[c-nsp] ASA Static Translations / DNS Doctoring

Clue Store cluestore at gmail.com
Fri Jul 17 15:01:57 EDT 2009


Hi Andrew,

Thanks for the reply. I understand the static function, which was why I was
asking if there was a way to do DNS doctoring via another method instead of the
static command. I take it that the answer is no. I also have the option of
mapping all domains to one public, but it is at the administrator's request
that it be done like this, so I do not have many options.

Anyways, I think your idea of using some secondary addresses might be my
easiest path. I just have to make sure I have enough on the inside to pull
it off.

Thanks,
Clue

On Fri, Jul 17, 2009 at 1:27 PM, Andrew Yourtchenko <ayourtch at cisco.com> wrote:

> On Fri, 17 Jul 2009, Clue Store wrote:
>
>> Hi All,
>>
>> I'm trying to do DNS doctoring on an ASA and for specific reasons I need
>> to map several different (public) outside IPs to the one inside IP as shown
>> below.
>>
>> static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns
>> static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255 dns
>>
>
> With "static (inside,outside) AddrPublic AddrPrivate netmask
> 255.255.255.255 dns" in the config,
>
> you're saying:
>
> 1) when anyone tries to talk to AddrPublic from the outside, they will get
> to AddrPrivate on the inside
> 2) when AddrPrivate tries to talk to anyone on the outside, it will be seen
> there as AddrPublic
> 3) the DNS response containing AddrPrivate or AddrPublic, depending on
> where it is arriving, will have this address translated accordingly. (So the
> DNS server on the outside replying AddrPublic to someone on the inside will
> have this translated to AddrPrivate; and an inside DNS server which replies
> AddrPrivate to the outside will have it translated to AddrPublic.)
>
> (3) is what the "dns" keyword turns on when it is present.
>
> The symmetry of the behaviour prevents the 'many to one' behaviour that
> you are looking for - because then it would encounter a conflict or
> unpredictability when going outbound.
>
> The simplest way around is to grab a few secondary RFC 1918 addresses,
> assign them to the host, and do the mapping between those and the public
> addresses.
>
> For your /27 case, having 30 secondaries does not look terribly exciting,
> but assuming the host can survive that, it should do the trick.
>
> cheers,
> andrew
>
>
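A small model of the static/dns behaviour Andrew describes (points 1 to 3), of why two public addresses onto one inside host conflict, and of the secondary-address workaround. This is an added example, not code from the thread or from Cisco; the config parsing is a simplification of the real `static` syntax, and the 203.0.113.x public addresses are constructed stand-ins for the poster's 208.x.x.x.

```python
import re
from typing import Dict, List, Set, Tuple

STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)(?: (dns))?$")
Xlate = Tuple[Dict[str, str], Dict[str, str], Set[str]]

def build_xlate(lines: List[str]) -> Xlate:
    """Build both directions of the translation table (points 1 and 2 in the
    reply) plus the addresses whose static carries 'dns'. Each static is
    symmetric, so a second public address for the same inside host is
    rejected: outbound traffic could not pick a source, the conflict the
    thread describes."""
    pub_to_priv: Dict[str, str] = {}
    priv_to_pub: Dict[str, str] = {}
    dns_enabled: Set[str] = set()
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a static line: {line!r}")
        _in_if, _out_if, public, private, _mask, dns = m.groups()
        if priv_to_pub.get(private, public) != public:
            raise ValueError(f"{private} already maps to {priv_to_pub[private]}; "
                             f"a second static to {public} is ambiguous outbound")
        pub_to_priv[public] = private
        priv_to_pub[private] = public
        if dns:
            dns_enabled.update((public, private))
    return pub_to_priv, priv_to_pub, dns_enabled

def doctor_answers(answers: List[str], arriving_from: str, xlate: Xlate) -> List[str]:
    """Point 3: rewrite A-record answers of a DNS reply crossing the ASA.
    From 'outside' (to an inside client) public -> private; from 'inside'
    (to an outside client) private -> public. Only 'dns' statics take part."""
    pub_to_priv, priv_to_pub, dns_enabled = xlate
    table = pub_to_priv if arriving_from == "outside" else priv_to_pub
    return [table.get(a, a) if a in dns_enabled else a for a in answers]

# Constructed configs; 203.0.113.x (TEST-NET-3) stands in for the poster's 208.x.x.x.
# The original attempt: two public addresses onto one inside host.
MANY_TO_ONE = [
    "static (inside,outside) 203.0.113.25 192.168.100.10 netmask 255.255.255.255 dns",
    "static (inside,outside) 203.0.113.26 192.168.100.10 netmask 255.255.255.255 dns",
]
# The suggested workaround: one secondary RFC 1918 address per public address.
SECONDARIES = [
    "static (inside,outside) 203.0.113.25 192.168.100.10 netmask 255.255.255.255 dns",
    "static (inside,outside) 203.0.113.26 192.168.100.11 netmask 255.255.255.255 dns",
]
```

`build_xlate(MANY_TO_ONE)` raises, while `build_xlate(SECONDARIES)` succeeds and an outside reply answering 203.0.113.26 is doctored to 192.168.100.11 for the inside client.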
