NAT Problem from inside to inside with DNS entry (ASA)

Unanswered Question
Jul 6th, 2010

Hi guys,

I have a problem with the solution for a Web-Portal on my ASA5520. I'd like to connect to a Web-Portal with the Public ip address. That sounds easy.

The following is the situation:

1. The Web-Portal server is in the same network as the client.

2. The connection has to be opened with the public DNS entry.

3. The internal DNS server has to be untouched.

Example:

web.portal.com has the public IP 1.1.1.1

The webserver has the internal IP 172.16.24.70

An existing NAT rule is installed like: static (INSIDE,OUTSIDE) tcp 1.1.1.1 https 172.16.24.70 https netmask 255.255.255.255 dns

Now I want to connect from my network 172.16.24.0/24 to my Web-Portal with the DNS entry web.portal.com

What do I have to do?

Thanks for the replies

Jennifer Halim Tue, 07/06/2010 - 03:22

With the existing "dns" keyword configured on the static statement, as well as dns inspection enabled on the ASA global_policy, plus if the DNS request and reply actually pass through the ASA, then your internal host should be receiving the private ip address of the web server when performing DNS resolution.

The above statement is true if your internal host is using external DNS server for the resolution of your web server: web.portal.com, and the DNS resolution goes through the ASA.

Basically what will happen is internal host performs DNS resolution, DNS request goes outbound towards the external DNS server. External DNS server will reply with the public ip address, and once the DNS reply passes through the ASA, ASA will inspect the DNS reply and modify the reply from the web server public ip address to private ip address. Once the internal host receives the DNS reply, the web.portal.com entry resolves to the private ip address.

Pls let me know if you are not using the external DNS server to resolve the web.portal.com DNS, and the DNS request/reply does not go through the ASA.
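The rewrite described in this reply, modeled in Python as an added example (not code from the thread or from Cisco): a simplified stand-in for DNS inspection that swaps the mapped public address inside A answers of a reply. The mapping, the function names and the constructed DNS reply are assumptions for illustration.

```python
import socket
import struct

# Constructed mapping from the thread's example static rule (public -> real address).
STATIC_DNS_MAP = {"1.1.1.1": "172.16.24.70"}

def build_reply(name, ip):
    """Constructed DNS reply: one question, one IN A answer (name as pointer)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + qname + struct.pack("!HH", 1, 1) + answer

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def a_rdata_offsets(msg):
    """Yield the offset of every 4-byte IN A RDATA in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            yield off
        off += rdlen

def addresses(msg):
    return [socket.inet_ntoa(msg[o:o + 4]) for o in a_rdata_offsets(msg)]

def doctor_reply(msg, mapping):
    """Rewrite mapped public addresses in A answers of a reply crossing the firewall."""
    out = bytearray(msg)
    for off in a_rdata_offsets(msg):
        public = socket.inet_ntoa(msg[off:off + 4])
        if public in mapping:
            out[off:off + 4] = socket.inet_aton(mapping[public])
    return bytes(out)

if __name__ == "__main__":
    reply = build_reply("web.portal.com", "1.1.1.1")
    print(addresses(reply), "->", addresses(doctor_reply(reply, STATIC_DNS_MAP)))
```

A reply that never passes through `doctor_reply`, such as one from a DNS server on the same inside network as the client, still carries 1.1.1.1.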

Patrik Eberle Tue, 07/06/2010 - 04:34

Should it be possible that the ASA has a DNS IP address for the checks? It sounds like the only reason that this service doesn't work.

I have installed this dns feature.

Jennifer Halim Tue, 07/06/2010 - 04:36

Do you have "inspect dns" configured?

Are you using external dns server to resolve the web server dns?

Patrik Eberle Tue, 07/06/2010 - 04:42

The clients use an internal DNS and the firewall does not have a DNS included yet.

The DNS Inspection is already included in the config.

Jennifer Halim Tue, 07/06/2010 - 04:48

As advised earlier, the solution only works if the client uses external dns server and if the dns resolution goes through the ASA.

In your case, since the user is using the internal dns, I assume that the internal dns resolves the web server to the public ip address?

If that is the case, then you would need to configure the following as you can not make use of dns inspection feature in ASA:

same-security-traffic permit intra-interface

static (INSIDE,INSIDE) tcp 1.1.1.1 https 172.16.24.70 https netmask 255.255.255.255

Further to that, if you have "nat (INSIDE) 1 0 0" command, you would need to add "global (INSIDE) 1 interface" as well

WStoffel1 Thu, 11/29/2012 - 12:18

Yet another NAT issue I had recently and this was the exact fix.  Thanks Jennifer!
