New Member

DNS doctoring in 8.4

I currently have a NAT statement on my firewall for a public facing server which looks like this:

nat (any,any) source static any any destination static server_ext_ip server_int_ip

Typically I believe this would be better off as an object NAT, but for now this works. However, I need my inside clients to access this server via its external/public IP. I am using an external DNS server. Would simply adding the "dns" command at the end of this solve my issue?

Accepted Solution

VIP Green

If the URL your users are using to access the server resolves to the public IP and your DNS server is external, then adding the dns keyword at the end of the NAT statement will solve your issue.

Also keep in mind that if the server is located off a different ASA interface (i.e. in a DMZ) then you need to make sure that your inside interface ACL permits traffic to the private IP of the server.

--

Please remember to select a correct answer and rate helpful posts
3 REPLIES

Hi

If you want users to access the server through the public IP, just leave it as it is. DNS rewrite rewrites the DNS response so that users can access the server through the local IP address instead of the public one.

New Member

I applied the "dns" command to my NAT statements and it is now working as needed. I did have to change the statement from:

nat (any,any) source static any any destination static server_ext_ip server_int_ip

to

nat (any,any) source static server_ext_ip server_int_ip dns
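As an added illustration of what the dns keyword does on the NAT rule discussed above (a Python simulation written for this page, not Cisco code and not anything the posters wrote): the ASA inspects DNS replies crossing the NAT and, for a reply from the outside DNS server, replaces A records carrying the mapped (public) address with the real (inside) address. The addresses below are constructed placeholders, not the poster's server_ext_ip / server_int_ip.

```python
import ipaddress
import struct

# Constructed example mapping; the public/private addresses are placeholders,
# not the poster's server_ext_ip / server_int_ip.
SERVER_EXT_IP = "203.0.113.10"
SERVER_INT_IP = "10.1.1.10"

def _skip_name(msg, off):
    """Return the offset just past a DNS name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def a_records(msg):
    """Yield (rdata offset, dotted address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen

def doctor_reply(msg, mapped_ip, real_ip):
    """Rewrite A records carrying mapped_ip to real_ip, as the ASA does on a
    reply from an outside DNS server heading to inside clients."""
    buf = bytearray(msg)
    for off, addr in a_records(msg):
        if addr == mapped_ip:
            buf[off:off + 4] = ipaddress.IPv4Address(real_ip).packed
    return bytes(buf)

def build_reply(name, addrs):
    """Construct a minimal DNS response with one A record per address (demo input)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    rr = struct.pack("!HHIH", 1, 1, 300, 4)
    answers = b"".join(b"\xc0\x0c" + rr + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers
```

Feeding build_reply("www.example.com", [SERVER_EXT_IP]) through doctor_reply leaves the packet length unchanged and the answer now reads 10.1.1.10, which is exactly why inside clients reach the server without hairpinning through the public address.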
