Cisco ASA 5580 Adaptive Security Appliance Technical Manual

Scenario: Three NAT Interfaces - Inside, Outside, DMZ
Topology
This diagram is an example of this situation. In this case, the client at 192.168.100.2 wants to use the
server.example.com URL in order to access the WWW server at 10.10.10.10. DNS services for the client are
provided by the external DNS server at 172.22.1.161. Because the DNS server is located on another public
network, it does not know the private IP address of the WWW server. Instead, it knows the WWW server
mapped address of 172.20.1.10. Thus, the DNS server contains the IP-address-to-name mapping of
server.example.com to 172.20.1.10.
Problem: Client Cannot Access the WWW Server
Without DNS doctoring or another solution enabled in this situation, if the client sends a DNS request for the
IP address of server.example.com, it is unable to access the WWW server. This is because the client receives
an A-record that contains the mapped public address of 172.20.1.10 for the WWW server. When the client
tries to access this IP address, the security appliance drops the packets because it does not allow packet
redirection on the same interface. Here is what the NAT portion of the configuration looks like when DNS
doctoring is not enabled:
ASA Version 9.x
!
hostname ciscoasa
!--- Output suppressed.
access-list OUTSIDE extended permit tcp any host 10.10.10.10 eq www
!--- Output suppressed.
object network obj-192.168.100.0
network 192.168.100.0 255.255.255.0
nat (inside,outside) dynamic interface
object network obj-10.10.10.10
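The rewrite that DNS doctoring performs on the reply from 172.22.1.161, modelled as an added Python example that is not part of this manual or of the ASA software: when a reply crosses from outside to inside and a static translation with the dns keyword exists for 172.20.1.10, the A record is rewritten to the real address 10.10.10.10 so the client connects directly. The static rule, the interface name dmz and the DNS reply bytes are all constructed assumptions for the example.

```python
import struct

# Static translations with the dns keyword, keyed (real_ifc, mapped_ifc) -> {mapped: real}.
# Addresses are the page's; the "dmz" interface name and the rule itself are assumptions.
STATIC_NAT = {("dmz", "outside"): {"172.20.1.10": "10.10.10.10"}}

def build_dns_reply(name, addrs, txid=0x1234):
    """Constructed test input: a minimal DNS response with one A record per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + bytes(int(o) for o in a.split(".")) for a in addrs)
    return header + qname + struct.pack("!HH", 1, 1) + answers

def _skip_name(msg, off):
    """Offset just past a label sequence or a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def a_records(msg):
    """Yield (rdata_offset, dotted_ip) for every A record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen

def doctor_dns_reply(msg, ingress, egress):
    """Rewrite A-record rdata as the appliance does for a reply crossing a dns-enabled static rule."""
    rewrites = {}
    for (_real_ifc, mapped_ifc), pairs in STATIC_NAT.items():
        if ingress == mapped_ifc and egress != mapped_ifc:
            rewrites.update(pairs)                                # mapped -> real
        elif egress == mapped_ifc and ingress != mapped_ifc:
            rewrites.update({r: m for m, r in pairs.items()})     # real -> mapped
    out = bytearray(msg)
    for off, ip in a_records(msg):
        if ip in rewrites:
            out[off:off + 4] = bytes(int(o) for o in rewrites[ip].split("."))
    return bytes(out)
```

Running `a_records(doctor_dns_reply(build_dns_reply("server.example.com", ["172.20.1.10"]), "outside", "inside"))` yields the real address 10.10.10.10, which is what the inside client needs in order to reach the DMZ server.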