10-05-2015 10:51 PM
I have researched and while I am not an expert, I can't find a solution, so I'm looking for some guidance. Attached is a rough network diagram of what I am working with.
If I am sitting in Site A and I query external DNS for "server.domain.com", the ASA rewrites the response back to me because of NAT. Same for Site B and server.domain2.com, etc. And it does make sense: if I am in Site C and I query for "server.domain.com", I should expect to receive the public Internet IP, since the ASA I am behind is not doing the NAT for that subnet. But is it possible to actually do that, so that if I am behind any of the ASAs and I query for a DNS record that publicly resolves to any of the NAT subnets, I could get back the real server address over the site-to-site VPN?
I look forward to the discussion, and thank you in advance for any help.
Joseph
10-06-2015 02:46 AM
Interesting question. So let's see if I got your question right: if you query for a domain and that server is not in the same network as you, so that server is not part of your site's NAT configuration, you still want to receive its private IP and not the public one, BECAUSE you can access it through a site-to-site VPN?
Can you share your current config in regard to this DNS doctoring that works for you now?
10-06-2015 04:07 AM
Yeah, that's the scenario. The reason is we dev and host sites for clients, and 2 of the locations are cages in colos. Currently we have to manage internal and external DNS for the same domains, and it is just a pain to manage, and sometimes the zones conflict with each other because of the IPs.
For the DNS doctoring, I am simply using the DNS attribute of the NAT rules like:
object network pvt_10.0.20.20
 nat (inside,outside) static pub_XX.XXX.XX.XXX dns
and then the traffic inspection:
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
!
10-06-2015 04:17 AM
What if you add a NAT exempt rule (lately known as Identity NAT) for the VPN traffic and add the dns keyword at the end of it?
10-06-2015 04:25 AM
Yeah, I know what you mean; I went down that road too, but it won't catch it, because sitting in Site A, for example, even if I do add that to the VPN NAT exempts, it does not capture the Site B public subnets that the DNS server is telling me the resource is at. Like, the internal network of each site does not know or can't see the public network of the other 2 sites over the VPN.
Ideally, if the Site A private network had something like a virtual NAT to the Site B public subnet, that is how I see it working. Or some sort of multi-site VPN controller that handled all the IP and NAT "in the cloud", I guess.
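The doctoring behaviour the thread turns on, as an added model that is not part of any post: a Python sketch that parses a constructed A-record reply and applies each site's own static-NAT table the way the `dns` keyword on the NAT rule does, so a client behind Site A gets the real address of its own server, while the same query behind Site C, or a query for Site B's server behind Site A, comes back with the public address. The site names, addresses and the merged-table "virtual NAT" in the usage are assumptions for illustration, not anyone's configuration.

```python
import struct

# Constructed per-site NAT tables (mapped public -> real private), one entry per
# `nat (inside,outside) static <public> dns` rule on that ASA; placeholder addresses.
SITE_NAT = {
    "SiteA": {"198.51.100.20": "10.0.20.20"},
    "SiteB": {"203.0.113.30": "10.0.30.30"},
    "SiteC": {},  # this ASA holds no static NAT for either server
}

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))
def ip_at(msg, off):
    return ".".join(str(b) for b in msg[off:off + 4])

def build_a_response(name, ip, txid=0x1234):
    """Constructed external-DNS reply: one question, one A record (TTL 300)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ip_to_bytes(ip)
    return header + qname + struct.pack(">HH", 1, 1) + rr

def skip_name(msg, off):  # step past a written-out name or a compression pointer
    while msg[off] and not msg[off] & 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 else 1)

def a_rdata_offsets(msg):  # offsets of the 4-byte RDATA of each A answer
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off, found = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append(off)
        off += rdlen
    return found

def doctor(msg, nat):
    """Doctoring model: rewrite an A record only if its address is mapped on *this* ASA."""
    out = bytearray(msg)
    for off in a_rdata_offsets(msg):
        if ip_at(msg, off) in nat:
            out[off:off + 4] = ip_to_bytes(nat[ip_at(msg, off)])
    return bytes(out)

def seen_from(site, name, public_ip):
    """Address a client behind `site`'s ASA receives for an external lookup."""
    reply = doctor(build_a_response(name, public_ip), SITE_NAT[site])
    return ip_at(reply, a_rdata_offsets(reply)[0])
```

Passing `doctor` a table merged from all sites stands in for the "virtual NAT" idea: only with Site B's mapping present does a Site A client see 10.0.30.30 for server.domain2.com.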