using DNS NAT on ASA in reverse?

Hi, I've just been faced with a routing issue with a third party which I'm hoping the NAT DNS feature will be able to help with, but I'd like some clarification on whether I can use it in the way I'm thinking of.

Basically we have a 10.0.0.0/8 network, so do they, and we may have to reach literally *any* of those addresses purely based on the DNS resolution that we get from their name servers. Their failover model is that if siteA fails then they change their DNS to point at siteB, basically, so we *MUST* keep resolving by their DNS servers, but we cannot route to their IPs.

So with DNS NAT, is it somehow possible to do the standard DNS lookup on their servers and then replace known IP addresses with a pre-natted equivalent IP which can then be used as a NAT into the third party's network, rather than its original use of keeping the traffic from hitting the ASA at all? So rather than the DNS result that comes back to the client being a local LAN server, it's actually an address on the ASA which will then NAT the packets into the address that was originally in the DNS result that came back.

Sorry if this sounds confusing, but it's a little clearer in my head at the moment. If this is possible I've a feeling that it may actually be a pretty neat way of doing it, but I'm not sure yet.

Thanks

Chris

3 REPLIES
New Member

Re: using DNS NAT on ASA in reverse?

Well, I've been looking at the two-interface example, where traffic doesn't see the firewall again, so this does add a bit more, but it's not really what I mean. I have to confess my ASA NAT knowledge isn't too hot, but based on the code in the example I think I'm suggesting a config like this:

static (inside,outside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255 dns

static (outside,inside) 10.10.10.10 172.20.1.10 netmask 255.255.255.255

So I do a DNS request for example.com which remotely resolves to 172.20.1.10. The ASA then converts it to 10.10.10.10. The packet from the client for 10.10.10.10 is then routed to the ASA and the second NAT sends it onwards to 172.20.1.10 by natting the destination and not the source as the first NAT by itself would do.

As above, these are two private, largely overlapping WANs, but the source IP of the client is OK on the remote network, so no need to source NAT the outbound traffic.

Is this on the right track? It seems that the two NATs will sit very uncomfortably with each other.

Thanks

Chris
