Hi, I've just been faced with a routing issue with a third party which I'm hoping the NAT DNS feature will be able to help with, but I'd like some clarification on whether I can use it in the way I'm thinking of.
Basically we have a 10.0.0.0/8 network, so do they, and we may have to reach literally *any* of those addresses purely based on the DNS resolution that we get from their name servers. Their failover model is that if site A fails then they change their DNS to point at site B, basically, so we *MUST* keep resolving by their DNS servers, but we cannot route to their IPs.
So with DNS NAT, is it somehow possible to do the standard DNS lookup on their servers and then replace known IP addresses with a pre-NATted equivalent IP which can then be used as a NAT into the third party's network, rather than its original use of keeping the traffic from hitting the ASA at all? So rather than the DNS result that comes back to the client being a local LAN server, it's actually an address on the ASA which will then NAT the packets into the address that was originally in the DNS result that came back.
Sorry if this sounds confusing, but it's a little clearer in my head at the moment. If this is possible I've a feeling that it may actually be a pretty neat way of doing it, but I'm not sure yet.
Well, I've been looking at the two-interface example, where traffic doesn't see the firewall again, so this does add a bit more, but it's not really what I mean. I have to confess my ASA NAT knowledge isn't too hot, but based on the code in the example I think I'm suggesting a config like this:
static (inside,outside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255 dns
So I do a DNS request for example.com which remotely resolves to 172.20.1.10. The ASA then converts it to 10.10.10.10. The packet from the client for 10.10.10.10 is then routed to the ASA and the second NAT sends it onwards to 172.20.1.10 by NATting the destination and not the source, as the first NAT by itself would do.
As above, these are two private, largely overlapping WANs, but the source IP of the client is OK on the remote network, so no need to source-NAT the outbound traffic.
Is this on the right track? It seems that the two NATs will sit very uncomfortably with each other.
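The mechanism the post is asking about, as an added example that is not part of the original post and not an ASA configuration: a small model of an ASA 8.x `static (real_ifc,mapped_ifc) mapped_ip real_ip [dns]` entry, with the DNS-doctoring rewrite done on a real DNS answer packet and the address translation applied to the client's follow-up packet. It runs the exact line quoted in the post and the reversed `static (outside,inside) 10.10.10.10 172.20.1.10 dns` form side by side so the difference in which packet each direction translates can be seen. The directional semantics (a reply crossing from the mapped side to the real side has mapped_ip rewritten to real_ip, and vice versa; a packet entering the mapped side addressed to mapped_ip has its destination rewritten to real_ip) are the editor's reading of the ASA behaviour; the inside client address 10.1.2.3, the site B address 172.20.2.10 and the DNS reply bytes are constructed for the example.

```python
"""Model of an ASA 'static ... dns' entry: DNS doctoring of A records plus the
address translation applied to the client's packet. Editor's example, not the
original post's configuration. Interface/direction semantics follow the 8.x
form static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask m] [dns]."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    real_ifc: str    # interface on which real_ip actually lives
    mapped_ifc: str  # interface on which that host is seen as mapped_ip
    mapped_ip: str
    real_ip: str
    dns: bool = False  # the 'dns' keyword: also rewrite A records in replies


def _ip2b(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def _b2ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_dns_reply(qname: str, answers: list, txid: int = 0x1234) -> bytes:
    """Constructed sample DNS response: one A/IN question and one A answer per
    IP, each answer naming the owner via a compression pointer (0xC00C)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + _ip2b(ip) for ip in answers)
    return hdr + question + rrs


def _skip_name(pkt: bytes, off: int) -> int:
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += ln + 1


def _a_record_offsets(pkt: bytes):
    """Yield the RDATA offset of every A/IN record in the reply."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(pkt: bytes) -> list:
    return [_b2ip(pkt[o:o + 4]) for o in _a_record_offsets(pkt)]


def doctor_dns_reply(pkt: bytes, statics: list, in_ifc: str, out_ifc: str):
    """DNS doctoring for a reply crossing from in_ifc to out_ifc.
    mapped_ifc -> real_ifc: mapped_ip becomes real_ip in A-record RDATA;
    real_ifc -> mapped_ifc: real_ip becomes mapped_ip. Returns (bytes, rewrites)."""
    out = bytearray(pkt)
    rewrites = []
    for off in _a_record_offsets(pkt):
        ip = _b2ip(pkt[off:off + 4])
        for s in statics:
            if not s.dns:
                continue
            if (in_ifc, out_ifc) == (s.mapped_ifc, s.real_ifc) and ip == s.mapped_ip:
                new = s.real_ip
            elif (in_ifc, out_ifc) == (s.real_ifc, s.mapped_ifc) and ip == s.real_ip:
                new = s.mapped_ip
            else:
                continue
            out[off:off + 4] = _ip2b(new)
            rewrites.append((ip, new))
            break
    return bytes(out), rewrites


def translate(statics: list, in_ifc: str, src: str, dst: str):
    """Address translation for a packet entering in_ifc. Entering the mapped
    side with dst == mapped_ip: destination becomes real_ip. Entering the real
    side with src == real_ip: source becomes mapped_ip. Otherwise untouched."""
    for s in statics:
        if in_ifc == s.mapped_ifc and dst == s.mapped_ip:
            return src, s.real_ip
        if in_ifc == s.real_ifc and src == s.real_ip:
            return s.mapped_ip, dst
    return src, dst


def client_flow(static: Static, resolved_ip: str, client_ip: str = "10.1.2.3"):
    """Their DNS (on the outside) answers resolved_ip; the ASA doctors the reply
    towards the inside client; the client sends to what it was told; the ASA
    translates that packet on its way out. Returns (address the client used,
    source as seen outside, destination as seen outside)."""
    reply = build_dns_reply("example.com", [resolved_ip])  # constructed
    doctored, _ = doctor_dns_reply(reply, [static], "outside", "inside")
    target = a_records(doctored)[0]
    src, dst = translate([static], "inside", client_ip, target)
    return target, src, dst


if __name__ == "__main__":
    posted = Static("inside", "outside", "172.20.1.10", "10.10.10.10", dns=True)
    reversed_ = Static("outside", "inside", "10.10.10.10", "172.20.1.10", dns=True)
    print("posted line   :", client_flow(posted, "172.20.1.10"))
    print("reversed line :", client_flow(reversed_, "172.20.1.10"))
    print("site B, no entry:", client_flow(reversed_, "172.20.2.10"))
```

Running it shows that the line quoted in the post doctors the answer to 10.10.10.10 but, because that packet enters on the static's real interface, the client's packet to 10.10.10.10 is forwarded with its destination unchanged; the reversed form doctors the same answer and then rewrites the destination back to 172.20.1.10 while leaving the client's source alone, which is the single-static behaviour the post is reaching for. The third call shows the limit of the approach for the failover case: an address returned by their DNS that has no static entry is neither doctored nor translated, so each site B address would need its own entry.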