New Member

DNS Doctoring issue - ASA 5540

I am in the process of setting up a segregated guest Wi-Fi network in my office and in doing so realized that I cannot access my NAT'd, externally facing web servers through this network. This guest network is using 8.8.8.8 for DNS and is properly resolving the external IP for the servers, but the pages refuse to load. If I go directly to the private IP of the servers, the pages load. These NAT'd servers are on the DMZ interface of my ASA, whereas the "guest network" resides on the inside interface.

I came across this: "By default the Cisco ASA will not allow packet redirection on the same interface (outside) which is tried by the guest client trying to access the DMZ server by its NAT'd public IP address.", which perfectly describes my issue. The article goes on to say that by checking the "Translate the DNS replies that match the translation rule" box (enable DNS Doctoring) in the NAT rule, the ASA would essentially rewrite the external IP to the private IP. This however is not working and the pages still won't come up.

Am I not understanding this right? What am I missing from this setup?
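The mechanism the question refers to, DNS doctoring (DNS rewrite), is the ASA inspecting DNS replies that cross it and rewriting any A-record answer whose address matches the mapped (public) address of a static translation carrying the "dns" option to the real (private) address. The following is an added example, not code from the thread or from Cisco: a small Python simulation of that rewrite over a constructed DNS reply, so you can see exactly which bytes change and which do not. The NAT table, hostnames and addresses (RFC 5737 documentation ranges) are made up for the illustration.

```python
"""
Simulated DNS doctoring (DNS reply rewrite), as an ASA does for a static
translation with the 'dns' keyword / the "Translate the DNS replies that
match the translation rule" checkbox.  Added example: not ASA code.

Only A answers (type 1, class IN, 4-byte RDATA) whose address is a mapped
address in the NAT table are rewritten; everything else in the reply,
including other answers, is left byte-for-byte intact.
"""
import socket
import struct
from typing import Dict, Iterator, List, Tuple

# Constructed static NAT table: mapped (public) -> real (private) address.
# Think of it as the result of, for example:
#   static (dmz,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns
STATIC_NAT: Dict[str, str] = {
    "203.0.113.10": "10.1.1.10",
    "203.0.113.11": "10.1.1.11",
}


def _encode_name(name: str) -> bytes:
    """Wire-format a DNS name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_reply(txid: int, qname: str, addrs: List[str], ttl: int = 300) -> bytes:
    """Build a minimal DNS response with one question and one A answer per address.
    Answers name the owner via a compression pointer to the question name (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + answers


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the name at off, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def _answer_records(pkt: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rdata_offset, rtype, rclass, rdlen) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12                                # past the fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4      # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt: bytes) -> List[str]:
    """Dotted-quad addresses of all A/IN answers in the reply, in order."""
    return [
        socket.inet_ntoa(pkt[off:off + 4])
        for off, rtype, rclass, rdlen in _answer_records(pkt)
        if rtype == 1 and rclass == 1 and rdlen == 4
    ]


def doctor_dns_reply(pkt: bytes, nat: Dict[str, str]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite A answers whose address is a key of nat to the mapped value.
    Returns the new packet and the list of (old, new) rewrites performed.
    Pass STATIC_NAT for replies heading to the private side; pass the
    inverted dict to model the real-to-mapped direction for outside clients."""
    out = bytearray(pkt)
    rewrites: List[Tuple[str, str]] = []
    for off, rtype, rclass, rdlen in _answer_records(pkt):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue                        # not an IPv4 address record: untouched
        seen = socket.inet_ntoa(pkt[off:off + 4])
        replacement = nat.get(seen)
        if replacement:
            out[off:off + 4] = socket.inet_aton(replacement)
            rewrites.append((seen, replacement))
    return bytes(out), rewrites


def demo() -> List[Tuple[str, str]]:
    """Constructed reply from a public resolver: one address the ASA owns, one it does not."""
    reply = build_a_reply(0x1234, "www.example.com", ["203.0.113.10", "198.51.100.7"])
    _doctored, rewrites = doctor_dns_reply(reply, STATIC_NAT)
    return rewrites


if __name__ == "__main__":
    print(demo())
```

Note what the simulation makes visible: rewriting only touches the RDATA of matching A answers, so the reply from 8.8.8.8 must actually pass through the firewall and be inspected for the client to learn the private address; a client that receives an unmodified reply will keep trying the public address, which is the hairpin-on-the-outside-interface case the quoted article describes.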


DNS Doctoring issue - ASA 5540

Hello Tom,

If the server is on a different interface than the clients, why don't you simply do a static one-to-one from the private to the global IP address?

Ex:

static (dmz,inside) public ip private ip

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: DNS Doctoring issue - ASA 5540

Oh, I didn't even think of that...

I had to do:

     static (outside,dmz) public ip private ip

actually, but it worked perfectly, thanks!

EDIT: Worked for a short period of time, then stopped working.

DNS Doctoring issue - ASA 5540

Hello Tom,

Great to see that

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

DNS Doctoring issue - ASA 5540

I'm not really sure what happened here, but after I finished writing out all of the static NAT rules, this stopped working. None of them load anymore. I don't know what's going on here, weird.
