There's a LAN (172.20.0.0/12) which contains several servers, each providing a different service. All services are NATed (static); there's only one public IP available (A.B.C.D).
One of these services is DNS. It is also the authoritative DNS for the LAN, and for the WAN regarding the one domain it is responsible for; let's call it simpsons.fam. Let's further assume we have:
www.simpsons.fam (for web content)
fans.simpsons.fam (another for web content)
shop.simpsons.fam (yet another for web content)
If this DNS (nameserver1.simpsons.fam) doesn't have the answer for a request from a LAN resolver (let's say Bart is browsing to www.cisco.com), it can itself ask other DNS servers (like 188.8.131.52 or so) to provide Bart's computer with the proper IP2NAME resolution. No WAN DNS needs to be asked by Bart's computer; his and the other computers don't even know the IPs of any WAN DNS, they direct all their questions to nameserver1.simpsons.fam.
So far so good.
OK, now there is me. I am sitting somewhere on this planet. I am such a huge fan that I want to buy something in the online shop. I open a browser and type shop.simpsons.fam. This all works out fine, but what must have happened before?
Other DNS servers must have asked (and will also ask) the simpsons.fam LAN, i.e. the simpsons.fam domain, to fill up their databases. The ASA represents the gateway. Like any other service, the DNS is also NATed, thus the packet receives translation (while traversing) to the LAN address of the DNS and is forwarded to it. The DNS answer would look like this: "Hi WAN-DNS, you'll find shop.simpsons.fam at the IP 172.20.1.1 with port 80". It puts this in an IP packet and sends it to the ASA. The ASA then has to alter nameserver1.simpsons.fam's answer (not only on Layer 3 but also on Layer 7) to: "Hi WAN-DNS, you'll find shop.simpsons.fam at the IP A.B.C.D with port 80".
I've tried this scenario, but the ASA won't translate DNS up into the application layer, which it should do, as I believe. I also remember very clearly Jeff Doyle in his "Routing TCP/IP Volume II" saying that Cisco NAT is aware of this scenario and will provide application-layer translation. There's also this document about DNS doctoring that mentions this scenario.
However, the results I received paint a different picture. If I do nslookups from the Internet to the ASA, I see the LAN address of the services! The global policy has DNS inspection enabled (which is a requirement anyway, as I read). What am I missing? This is not the scenario for DNS rewrite!
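As an added example (not part of the original post and not Cisco's code), here is a toy model in Python of the rewrite that DNS doctoring performs on a reply: it walks the answer section of a constructed DNS response and replaces the rdata of every A record whose address appears in a real-to-mapped table, leaving every other record untouched and the message length unchanged. 203.0.113.10 stands in for the single public IP A.B.C.D, and the mapping table is an assumption for the example. On the ASA itself this rewrite is done by DNS inspection only for NAT rules that carry the `dns` keyword (8.3+ syntax: `nat (inside,outside) static 203.0.113.10 dns` under the network object), and the ASA configuration guide notes that DNS rewrite does not apply to PAT rules, which is the case a single public IP shared by several port-80 services usually ends up in.

```python
"""Toy model of ASA DNS doctoring: rewrite A-record rdata in a DNS reply.

Added example, not Cisco code. The ASA does this inside its DNS inspection
engine for NAT rules with the `dns` keyword; here the same layer-7 rewrite
is applied to a constructed reply so it runs offline.
"""
import socket
import struct

# Assumed mapping for the example: real (inside) address -> mapped (outside)
# address. 203.0.113.10 stands in for the single public IP A.B.C.D.
REAL_TO_MAPPED = {"172.20.1.1": "203.0.113.10"}


def _encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes total
            return off + 2
        off += 1 + length


def build_response(name, ips, txid=0x1234):
    """Constructed reply: one question plus one A record (TTL 300) per ip."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, IN
    answers = b""
    for ip in ips:
        # Answer name is a pointer to offset 12, where the question name sits.
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += socket.inet_aton(ip)
    return header + question + answers


def _iter_answers(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for each answer RR."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg):
    """Addresses of all IN A records in the answer section (for checking)."""
    return [
        socket.inet_ntoa(bytes(msg[off:off + 4]))
        for rtype, rclass, off, rdlen in _iter_answers(msg)
        if rtype == 1 and rclass == 1 and rdlen == 4
    ]


def doctor_response(msg, mapping):
    """Rewrite each A-record address found in `mapping`; leave the rest alone.

    An A record's rdata is always 4 bytes, so the rewrite is done in place and
    the offsets computed while walking the message stay valid.
    """
    buf = bytearray(msg)
    for rtype, rclass, off, rdlen in _iter_answers(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            real = socket.inet_ntoa(bytes(buf[off:off + 4]))
            if real in mapping:
                buf[off:off + 4] = socket.inet_aton(mapping[real])
    return bytes(buf)


if __name__ == "__main__":
    reply = build_response("shop.simpsons.fam", ["172.20.1.1"])
    print("reply from nameserver1 :", a_records(reply))
    print("reply after doctoring  :", a_records(doctor_response(reply, REAL_TO_MAPPED)))
```

The check a practitioner would run after enabling the `dns` keyword is exactly the one in the post: an nslookup for shop.simpsons.fam from outside should return the mapped address, while the same query from inside still returns 172.20.1.1, because the ASA only rewrites replies that cross the NAT rule's interface pair.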