Does anyone know if DNS doctoring is supported in the newer 8.3 code? It looks like you can append the dns keyword to a nat translation and if you inspect DNS the ASA will "un-nat" the connection, according to some of the 8.3 CLI documentation I've read, but it doesn't work for me.
nat (inside,outside) source static COMM-USWEB_192.168.10.18 COMM-USWEB_184.108.40.206 dns
It looks like the traffic is not crossing the ASA. I don't understand that, though. I have clients on the inside trying to access a web server that sits on the inside as well, but has no internal DNS entry. So those clients use the internal DNS server, which forwards the request to the Internet and gets the public IP, but of course that's the traffic that is being denied by the ASA and is what DNS doctoring is supposed to fix. Why wouldn't the DNS traffic be crossing the ASA? My access list on the inside interface allows both TCP and UDP DNS.
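Added example (not from the original post): the same translation written as ASA 8.3+ Network Object NAT with the dns keyword, the DNS inspection that doctoring depends on, and the show/packet-tracer commands used to confirm the rule is hit and the query actually traverses the ASA. Object names and addresses come from the post; the internal DNS server (192.168.10.5) and the external resolver (203.0.113.53) are constructed placeholders.

```cisco
! Added example, not the poster's configuration.
! Real host object; "dns" makes the ASA rewrite A records in DNS replies
! that match this translation (public 184.108.40.206 -> private 192.168.10.18)
! so inside clients receive the inside address of the server.
object network COMM-USWEB_192.168.10.18
 host 192.168.10.18
 nat (inside,outside) static 184.108.40.206 dns

! Doctoring only occurs on replies that pass through DNS inspection,
! so the global policy must still inspect DNS.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! Verification (enable mode):
! untranslate_hits on the rule rise only when replies are being rewritten.
show nat
! Confirms inspection is applied and counting packets.
show service-policy inspect dns
! Traces the internal DNS server's outbound query to the external resolver
! (constructed addresses); if this is dropped at an ACL or NAT phase, the
! reply never reaches the ASA and there is nothing to doctor.
packet-tracer input inside udp 192.168.10.5 1025 203.0.113.53 53
```

Note that with Twice NAT (`nat ... source static ...`) the dns keyword is only accepted when no destination clause is present, and the reply must arrive on the interface pair named in the rule for the rewrite to apply.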