DNS Reply Modification

I have some ports forwarded to the outside interface on my ASA 5505. Here is an example:

static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255

I want internal hosts to be able to connect to 192.168.1.2 by using DNS. I do not have a DNS server inside, so the hosts would have to use public DNS.

In the Cisco Security Appliance Command Line Configuration Guide I found something called DNS Reply Modification. I tried it:

static (inside,outside) x.x.x.x 192.168.1.2 netmask 255.255.255.255 dns (Where x.x.x.x is my outside ip address)

but got some sort of conflict:

WARNING: real-address conflict with existing static TCP inside:192.168.1.2/110 to outside:0.0.0.0/110 netmask 255.255.255.255

I only have one public ip address, which is why I had to use port forwarding. Perhaps that's the problem.

Is there any way to accomplish this?

Thanks


The problem is that you have inside hosts which are trying to communicate with the outside IP address of the firewall. It will not work based on the security concepts of the firewall.

I bet that if you performed a DNS lookup by itself, such as using the Windows "nslookup" command, then you will find that the DNS lookup is successful. Then try to PING the outside IP address of your Cisco ASA firewall by specifying the PING command by IP address, not name. It will fail.

I suggest that you place an entry in the HOSTS file of your inside PCs so that the FQDN (fully qualified domain name) which you are trying to reach is really pointed to the inside IP address of that server.

-----
Scott Perry
Indianapolis, IN
-----


| I have some ports forwarded to the outside interface on my ASA 5505.
| Here is an example:
|
| static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255
|
| I want internal hosts to be able to connect to 192.168.1.2 by using
| DNS. I do not have a DNS server inside, so the hosts would have to
| use public DNS.
|
| In the Cisco Security Appliance Command Line Configuration Guide I
| found something called DNS Reply Modification. I tried it:
|
| static (inside,outside) x.x.x.x 192.168.1.2 netmask 255.255.255.255 dns (Where x.x.x.x is my outside ip address)
|
| but got some sort of conflict:
|
| WARNING: real-address conflict with existing static TCP inside:192.168.1.2/110 to outside:0.0.0.0/110 netmask 255.255.255.255
|
| I only have one public ip address, which is why I had to use port
| forwarding. Perhaps that's the problem.
|
| Is there any way to accomplish this?

Are you using both static statements at the same time?

You are on the right way with dns doctoring. You can read about it here

Your static statement should look like this: static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255 dns

I'm not sure whether this works with port forwarding, but if it does the command should probably look like this:

static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255 dns
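What the `dns` keyword on the static actually does to a reply passing through the appliance, as an added Python illustration that is not code from the ASA or from anyone in this thread: it walks the answer section of a constructed resolver reply and rewrites any A record carrying the outside address (203.0.113.10 here, a hypothetical stand-in for x.x.x.x) to the inside address 192.168.1.2, so an inside host resolving the public name ends up talking to the server directly instead of hairpinning through the firewall's outside interface.

```python
import struct

OUTSIDE_IP = "203.0.113.10"   # hypothetical outside (public) address of the ASA
INSIDE_IP = "192.168.1.2"     # inside server from the thread

def _skip_name(pkt, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def a_records(pkt):
    """Yield (rdata offset, dotted address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, ".".join(str(b) for b in pkt[off:off + 4])
        off += rdlen

def doctor_reply(pkt, outside_ip=OUTSIDE_IP, inside_ip=INSIDE_IP):
    """Rewrite A records that answer with outside_ip so inside hosts get inside_ip."""
    buf = bytearray(pkt)
    for off, addr in list(a_records(pkt)):    # RDATA length is unchanged, offsets stay valid
        if addr == outside_ip:
            buf[off:off + 4] = _ip_bytes(inside_ip)
    return bytes(buf)

def build_reply(name, ip, txid=0x1234):
    """Constructed sample: a one-answer A reply, as a public resolver would return it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip_bytes(ip)
    return header + qname + struct.pack("!HH", 1, 1) + answer

if __name__ == "__main__":
    reply = build_reply("mail.example.com", OUTSIDE_IP)
    print([a for _, a in a_records(doctor_reply(reply))])   # ['192.168.1.2']
```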
