Cisco Support Community
Community Member

DNS NAT translation

We have currently using 3600 routers to do NAT translation at the edge of our network, and these are working fine. We have decided to move this process over to ASA5520's, and are in the process of doing this.

We have one problem though, and it is a major headache. We have our own internal DNS servers, which external sites use to resolve names internal to us. This works when using the routers, but not when using the ASAs.

The problem is that when an external site uses nslookup to resolve a site behind the firewall the reply given is the true IP address of the device rather than the NAT'd entry. We can find several documents on this, but they all tend to refer to having the DNS on the outside of your network.

Any ideas on resolving this would be gratefully appreciated.

6 REPLIES
Hall of Fame Super Blue

Re: DNS NAT translation

Hi

DNS inspection should sort this out for you, but it should be on by default.

You don't say which version of the software you are running but attached is a link to ASA 7.2 command reference for dns inspect and it's uses.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1670620

HTH

Jon

Community Member

Re: DNS NAT translation

Hi Jon,

Thanks for the reply, we are testing it now. The software we are running is 7.2.

Thanks,

Mike.

Hall of Fame Super Blue

Re: DNS NAT translation

Mike

No problem. Let me know how you get on.

Jon

Community Member

Re: DNS NAT translation

Hi Jon,

We have entered the following policy but are still getting the 'real' ip when an outside device queries the internal DNS server:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns

The DNS server has a static NAT translation, as does the particular device we are testing.

e.g.

Static (inside, outside) 10.1.1.1 10.2.2.2 dns

Any ideas?

Mike.

Green

Re: DNS NAT translation

Mike,

Have you considered having the server resolve the addresses to the external addresses in the first place?

You could then hairpin users on the inside which would allow them to resolve to the external address as well.

Community Member

Re: DNS NAT translation

We have got the DNS inspection working now, but it does seem that a problem still persists.

People external to us can do successful DNS queries, but the TTL on the DNS entry is not being re-written. So after the NAT entry has expired after 30 minutes they have an invalid resolution.

Can anyone please advise on how to amend the TTL on DNS lookups?
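The behaviour the thread is chasing, an ASA `static ... dns` entry plus `inspect dns` rewriting the A record inside the DNS reply (often called DNS doctoring), is easiest to see on the wire. Below is an added example written for this page, not Cisco's code and not anything from the posts above: a small Python simulation that parses a DNS response, replaces real inside addresses with their mapped outside addresses from a NAT table, and, as the poster's last message asks about, optionally clamps the answer TTL so external resolvers cannot cache an address longer than the translation is expected to live. The NAT table, the 30-minute `XLATE_TIMEOUT_SECONDS`, the `ttl_cap` option and the sample packet are all constructed assumptions for the demo; whether a given ASA release can cap the TTL itself is not something this thread establishes.

```python
"""Simulate ASA-style DNS doctoring (static NAT with the `dns` keyword plus
`inspect dns`): rewrite A-record answers from an inside DNS server so that
external resolvers see the mapped (outside) address instead of the real one.

Added example for illustration, not the page's or Cisco's code. The NAT
table, timeout and packet below are constructed for this demo.
"""
import struct

# Constructed static NAT table: real (inside) address -> mapped (outside) address.
# This mirrors what `static (inside,outside) <mapped> <real> dns` declares.
NAT_REAL_TO_MAPPED = {
    "10.1.1.1": "10.2.2.2",    # the inside DNS server itself
    "10.1.1.50": "10.2.2.50",  # the host being looked up
}

# Constructed assumption: the 30-minute translation lifetime mentioned in the thread.
XLATE_TIMEOUT_SECONDS = 30 * 60


def _skip_name(buf, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:                 # root label ends an uncompressed name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def doctor_dns_response(packet, nat_table, ttl_cap=None):
    """Rewrite IN A answers through `nat_table`, clamping TTLs to `ttl_cap` if given.

    Returns (new_packet, changes) where each change is
    (original_ip, rewritten_ip, original_ttl, new_ttl). Only fixed-size A RDATA
    is touched, so the packet length and all compression pointers stay valid.
    """
    buf = bytearray(packet)
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", buf, 4)
    off = 12                                        # past the 12-byte header
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4              # QNAME then QTYPE + QCLASS
    changes = []
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        rdata_off = off + 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A record
            real_ip = ".".join(str(b) for b in buf[rdata_off:rdata_off + 4])
            mapped_ip = nat_table.get(real_ip)
            new_ttl = min(ttl, ttl_cap) if ttl_cap is not None else ttl
            if mapped_ip is not None:               # address is behind a static: rewrite it
                buf[rdata_off:rdata_off + 4] = bytes(int(x) for x in mapped_ip.split("."))
            if new_ttl != ttl:                      # TTL field sits 4 bytes after the type
                struct.pack_into("!I", buf, off + 4, new_ttl)
            changes.append((real_ip, mapped_ip or real_ip, ttl, new_ttl))
        off = rdata_off + rdlen
    return bytes(buf), changes


def build_a_response(name, ip, ttl, txid=0x1234):
    """Build a minimal one-answer DNS response (constructed input for the demo)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = qname + struct.pack("!HH", 1, 1)                  # A, IN
    answer = (b"\xc0\x0c"                                        # pointer to QNAME
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(x) for x in ip.split(".")))
    return header + question + answer


def demo():
    """Show the inside server's raw answer and what an external client would see."""
    raw = build_a_response("host.example.com", "10.1.1.50", 86400)
    doctored, changes = doctor_dns_response(raw, NAT_REAL_TO_MAPPED,
                                            ttl_cap=XLATE_TIMEOUT_SECONDS)
    for real_ip, mapped_ip, old_ttl, new_ttl in changes:
        print(f"A {real_ip} ttl={old_ttl}  ->  A {mapped_ip} ttl={new_ttl}")
    return changes


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the 10.1.1.50 answer leaving as 10.2.2.50 with its day-long TTL cut to 1800 seconds; an address with no static entry (for example a public address the inside server happens to return) passes through untouched. Capping the TTL in the reply is the defensive counterpart of the poster's complaint: if external resolvers may cache an answer longer than the translation that makes it reachable, the cached address goes stale exactly as described in the last post.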
