New Member

Question about NAT redirection

I will be deploying an ASA5520 very soon and I wanted to find out if the following is possible...and if so, any advice or pointers on the configuration.

I plan to have three security zones:

SERVER_NETWORK 10.0.0.0/24

CLIENT_NETWORK 192.168.100.0/24

PUBLIC_NETWORK 200.200.200.0/24 (obfuscated intentionally)

I will have a server exposed (or NAT'd) from the SERVER_NETWORK to the PUBLIC_NETWORK. Let's say for simplicity, it's a web server.

SERVER01 (ip: 10.0.0.10) (External NAT: 200.200.200.10)

Externally, if you resolve "www.mycompanywebsite.com", DNS will return 200.200.200.10.

Is it possible to configure the ASA5520 such that, if a user on the CLIENT_NETWORK resolved that address (200.200.200.10) or browsed to that resource, they would be able to reach SERVER01 too?

In other words, can I have NAT translations occur on both interfaces, public and client?

I've tried this in the past with a PIX and was told that it couldn't be done. Something about not being able to send traffic out, or looping back in, through an interface that is NAT'ing an address. (that was a long time ago, though)

I've resolved it in the past by running a secondary DNS server for the clients in the CLIENT_NETWORK, that responds with internal addresses instead of the external ones. That is obviously a less than desirable solution because you have to maintain duplicate zone files with different host records. But that isn't an option with this install. I can't do that here.

Any advice? Is this easily overcome now?

Thanks!

-Matt

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: Question about NAT redirection

Hi Matt

Yes you can do this, it is called DNS doctoring. Attached is a link to a configuration example of DNS doctoring on the ASA.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

HTH

Jon
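The DNS doctoring configuration Jon refers to, written out as an added example using the addresses from Matt's question (this is not Jon's configuration or the text of the linked Cisco document). The interface names inside and outside and the object name SERVER01 are assumptions.

```cisco
! DNS doctoring for SERVER01 (10.0.0.10 <-> 200.200.200.10), ASA 8.2 and earlier syntax.
! Assumed interface names: "inside" = SERVER_NETWORK, "outside" = PUBLIC_NETWORK.
! The "dns" keyword makes the ASA rewrite the A record in DNS replies that match this
! translation, so a client behind the ASA receives 10.0.0.10 instead of 200.200.200.10.
static (inside,outside) 200.200.200.10 10.0.0.10 netmask 255.255.255.255 dns
!
! DNS inspection must be enabled in the global policy or no rewrite takes place.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Equivalent object NAT on ASA 8.3 and later (object name SERVER01 is assumed):
object network SERVER01
 host 10.0.0.10
 nat (inside,outside) static 200.200.200.10 dns
```

The rewrite only applies to DNS replies that actually pass through the ASA from the outside, so clients on the CLIENT_NETWORK must resolve through the external resolver (replies served from an internal caching DNS server are not modified), and an access rule permitting CLIENT_NETWORK to reach 10.0.0.10 is still needed.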

2 REPLIES

New Member

Re: Question about NAT redirection

That's perfect Jon.

Thank you.
