[c-nsp] ASA Static Translations / DNS Doctoring
Andrew Yourtchenko
ayourtch at cisco.com
Fri Jul 17 14:27:54 EDT 2009
On Fri, 17 Jul 2009, Clue Store wrote:
> Hi All,
>
> I'm trying to do DNS doctoring on an asa and for specific reasons I need to
> map several different (public) outside IP's the one inside ip as shown
> below.
>
> static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns
> static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255 dns
With "static (inside,outside) AddrPublic AddrPrivate netmask
255.255.255.255 dns" in the config,
you're saying:
1) when anyone tries to talk to AddrPublic from the outside, they will get to AddrPrivate on the inside
2) when AddrPrivate tries to talk to anyone on the outside, it will be seen there as AddrPublic
3) a DNS response containing AddrPrivate or AddrPublic, depending on
where it is arriving, will have this address translated accordingly. (So
the DNS server on the outside replying AddrPublic to someone on the inside
will have this translated to AddrPrivate; and an inside DNS server which
replies AddrPrivate to the outside will have it translated to
AddrPublic.)
The (3) is what the "dns" keyword turns on when it is present.
The symmetry of the behaviour prevents the 'many to one' behaviour
that you are looking for, because then it would encounter a conflict or
unpredictability when going outbound.
The simplest way around is to grab a few secondary
rfc1918 addresses and assign them to the host and do the mapping between
those and the public addresses.
For your /27 case, having 30 secondaries does not look terribly exciting,
but assuming the host can survive that, it should do the trick.
cheers,
andrew
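An added example, not from the thread or from Cisco: a small Python model of the one-to-one "static ... dns" semantics described above. It shows why a second static for the same inside address is ambiguous for outbound translation, and how the secondary-address workaround resolves it. All addresses are constructed; 203.0.113.25/26 stand in for the masked 208.x.x.25/26 in the question.

```python
from ipaddress import IPv4Address

OUTSIDE_TO_INSIDE = "outside->inside"   # DNS reply arriving from the outside
INSIDE_TO_OUTSIDE = "inside->outside"   # DNS reply leaving towards the outside


class StaticNatTable:
    """Table of one-to-one 'static (inside,outside) ... dns' entries (model only)."""

    def __init__(self):
        self.pub_to_priv = {}
        self.priv_to_pub = {}

    def add_static(self, public, private):
        """Add one static. An inside address may map to only one public address,
        otherwise outbound translation (point 2 in the reply) is ambiguous."""
        if private in self.priv_to_pub and self.priv_to_pub[private] != public:
            raise ValueError(
                f"{private} already maps to {self.priv_to_pub[private]}; "
                f"outbound translation to {public} would be ambiguous")
        if public in self.pub_to_priv and self.pub_to_priv[public] != private:
            raise ValueError(f"{public} already maps to {self.pub_to_priv[public]}")
        self.pub_to_priv[public] = private
        self.priv_to_pub[private] = public

    def doctor(self, answer, direction):
        """Rewrite one A-record answer the way the 'dns' keyword does (point 3).
        Answers with no matching static are passed through untouched."""
        table = self.pub_to_priv if direction == OUTSIDE_TO_INSIDE else self.priv_to_pub
        return table.get(answer, answer)


def many_to_one_via_secondaries(publics, first_private):
    """The workaround from the reply: give the host one RFC 1918 secondary per
    public address (consecutive from first_private) and map them one-to-one.
    Returns the resulting static table."""
    table = StaticNatTable()
    private = IPv4Address(first_private)
    for public in publics:
        if not private.is_private:
            raise ValueError(f"{private} is not an RFC 1918 address")
        table.add_static(public, str(private))
        private += 1
    return table
```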