Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

UDP and NAT problem

DMZ = 172.16.1.0/24

Screened Subnet (behind ASA) = 172.16.3.0/24

I have numerous static NAT entries for HTTPS traffic to the 3.0 network, advertised on the outside as a 1.0 address.

The 1.0 network is a directly connected network between my border and the firewall.

We attempted to move one of our DNS servers behind the ASA to a 3.0 address, and continue to advertise it to the outside as a 1.0 address.

For some reason, this did not work. But it does work for TCP traffic. As soon as I put in a static route in the border router, forcing that IP to the firewall, traffic to the DNS server started flowing.

Is this because of the connectionless nature of UDP?

2 REPLIES
Bronze

Re: UDP and NAT problem

Dynamic allocation requires state information that is not always available. Although TCP state information can be easily tracked and controlled, UDP traffic offers no mechanism at the packet header level to determine whether a packet is part of an ongoing conversation or if it is an isolated event. In such cases, when NAT systems have no additional security support, they need to guess how long a particular translation should be maintained. Cisco IOS Firewall provides functionality to set idle time on UDP sessions to limit such cases.

New Member

Re: UDP and NAT problem

Try using DNS keyword with the static command , DNS keyword helps firewall to track DNC request

161
Views
5
Helpful
2
Replies
CreatePlease to create content