NAT Problem from inside to inside with DNS entry (ASA)

Patrik Eberle · ‎07-06-2010

Hi Guy's

I have a problem with the solution for a Web-Portal on my ASA5520. I'd like to connect to a Web-Portal with the Public ip address. That sounds easy.

The Follow are the Situation:

1. The Web-Portal-Server is in the same Network as the Client.

2. The Connection have to open with the public DNS entry

3. the internal DNS Server have to be untouched.

example:

web.portal.com has the publich ip 1.1.1.1

the webserver has the internal ip 172.16.24.70

a exsist NAT-Rule ist installed like : static (INSIDE,OUTSIDE) tcp 1.1.1.1 https 172.16.24.70 https netmask 255.255.255.255 dns

Now I want from my Network 172.16.24.0/24 connect to my web-port with the DNS-Entry web.portal.com

What i have to do?

Thx for Replies

Jennifer Halim · ‎07-06-2010

With the existing "dns" keyword configured on the static statement, as well as dns inspection enabled on the ASA global_policy, plus if the DNS request and reply actually pass through the ASA, then your internal host should be receiving the private ip address of the web server when performing DNS resolution.

The above statement is true if your internal host is using external DNS server for the resolution of your web server: web.portal.com, and the DNS resolution goes through the ASA.

Basically what will happen is internal host performs DNS resolution, DNS request goes outbound towards the external DNS server. External DNS server will reply with the public ip address, and once the DNS reply passes through the ASA, ASA will inspect the DNS reply and modified the reply from the web server public ip address to private ip address. Once the internal host receives the DNS reply, the web.portal.com entry resolves to the private ip address.

Pls let me know if you are not using the external DNS server to resolve the web.portal.com DNS, and the DNS request/reply does not go through the ASA.

Patrik Eberle · ‎07-06-2010

should be possible, that the ASA have a DNS-IP address for the Checks ? It's sounds the only one reason that this service doesn't work.

I have installed this this dns Feature.

Jennifer Halim · ‎07-06-2010

Do you have "inspect dns" configured?

Are you using external dns server to resolve the web server dns?

Patrik Eberle · ‎07-06-2010

The Clients use a Internal DNS and the Firewall has not a DNS included yet.

The DNS Inspection is already included in the config.

Jennifer Halim · ‎07-06-2010

As advised earlier, the solution only works if the client uses external dns server and if the dns resolution goes through the ASA.

In your case, since the user is using the internal dns, I assume that the internal dns resolves the web server to the public ip address?

If that is the case, then you would need to configure the following as you can not make use of dns inspection feature in ASA:

same-security-traffic permit intra-interface

static (INSIDE,INSIDE) tcp 1.1.1.1 https 172.16.24.70 https netmask 255.255.255.255

Further to that, if you have "nat (INSIDE) 1 0 0" command, you would need to add "global (INSIDE) 1 interface" as well

WStoffel1 · ‎11-29-2012

Yet another NAT issue I had recently and this was the exact fix. Thanks Jennifer!