Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

DNS Issue due to translation

Hey Everyone,

I am facing a DNS issue due to NAT, i think dns doctoring can solve this but the scenario is a little different so not sure of the exact solution.

Attached is the network diagram. Exchange Server , DNS and Domain Controller are all located on a single physical server which has an IP 172.20.10.100. Both the server and the intenal users reside on the inside subnet. In the DNS the name-to-IP mapping is for example srv.abc.com -> 172.20.10.100. The Inside users have no connectivity issue.

The server is translated to 192.168.100.20 when accessing the outside network, this is a static translation

static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask 255.255.255.255

The Branch users when they access they try to resolve srv.abc.com get the mapping to 172.20.10.100 which does not allow communication using name as Branch users cannot access 172.20.10.100 but they can access 192.168.100.20.

What needs to be configured on the ASA to resolve this issue ?

will this work

static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask  255.255.255.255 dns

??

Thanks

Zeeshan

9 REPLIES
Cisco Employee

Re: DNS Issue due to translation

Yes, dns doctoring will work as long as the branch user uses 192.168.100.20 as its dns server for dns resolution.

Re: DNS Issue due to translation


halijenn

It didn't work. I specified the command using dns keyword and flushed the DNS on the Branch host, the host still resolves the name of the server to 172.20.10.100. Is there any other thing which needs to be done.

Thanks

Zeeshan Sanaullah

Cisco Employee

Re: DNS Issue due to translation

Is the user using the public ip address of the HQ dns server for dns resolution? It will only work if the dns request passes through the HQ ASA where the static with "dns" keyword is configured, and the reply goes back through the ASA as well.

Can you please confirm what DNS server is used at your branch host?

Re: DNS Issue due to translation

The Branch user has 192.168.100.20 configured as the DNS Server. Yes the DNS request passes through the ASA.

Cisco Employee

Re: DNS Issue due to translation

Is dns inspection also enabled on the HQ ASA?

Re: DNS Issue due to translation

DNS Inspection is on ... as shown below

class-map inspection_default

match default-inspection-traffic

policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect esmtp
  inspect dns
  inspect http

Cisco Employee

Re: DNS Issue due to translation

Remove the "dns" keyword from the static. This should resolve the issue.

The inside hosts are getting resolution from the inside DNS and they are wroking fine.

The outside folks do not need to get the inside IP upon resolving so, remove the dns keyword from the static.

-KS

Re: DNS Issue due to translation

@kusankar

The actual configuration is without dns keyword. I added dns keyword to see if the issue resolves but it did not.

Outside hosts when they resolve srv.abc.com they get 172.20.10.100 but they should get 192.168.100.20 after dns keyword is entered.

@halijenn

The ASA OS version is 7.07  ... can it be software issue ???

Thanks

Zeeshan

Cisco Employee

Re: DNS Issue due to translation

Can you temporarily just remove dns inspection and see if this works. If it does then we can exclude dns inspection for this remote network and add dns inspection for all other traffic.

-KS

326
Views
0
Helpful
9
Replies
CreatePlease to create content