
New Member

DNS and NAT problem

Hello, I have a problem with DNS. Three zones: outside, dmz, inside. Users of a DMZ VLAN use an external DNS server, but they must be able to access the internal mail server (inside). When they try to resolve the mail server's IP, the DNS gives them the public IP, but it has to be converted to the internal IP to access the inside server.

How can I resolve that?

Thanks

4 REPLIES
Cisco Employee

Re: DNS and NAT problem

You can configure DNS doctoring (i.e. with the "dns" keyword) on the static statement for the mail server.

Example:

Mail server private IP: 10.0.0.8

Mail server NATed (public) IP: 200.0.0.8

static (inside,outside) 200.0.0.8 10.0.0.8 netmask 255.255.255.255 dns

Before testing it again, please make sure you flush the DNS cache entry on the DMZ host.

Hope that helps.

New Member

Re: DNS and NAT problem

Hi, but my users are not on the inside; they are external wireless users and they are in the DMZ. The DNS server is outside and the email server is inside.

I think this "static (inside,outside)" command is not for a DMZ user, is it?

Thanks

Cisco Employee

Re: DNS and NAT problem

You advised that the external wireless users are connected to the DMZ and the DNS server is on the outside. So will the wireless users resolve DNS using the outside DNS server, with the DNS request and reply actually going through the ASA from the DMZ to the outside interface? If the DNS resolution goes through the ASA firewall, then my previous solution is the correct one, exactly the same as the following sample configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Based on the sample configuration:

- Your internal mail server corresponds to the www server in the DMZ.

- In both the sample config and your config the DNS server is on the outside of the ASA.

- In both cases the users (your wireless users, and the inside users in the sample config) are on a different interface than the actual server.

If the DNS resolution does not actually pass through the ASA, then you would need to configure the following:

static (inside,dmz) 200.0.0.8 10.0.0.8 netmask 255.255.255.255

Hope that helps.
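A way to see what the dns keyword on that static actually does to a reply, covering this answer and the first reply above, as an added illustration that is not code from the thread or from Cisco: a small Python model of the ASA A-record rewrite, using the thread's sample addresses, a constructed DNS reply, and a hypothetical STATICS table standing in for the static statements.

```python
import struct
from ipaddress import IPv4Address

# Constructed stand-in for the thread's static entries, keyed (real_ifc, mapped_ifc):
# (mapped_ip, real_ip, dns_keyword). Sample values from the thread, not a live config.
STATICS = {
    ("inside", "outside"): ("200.0.0.8", "10.0.0.8", True),
}

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def doctor_reply(reply, ingress_ifc, egress_ifc):
    """Rewrite A answers the way 'static ... dns' does: a mapped IP seen in a
    reply entering on ingress_ifc is replaced by the real IP when the static
    has the dns keyword and the client (egress_ifc) is off the mapped side."""
    out = bytearray(reply)
    qdcount, ancount = struct.unpack_from("!HH", reply, 4)
    off = 12                                   # fixed DNS header length
    for _ in range(qdcount):
        off = _skip_name(reply, off) + 4       # skip QTYPE and QCLASS
    rewrites = []
    for _ in range(ancount):
        off = _skip_name(reply, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", reply, off)
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            answer = str(IPv4Address(reply[off:off + 4]))
            for (_real_ifc, mapped_ifc), (mapped, real, dns) in STATICS.items():
                if dns and mapped_ifc == ingress_ifc != egress_ifc and answer == mapped:
                    out[off:off + 4] = IPv4Address(real).packed
                    rewrites.append((answer, real))
        off += rdlen
    return bytes(out), rewrites

def build_a_reply(name, ip):
    """Constructed minimal DNS reply with one question and one A answer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = qname + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answer
```

Without the dns keyword (or when the reply never crosses the ASA) the DMZ client keeps 200.0.0.8, which is why the alternative static toward the DMZ interface is needed in that case.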

New Member

Re: DNS and NAT problem

Thanks.
