DNS-doctoring with Cisco ASA 5505

Post by: Kurt-Erik Karlsen    Date: 14/05/2009    Category: Network infrastructure, Technology

On a Cisco ASA, if an internal server is published through a static NAT rule on the outside interface, hosts on the inside will not be able to reach that server by its public (translated) address.

There are two ways to solve this problem:

DNS doctoring

  1. Enable DNS doctoring on the static NAT rule (this option is not available for PAT rules):
    In ASDM go to: Configuration -> Firewall -> NAT Rules -> Edit Static NAT -> Connection Settings and check “Translate the DNS replies that match the translation rules”.

Hairpinning

  1. Allow traffic to enter and leave the same interface (hairpinning with static NAT):
    In ASDM go to: Configuration -> Device Setup and check “Enable traffic between two or more hosts connected to the same interface”.

    For a PAT rule, create a new static PAT rule under “NAT Rules” with these settings:
    Original
    Interface: inside
    Source: internal server

    Translated
    Interface: inside
    Use IP Address: the external (public) IP the server is published on through the outside interface

    If the existing outside-facing NAT rule uses PAT, use the same port settings in this rule too.

  2. In addition, the dynamic NAT rule that translates internal addresses to the outside interface address has to be extended with a pool on the inside interface.

    Edit Dynamic NAT Rule -> Manage -> Add, and add a new Global Address Pool with:
    Interface: inside
    Pool: 1
    Port Address Translation (PAT) using IP Address of the interface

DNS doctoring should be preferred over hairpinning: the internal client then connects to the server directly on the LAN, so the session adds no traffic through the firewall.
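As an added worked example (not from the original post or from Cisco's document), here is the CLI equivalent of the two ASDM procedures above in pre-8.3 ASA syntax (the syntax current when this post was written; 8.3 and later rewrote the NAT commands). The addresses and the ACL name are constructed placeholders.

```cisco
! Added example, not from the original post. Constructed placeholders:
!   192.168.1.10   = internal web server
!   203.0.113.10   = public IP the server is published on
!   192.168.1.0/24 = inside LAN

! --- Option 1: DNS doctoring (static NAT only, no port translation) ---
! The trailing "dns" keyword makes the ASA rewrite A records in DNS
! replies that cross it: an answer of 203.0.113.10 delivered to an
! inside host becomes 192.168.1.10, so the client connects directly on
! the LAN and the firewall never carries the session. The DNS reply
! must itself pass through the ASA (e.g. an external resolver) for the
! rewrite to happen.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 dns
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside

! --- Option 2: Hairpinning ---
! Allow traffic to enter and leave the same interface (the ASDM checkbox
! "Enable traffic between two or more hosts connected to the same interface").
same-security-traffic permit intra-interface

! Static translation on the inside interface itself, so an inside host
! sending to the public IP has the destination rewritten to the server (step 1).
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! If the outside rule is a static PAT (only port 80 published on the
! outside interface address), mirror its port settings on the inside too:
! static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
! static (inside,inside) tcp 203.0.113.10 80 192.168.1.10 80 netmask 255.255.255.255

! Dynamic PAT pool 1 must also exist on the inside interface (step 2):
! the client's source address is rewritten to the inside interface IP, so
! the server's reply returns through the ASA instead of going straight back
! to the client and breaking the connection state.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
```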

Source for DNS doctoring and hairpinning configuration:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml


1 Comment to “DNS-doctoring with Cisco ASA 5505”

  1. gratefull says:

    Thanks!! I had been looking up how to solve this problem for a while. Simple, nice solution.
