I have an ASA5510 with 3 interfaces: inside, outside, dmz.
In the DMZ, a McAfee Web and Security Appliance acts as a proxy (called srv-proxy, IP=192.168.127.52).
srv-proxy is NATted to INTERNET (public IP address).
I'd like srv-proxy to resolve DNS requests on some external DNS servers (srv-dns-oleane).
Here's the simple configuration to do this:
static (dmz,outside) INTERNET srv-proxy netmask 255.255.255.255
access-list acl-dmz_public extended permit udp dmz_public 255.255.255.0 object-group srv-dns-oleane eq domain log
By monitoring with ASDM, I can
opendns2 53 srv-proxy 5594 Built outbound connection 776 for outside:opendns(opendns2/53) to dmz:srv-proxy/5594(INTERNET/5594)
srv-proxy 5596 opendns2 53 access-list acl-dmz_public permitted udp dmz/srv-proxy(5594)->outside/opendns2(53) hit-cnt1 first hit
With "show nat" and "show xlate", I can see that the NAT is working.
However, on srv-proxy, "nslookup www.google.com" doesn't work.
I have an old PIX515E with the same configuration, and it works.
Do you have any idea?
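As an added example (not code from the thread), a small Python helper that parses the two ASA message shapes quoted above (the "Built outbound connection" and "access-list ... permitted" lines), correlates them per flow and flags connections whose outside-facing address is not the expected static translation. The log lines embedded in it are constructed, and the 198.51.100.x / 203.0.113.x addresses are documentation placeholders, not values from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Regexes for the two ASA messages quoted in the question. They accept both the
# ASDM name-substituted form ("outside:opendns(opendns2/53)") and the raw
# IP/port form, and an optional protocol word after "outbound".
BUILT_RE = re.compile(
    r"Built outbound (?:\w+ )?connection (?P<conn>\d+) for "
    r"(?P<dif>\w+):(?P<dreal>[^\s(]+?)(?:/\d+)?\s*\((?P<dmap>[^/]+)/(?P<dport>\d+)\) to "
    r"(?P<sif>\w+):(?P<sreal>[^\s(/]+)/(?P<sport>\d+)\s*\((?P<smap>[^/]+)/\d+\)")
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) permitted (?P<proto>\w+) "
    r"(?P<sif>\w+)/(?P<src>[^(]+)\((?P<sport>\d+)\)->(?P<dif>\w+)/(?P<dst>[^(]+)\((?P<dport>\d+)\)")

Key = Tuple[str, int, str, int]  # real source host, source port, destination host, destination port

@dataclass
class Flow:
    acl: Optional[str] = None         # ACL that permitted the first packet
    conn_id: Optional[int] = None     # connection id from the Built message
    mapped_src: Optional[str] = None  # translated source as seen on the outside interface

# Constructed sample: the first two lines mirror the thread's messages, the third is a
# raw-IP flow that left without translation (mapped address equals the real address).
SAMPLE_LOG = """\
access-list acl-dmz_public permitted udp dmz/srv-proxy(5594)->outside/opendns2(53) hit-cnt 1 first hit
Built outbound connection 776 for outside:opendns2(opendns2/53) to dmz:srv-proxy/5594(INTERNET/5594)
Built outbound UDP connection 777 for outside:198.51.100.53/53 (198.51.100.53/53) to dmz:192.168.127.52/5595 (192.168.127.52/5595)
"""

def parse_flows(log_text: str) -> Dict[Key, Flow]:
    """Correlate ACL-permit and Built-connection lines on the real 4-tuple."""
    flows: Dict[Key, Flow] = {}
    for line in log_text.splitlines():
        if m := ACL_RE.search(line):
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows.setdefault(key, Flow()).acl = m["acl"]
        elif m := BUILT_RE.search(line):
            key = (m["sreal"], int(m["sport"]), m["dmap"], int(m["dport"]))
            f = flows.setdefault(key, Flow())
            f.conn_id, f.mapped_src = int(m["conn"]), m["smap"]
    return flows

def nat_mismatches(flows: Dict[Key, Flow], real_host: str, expected_mapped: str) -> List[Key]:
    """Flows from real_host whose outside-facing address is not the expected static NAT."""
    return [k for k, f in flows.items()
            if k[0] == real_host and f.mapped_src not in (None, expected_mapped)]

if __name__ == "__main__":
    for key, flow in parse_flows(SAMPLE_LOG).items():
        print(key, flow)
```

Feed it the text of the ASDM real-time log (or syslog export) to confirm that every DNS flow from the proxy both hit the ACL and was built with the expected public address; if the translation is right yet replies never arrive, the problem is on the return path, as the answer below suggests.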
The packet captures just show the raw packet at the interface level. You should see the requests leaving the firewall. If you are using your ISP's DNS server, could you use 184.108.40.206 as the DNS server and see if the proxy server is resolving DNS names? Also, can the proxy server communicate with the internet, i.e. can you ping your default gateway from the proxy server? If not, it could be an issue with the ISP not sending traffic belonging to the INTERNET address back to your firewall. You need to check with the ISP and see if they have a proper ARP entry (it should be the firewall's MAC for the INTERNET address too) in their router.
Hope this helps.