ASA DNS NAT and A Resource Record

Here is the scenario:

There's a LAN ( which contains several servers, where each provides different services. All services are NATed - static - there's only 1 public IP available (A.B.C.D).

One of these services is DNS. It is also the authoritative DNS for the LAN, and the WAN regarding the 1 domain it is responsible for - let's call it simpsons.fam. Let's further assume we have:

  • mailserver1.simpsons.fam
  • mailserver2.simpsons.fam
  • nameserver1.simpsons.fam
  • www.simpsons.fam (for webcontent)
  • fans.simpsons.fam (another for webcontent)
  • shop.simpsons.fam (yet another for webcontent)
  • cucm1.simpsons.fam
  • unity1.simpsons.fam etc.

If this DNS (nameserver1.simpsons.fam) hasn't got the answer for the request from a LAN-Resolver (let's say Bart is browsing for it can itself ask other DNSs (like or so) to provide Bart's computer with the proper IP2NAME-resolution. No WAN-DNS needs to be asked by Bart's computer - his and other computers don't even know the IPs of any WAN-DNS - they direct all their questions to the nameserver1.simpsons.fam.

So far so good

Ok - now there is me. I am sitting somewhere on this planet. I am such a huge fan, so I want to buy something in the online shop. I open a browser and type shop.simpsons.fam. This works out all fine, but what must have happened before?

Other DNS servers must have asked (and also will ask) the simpsons.fam-LAN eq. simpsons.fam-Domain to fill up their databases. The ASA represents the gateway. Like any other service the DNS is also NATed, thus the packet will receive translation (while traversing) into the LAN address of the DNS and is forwarded to it. The DNS answer would look like this: "Hi WAN-DNS, you'll find shop.simpsons.fam at the IP of with the port 80". He'll put it in an IP packet and send it to the ASA. The ASA then has to alter the nameserver1.simpsons.fam answer (not only on Layer 3 but also on Layer 7) to: "Hi WAN-DNS, you'll find shop.simpsons.fam at the IP of A.B.C.D with the port 80".

I've tried this scenario but the ASA won't translate DNS up into the Application Layer - which it should do, as I believe. I also remember very clearly Jeff Doyle in his "Routing TCP IP Volume II" saying that Cisco NAT is aware of this scenario and will provide Application-Layer Translation. There's also this document about DNS Doctoring that mentions this scenario.

However, the results I received paint a different picture. If I do nslookups from the internet to the ASA I see the LAN address of the services! The global policy has DNS inspection enabled (which is a requirement anyway, as I read). What am I missing? This is not the scenario for DNS rewrite!

Thank you for your attention
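
The Layer 7 translation the post expects, shown as an added example that is not part of the original post and is not ASA code: a simplified Python model that rewrites the A-record RDATA of a DNS response according to a static NAT map, leaving everything else in the message untouched. The addresses 192.168.1.10 and 203.0.113.10 are constructed stand-ins for the LAN address and A.B.C.D, and all function names are hypothetical.

```python
import ipaddress
import struct

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label terminates the name
            return off

def rewrite_a_records(msg, nat_map):
    """Rewrite A RDATA per nat_map {real_ip: mapped_ip}; return (new_msg, addresses)."""
    out = bytearray(msg)
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    seen = []
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            real = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            mapped = nat_map.get(real, real)
            # Same 4-byte length, so no DNS length field or offset changes.
            out[off:off + 4] = ipaddress.IPv4Address(mapped).packed
            seen.append(mapped)
        off += rdlen
    return bytes(out), seen

def build_sample_response(name, addr):
    """Constructed sample: minimal authoritative answer carrying one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer

if __name__ == "__main__":
    resp = build_sample_response("shop.simpsons.fam", "192.168.1.10")
    new, addrs = rewrite_a_records(resp, {"192.168.1.10": "203.0.113.10"})
    print(addrs)
```

Run against a captured response payload with an empty map, the same parser lists the addresses an outside resolver actually receives, which is a quick way to confirm whether LAN addresses are leaving the network in DNS answers.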