S2S VPN and DNS NAT

I have researched and while I am not an expert, I can't find a solution, so I'm looking for some guidance.  Attached is a rough network diagram of what I am working with.  

If I am sitting in Site A and I query external DNS for "server.domain.com", the ASA rewrites the response back to me because of NAT. Same for Site B and server.domain2.com, etc. And it does make sense: if I am in Site C and I query for "server.domain.com", I should expect to receive the public Internet IP, since the ASA I am behind is not doing the NAT for that subnet. But is it possible to actually do that, so if I am behind any of the ASAs and I query for a DNS record that publicly resolves to any of the NAT subnets, could I get back the real server address over the site-to-site?

I look forward to the discussion, and thank you in advance for any help.


Joseph

4 Replies

Florin Barhala
Level 6

Interesting question. So let's see if I got your question right: if you query for a domain and that server is not in the same network you are in, so that server is not part of the site's NAT configuration, you still want to receive its private IP and not the public one, BECAUSE you can access it through a site-to-site VPN?


Can you share your current config in regard to this DNS doctoring that works for you now?

Yeah, that's the scenario. The reason is we dev and host sites for clients, and 2 of the locations are cages in colos. Currently we have to manage internal and external DNS for the same domains, and it is just a pain to manage, and sometimes the zones conflict with each other because of the IPs.


For the DNS doctoring, I am simply using the DNS attribute of the NAT rules like:


object network pvt_10.0.20.20
 nat (inside,outside) static pub_XX.XXX.XX.XXX dns


and then the traffic inspection:

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect ftp 
!

What if you add a NAT exempt rule, lately known as Identity NAT, for the VPN traffic and add the dns keyword at the end of it?

Yeah, I know what you mean. I went down that road too, but it won't catch it, because sitting in Site A, for example, even if I do add that to the VPN NAT exempts, it does not capture the Site B public subnets that the DNS server is telling me the resource is at. Like, the internal network of each site does not know or can't see the public network of the other 2 sites over the VPN.

Ideally, if Site A private network had like a virtual NAT to the site B public subnet, that is how I see it working.  Or some sort of multisite VPN controller that handled all the IP and NAT "in the cloud" I guess.
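The DNS doctoring this thread relies on (the dns keyword on a static NAT plus inspect dns) rewrites an A record only when the answer address is a mapped IP in that ASA's own NAT table. The following Python model is an added example, not code from the thread or from Cisco: it parses a constructed DNS reply and applies that rule against an assumed table for Site A, so Site A's own server is rewritten while a record pointing at Site B's public address passes through untouched, which is the behaviour described above. All addresses are constructed documentation-range values.

```python
import struct
from ipaddress import IPv4Address

# Constructed model of Site A's ASA NAT table, mapped (public) -> (real, dns flag),
# mirroring "nat (inside,outside) static <public> dns" from the thread. Site B's
# public range is deliberately absent, which is the case the thread describes.
SITE_A_NAT = {"203.0.113.20": ("10.0.20.20", True)}

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles 0xC0 pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(msg, nat_table):
    """Rewrite A rdata matching a mapped IP whose static carries the dns flag; returns (msg, hits)."""
    out, hits = bytearray(msg), []
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                   # fixed DNS header length
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4         # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            public = str(IPv4Address(msg[off:off + 4]))
            entry = nat_table.get(public)
            if entry and entry[1]:             # only statics configured with "dns"
                out[off:off + 4] = IPv4Address(entry[0]).packed
                hits.append((public, entry[0]))
        off += rdlen
    return bytes(out), hits

def build_a_reply(name, addr, txid=0x1234):
    """Build a minimal constructed DNS reply with one A answer (demo input only)."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

def answered_address(msg):
    """Return the address carried in the first A answer of a reply."""
    off = _skip_name(msg, _skip_name(msg, 12) + 4) + 10
    return str(IPv4Address(msg[off:off + 4]))
```

Running doctor_dns_reply on a reply for server.domain.com yields 10.0.20.20, while a reply for server.domain2.com pointing at a Site B public address comes back unchanged because Site A's table has no entry for it.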
