds easy.

The situation is as follows:

1. The web portal server is in the same network as the client.

2. The connection has to be opened using the public DNS entry.

3. The internal DNS server has to remain untouched.

example: has the public IP

the web server has the internal IP

an existing NAT rule is installed like: static (INSIDE,OUTSIDE) tcp https https netmask  dns

Now I want to connect from my network to my web portal using the DNS entry.

What do I have to do?

Thanks for the replies

Jennifer Halim (Cisco Employee) Tue, 07/06/2010 - 03:22

With the existing "dns" keyword configured on the static statement, as well as DNS inspection enabled on the ASA global_policy, plus if the DNS request and reply actually pass through the ASA, then your internal host should be receiving the private IP address of the web server when performing DNS resolution.

The above statement is true if your internal host is using an external DNS server for the resolution of your web server, and the DNS resolution goes through the ASA.

Basically what will happen is: the internal host performs DNS resolution, and the DNS request goes outbound towards the external DNS server. The external DNS server will reply with the public IP address, and once the DNS reply passes through the ASA, the ASA will inspect the DNS reply and modify the reply from the web server's public IP address to the private IP address. Once the internal host receives the DNS reply, the entry resolves to the private IP address.

Please let me know if you are not using the external DNS server to resolve the DNS, and the DNS request/reply does not go through the ASA.
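The rewrite Jennifer describes (DNS doctoring: the "dns" keyword on the static plus "inspect dns") works on the DNS reply packet itself, which is why it only helps when that reply actually crosses the ASA. The following is an added Python model of that behaviour and is not code from the thread or from Cisco: it builds a constructed DNS response, then rewrites any A record whose address is the static's global (public) address to the local (private) address, exactly as the inspection engine would. The addresses 203.0.113.10 and 192.168.10.10 and the name portal.example.com are constructed placeholders, since the original post omits the real values.

```python
import struct
from ipaddress import IPv4Address

# Static NAT table modelled on "static (INSIDE,OUTSIDE) tcp <global> https <local> https ... dns".
# Constructed placeholder addresses: global (public) -> local (private).
STATIC_NAT = {
    IPv4Address("203.0.113.10"): IPv4Address("192.168.10.10"),
}


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_reply(name: str, address: str, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Constructed DNS response with a single A record, standing in for what an
    external resolver would send back to the internal client."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rdata = IPv4Address(address).packed
    # The answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def skip_name(packet, offset: int) -> int:
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def a_record_offsets(packet):
    """Yield the RDATA offset of every A record in the answer section of a response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", packet, 0)
    if not flags & 0x8000:             # QR bit clear: this is a query, nothing to rewrite
        return
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(packet, offset) + 4          # QTYPE + QCLASS
    for _ in range(ancount):
        offset = skip_name(packet, offset)
        rtype, _, _, rdlength = struct.unpack_from("!HHIH", packet, offset)
        offset += 10                                    # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rdlength == 4:
            yield offset
        offset += rdlength


def doctor_dns_reply(packet: bytes, static_nat: dict) -> bytes:
    """Model of ASA DNS doctoring: every A record answering with a static NAT
    global address is rewritten in place to the matching local address."""
    buf = bytearray(packet)
    for off in a_record_offsets(buf):
        addr = IPv4Address(bytes(buf[off:off + 4]))
        if addr in static_nat:
            buf[off:off + 4] = static_nat[addr].packed
    return bytes(buf)


def answered_addresses(packet: bytes) -> list:
    """Addresses carried by the A records of a response, in order."""
    return [str(IPv4Address(bytes(packet[off:off + 4]))) for off in a_record_offsets(packet)]


def address_seen_by_client(reply: bytes, static_nat: dict, reply_crosses_asa: bool) -> str:
    """What the internal client ends up with: the reply is doctored only when it
    traverses the ASA (external resolver). A reply from an internal resolver
    never crosses the firewall and arrives with the public address unchanged."""
    seen = doctor_dns_reply(reply, static_nat) if reply_crosses_asa else reply
    return answered_addresses(seen)[0]


if __name__ == "__main__":
    reply = build_a_reply("portal.example.com", "203.0.113.10")
    print("external resolver, via ASA :", address_seen_by_client(reply, STATIC_NAT, True))
    print("internal resolver, no ASA  :", address_seen_by_client(reply, STATIC_NAT, False))
```

The second case in the usage is the original poster's situation: with an internal resolver the reply never touches the ASA, so no doctoring happens and the client is left trying to reach the public address from inside, which is what the hairpin static discussed later in the thread addresses.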

Patrik Eberle Tue, 07/06/2010 - 04:34

Should it be possible that the ASA has a DNS IP address for the checks? It sounds like the only reason that this service doesn't work.

I have installed this DNS feature.

Jennifer Halim (Cisco Employee) Tue, 07/06/2010 - 04:36

Do you have "inspect dns" configured?

Are you using an external DNS server to resolve the web server DNS?

Patrik Eberle Tue, 07/06/2010 - 04:42

The clients use an internal DNS and the firewall does not have a DNS included yet.

The DNS inspection is already included in the config.

Jennifer Halim (Cisco Employee) Tue, 07/06/2010 - 04:48

As advised earlier, the solution only works if the client uses an external DNS server and if the DNS resolution goes through the ASA.

In your case, since the user is using the internal DNS, I assume that the internal DNS resolves the web server to the public IP address?

If that is the case, then you would need to configure the following, as you cannot make use of the DNS inspection feature in the ASA:

same-security-traffic permit intra-interface

static (INSIDE,INSIDE) tcp https https netmask

Further to that, if you have the "nat (INSIDE) 1 0 0" command, you would need to add "global (INSIDE) 1 interface" as well.

WStoffel1 Thu, 11/29/2012 - 12:18

Yet another NAT issue I had recently, and this was the exact fix. Thanks Jennifer!
