Cisco ASA 5525-X Adaptive Security Appliance Technical Manual
Configure DNS Doctoring for Three NAT Interfaces
on ASA Release 9.x
Document ID: 72273
Contributed by Shrinkhala Singhania, Vibhor Amrodia, and Dinkar
Sharma, Cisco TAC Engineers.
May 27, 2015
Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Background Information
Scenario: Three NAT Interfaces - Inside, Outside, DMZ
Topology
Problem: Client Cannot Access the WWW Server
Solution: "dns" Keyword
DNS Doctoring with the "dns" Keyword
Version 8.2 and Earlier
Version 8.3 and Later
Verify
Final Configuration with the "dns" Keyword
Alternative Solution: Destination NAT
Final Configuration with Destination NAT
Configure
Verify
Capture DNS Traffic
Troubleshoot
DNS Rewrite Is Not Performed
Translation Creation Failed
Related Information
Introduction
This document provides a sample configuration to perform Domain Name System (DNS) doctoring on the
ASA 5500-X Series Adaptive Security Appliance (ASA) that uses Object/Auto Network Address Translation
(NAT) statements. DNS doctoring allows the security appliance to rewrite DNS A-records.
DNS rewrite performs two functions:
• Translates a public address (the routable or mapped address) in a DNS reply to a private address (the
real address) when the DNS client is on a private interface.
• Translates a private address to a public address when the DNS client is on the public interface.
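A minimal model of the two rewrite directions, as an added example that is not Cisco's code or part of the original document: it parses a raw DNS reply and swaps the A-record address according to a single static NAT pair. The addresses (documentation ranges), the function names and the `client_side` parameter are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed static NAT pair with DNS rewrite enabled (constructed addresses).
REAL = ipaddress.ip_address("192.168.100.10")     # private (real) address
MAPPED = ipaddress.ip_address("198.51.100.10")    # public (mapped) address

def skip_name(msg, off):
    """Return the offset just past a DNS name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # 2-byte pointer always ends the name
            return off + 2
        off += 1 + n

def doctor(msg, client_side):
    """Rewrite A-record RDATA in a DNS reply.
    client_side "private": mapped -> real; "public": real -> mapped."""
    src, dst = (MAPPED, REAL) if client_side == "private" else (REAL, MAPPED)
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                       # fixed DNS header length
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        # Only IN/A records carrying the NAT rule's address are touched.
        if (rtype, rclass, rdlen) == (1, 1, 4) and msg[off:off + 4] == src.packed:
            out[off:off + 4] = dst.packed
        off += rdlen
    return bytes(out)

def build_reply(name, addr):
    """Constructed sample: DNS reply with one question and one A answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + addr.packed
    return header + question + answer

def answer_ip(msg):
    """Address carried in the final A record of the constructed reply."""
    return ipaddress.ip_address(msg[-4:])
```

Because an A record's RDATA is always four bytes, the rewrite leaves the message length and every compression pointer unchanged; replies carrying any other address pass through untouched.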