DNS Doctoring issue - ASA 5540

Phill Hodges
Level 1

I am in the process of setting up a segregated Guest Wifi network in my office and in doing so realized that I can not access my NAT'd externally facing web servers through this network. This guest network is using 8.8.8.8 for DNS and is properly resolving the external IP for the servers, but the pages refuse to load. If I go directly to the private IP of the servers, the pages load. These NAT'd servers are on the DMZ interface of my ASA, whereas the "Guest network" resides on the Internal interface.

I came across this: "By default the Cisco ASA will not allow packet redirection on the same interface (outside) which is tried by the guest client trying to access the DMZ server by its NAT'd public IP address.", which perfectly describes my issue. The article goes on to say that by checking the "Translate the DNS replies that match the translation rule" box (enable DNS Doctoring) in the NAT rule, the ASA would essentially rewrite the external IP to the private IP. This however is not working and the pages still won't come up.

Am I not understanding this right? What am I missing from this set up?

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Tom,

If the server is on a different interface than the clients, why don't you simply do a static one-to-one from the private to the global IP address.

EX

static (dmz,inside) public ip private ip

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
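Putting the accepted answer into concrete pre-8.3 `static` syntax, as an added illustration rather than configuration from the thread; the interface names (outside, dmz, inside) are the ones the thread uses, the addresses are placeholders:

```cisco
! Added example, not from the thread. Placeholder addresses:
!   real server on the dmz interface   : 10.10.10.10
!   public (mapped) address on outside : 203.0.113.10
!
! Publishes the server to the Internet. The "dns" keyword is the CLI form of
! the ASDM checkbox "Translate the DNS replies that match the translation
! rule": A records carrying the mapped address are rewritten to the real
! address in DNS replies that cross this translation.
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255 dns
!
! The accepted answer: a second one-to-one static between dmz and inside, so
! inside/guest clients that resolve the public address are translated straight
! to the real server instead of being redirected back out the outside interface.
static (dmz,inside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255 dns
!
! Check that the translation is built when a guest client connects:
!   show xlate | include 203.0.113.10
```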

Oh, I didn't even think of that...

I had to do:

     static (outside,dmz) public ip private ip

actually, but it worked perfectly, thanks!

EDIT: Worked for a short period of time, then stopped working.

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Tom,

Great to see that

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'm not really sure what happened here, but after I finished writing out all of the static NAT rules, this stopped working. None of them load anymore. I don't know what's going on here, weird.
