Cisco Support Community
Community Member

Perform DNS Doctoring with the static cmd and 3 NAT Intf

I have the same scenario as in the example mentioned by the link below, but it doesn't work. I have opened a case with Cisco, got to tier 3 with no resolution ...

I basically need to access my DMZ servers from inside on both the public and the DMZ IPs. Cannot make it work. I can only make it work for one of the IPs (either the DMZ or the public IPs).

Anyone who ran into this and could share the fix?

Much appreciated!

Constantin

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

4 REPLIES
Gold

Re: Perform DNS Doctoring with the static cmd and 3 NAT Intf

Can you tell us what you've tried, and maybe post any configs that you've tried? Just to be sure, is DNS inspection turned on?

Community Member

Re: Perform DNS Doctoring with the static cmd and 3 NAT Intf

Well, I have tried destination NAT and it didn't work, then I have tried DNS doctoring, same.

And then I have tried both, no luck.

My config is similar to what the example shows (just the IPs are different).

As for the destination NAT I have tried multiple combinations (dmz-inside, outside-dmz).

(And of course I have issued the clear xlate command after each change :-))

Green

Re: Perform DNS Doctoring with the static cmd and 3 NAT Intf

Destination NAT does work.

DMZ IP = 192.168.1.1

Public IP = 1.1.1.1

static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

This will allow you to hit the server from the inside with 1.1.1.1 only. You will not be able to use one or the other or both at the same time.
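For comparison, the plain static above next to the DNS doctoring form that the linked Cisco example relies on, as an added configuration illustration that is not part of this thread or of the OP's config; it assumes ASA 7.x `static` syntax and the thread's addresses (DMZ 192.168.1.1, public 1.1.1.1):

```cisco
! Added illustration, not from the thread. ASA 7.x syntax assumed.
! DMZ server 192.168.1.1, public address 1.1.1.1 (from the thread).

! Public-side translation so the server is reachable as 1.1.1.1 from outside.
static (dmz,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

! Plain destination NAT (the reply above): inside hosts reach the server
! as 1.1.1.1 only; DNS replies passing through are left untouched.
static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

! DNS doctoring variant (replaces the line above, not in addition to it):
! the trailing "dns" keyword makes the ASA rewrite an A record of 1.1.1.1
! to 192.168.1.1 in DNS replies crossing this translation, so inside clients
! that resolve the public name connect to the DMZ address directly.
static (dmz,inside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255 dns

! The rewrite only happens when DNS inspection is enabled; this is the
! default global policy on 7.0 (7.2 and later show "inspect dns preset_dns_map").
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
service-policy global_policy global
```

After changing a static, `clear xlate` and then `show xlate` and `show service-policy inspect dns` confirm the translation exists and that DNS packets are actually being inspected (counters increase) before concluding the rewrite is not working.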

Community Member

Re: Perform DNS Doctoring with the static cmd and 3 NAT Intf

Thank you.

This is what I have experienced as well.

The thing is that on the PIX 6.3.5 I am able to hit both the public and the dmz IPs at the same time (alias command).

When we "upgraded" to the ASA 7.x, the alias command stopped working and we ended up with the issue described.

The network has now been put back on the PIX to allow the business to work but I will have to find a solution soon.
