outside-PAT all UDP traffic, but exclude DNS

Roman Rodichev
Level 7

8.4(3)

I need to outside PAT all incoming UDP (SIP/RTP) traffic from outside to an internal IP. The following command makes it work:

nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp

But it breaks DNS resolution from inside. If I add the above command and try to nslookup from inside to an outside DNS server, 64.90.175.90, DNS times out. If I remove the above nat command, it works again. It seems like even though DNS UDP originates from inside, which should create a stateful connection, the ASA still messes with the return DNS responses.

I then tried to create an "exclusion" for that IP with the following:

object-group network nat-exclusions

network-object host 64.90.175.90

!

nat (outside,inside) source static nat-exclusions nat-exclusions

but it's not working.

I also tried:

nat (outside,inside) source static nat-exclusions nat-exclusions unidirectional

Also not working.

Any suggestions? How can I outside-PAT all UDP traffic excluding DNS?


Roman Rodichev
Level 7

TAC was able to help. I needed this:

object network exclusions

host 64.90.175.90

!

nat (inside,outside) source dynamic any interface destination static exclusions exclusions

nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp
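As an added illustration, not code from this thread or from Cisco: a small Python model of how the ASA walks manual (twice) NAT lines top-down and takes the first match, run against the two lines of the fix above. The model is deliberately simplified: it matches only ingress interface, source, destination and protocol, and ignores ports and the connection table. The addresses 10.0.0.5, 198.51.100.1 and 203.0.113.7 are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified model of ASA manual NAT (section 1): rules are evaluated in the
# order they appear and the first rule that matches wins. Illustration only;
# real ASA matching also considers service objects/ports and existing conns.


@dataclass
class NatRule:
    name: str           # label reported when this line matches
    ingress: str        # first interface in "nat (ingress,egress)"
    egress: str         # second interface in "nat (ingress,egress)"
    src: str = "any"    # "any", host address or CIDR
    dst: str = "any"    # "any", host address or CIDR ("destination static X X")
    proto: str = "any"  # "udp" models "service udp udp"


@dataclass
class Packet:
    ingress: str
    src: str
    dst: str
    proto: str


def _in_scope(scope: str, addr: str) -> bool:
    """True when addr falls inside the rule's source/destination scope."""
    return scope == "any" or ip_address(addr) in ip_network(scope, strict=False)


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    return (rule.ingress == pkt.ingress
            and rule.proto in ("any", pkt.proto)
            and _in_scope(rule.src, pkt.src)
            and _in_scope(rule.dst, pkt.dst))


def first_match(rules, pkt: Packet):
    """Return the name of the first matching manual NAT line, or None."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name
    return None


# The single line from the original question (breaks DNS).
BROKEN_RULES = [
    NatRule("udp-pat-in", "outside", "inside", proto="udp"),
]

# The two lines from the TAC fix, in the order they were entered.
FIXED_RULES = [
    NatRule("dns-exclusion", "inside", "outside", dst="64.90.175.90/32"),
    NatRule("udp-pat-in", "outside", "inside", proto="udp"),
]

# Constructed sample flows (placeholder addresses, not from the thread).
DNS_QUERY = Packet("inside", "10.0.0.5", "64.90.175.90", "udp")
SIP_INVITE = Packet("outside", "203.0.113.7", "198.51.100.1", "udp")
TCP_INBOUND = Packet("outside", "203.0.113.7", "198.51.100.1", "tcp")


def classify(rules):
    """Map each sample flow to the manual NAT line it would hit first."""
    return {
        "dns_query": first_match(rules, DNS_QUERY),
        "sip_invite": first_match(rules, SIP_INVITE),
        "tcp_inbound": first_match(rules, TCP_INBOUND),
    }


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label)
        for flow, hit in classify(rules).items():
            print(f"  {flow:12s} -> {hit}")
```

With only the original line, the outbound DNS query is covered by no explicit manual NAT line; with the fix, it hits the more specific inside-to-outside line with an identity destination before anything else is considered, while inbound UDP still lands on the catch-all PAT line and inbound TCP matches neither (the `service udp udp` restriction).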
