8.4(3)
I need to outside PAT all incoming UDP (SIP/RTP) traffic from outside to an internal IP. The following command makes it work:
nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp
But it breaks DNS resolution from inside. If I add the above command and try to nslookup from inside to an outside DNS server (64.90.175.90), DNS times out. If I remove the above nat command, it works again. It seems like even though the DNS UDP query originates from inside, which should create a stateful connection, the ASA still messes with the returning DNS responses.
I then tried to create an "exclusion" for that IP with the following:
object-group network nat-exclusions
network-object host 64.90.175.90
!
nat (outside,inside) source static nat-exclusions nat-exclusions
but it's not working.
I also tried:
nat (outside,inside) source static nat-exclusions nat-exclusions unidirectional
Also not working.
Any suggestions? How can I outside-PAT all UDP traffic excluding DNS?
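One way to approach this, shown as an added example rather than the poster's own configuration: twice-NAT (section 1) rules on the ASA are matched first-hit in configuration order, so an identity rule for the DNS server only helps if it sits ahead of the dynamic rule, which the explicit line number below guarantees. The example also narrows the dynamic PAT from all UDP to the SIP signalling port, so that unrelated UDP such as DNS is never a candidate for translation; the port 5060, the object names other than obj-10.0.0.173, and the inside host 10.0.0.50 used in the packet-tracer checks are assumptions, not values from the post.

```cisco
! Added example (not the poster's config). Assumed names: dns-server, sip-udp.
object network obj-10.0.0.173
 host 10.0.0.173
!
object network dns-server
 host 64.90.175.90
!
! Assumed port: SIP signalling on UDP/5060 (adjust to the real deployment).
object service sip-udp
 service udp destination eq 5060
!
! Identity (no-translation) rule for the DNS server, pinned to line 1 so it
! is evaluated before the dynamic PAT rule below.
nat (outside,inside) 1 source static dns-server dns-server
!
! Dynamic PAT from outside to the internal host, limited to the SIP port
! instead of every UDP port; dynamic rules cannot rewrite ports, so the
! real and mapped service objects must be the same object.
nat (outside,inside) 2 source dynamic any obj-10.0.0.173 service sip-udp sip-udp
!
! Checks: confirm rule order, then trace a constructed DNS query from an
! inside host (10.0.0.50, assumed) and its reply to see which NAT rule,
! if any, each direction hits.
show nat detail
packet-tracer input inside udp 10.0.0.50 40000 64.90.175.90 53 detailed
packet-tracer input outside udp 64.90.175.90 53 10.0.0.50 40000 detailed
```

The packet-tracer output lists the NAT rule hit in each phase; the outside-to-inside reply should either match the existing connection or the identity rule at line 1, never the dynamic rule. If RTP media also needs to be reached from outside, add a second dynamic rule with a service object using `service udp destination range <low> <high>` for the media port range rather than reopening all of UDP.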