26-21
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 26 Information About NAT
  DNS and NAT
Note If you configure the mapped interface to be any interface but specify a mapped address on the same network as one of the interfaces, and an ARP request for that mapped address arrives on a different interface, then you must manually configure an ARP entry for that network on the other interface, specifying the interface MAC address (see Configuration > Device Management > Advanced > ARP > ARP Static Table). Typically, if you specify any interface for the mapped interface, you use a unique network for the mapped addresses.
• Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify 
addresses on a different subnet. The adaptive security appliance uses proxy ARP to answer any 
requests for mapped addresses, and thus it intercepts traffic destined for a real address.
See additional guidelines about mapped IP addresses in Chapter 27, “Configuring Network Object 
NAT,” and Chapter 28, “Configuring Twice NAT.”
DNS and NAT
You might need to configure the adaptive security appliance to modify DNS replies by replacing the 
address in the reply with an address that matches the NAT configuration. You can configure DNS 
modification when you configure each translation.
This feature rewrites the A record, or address record, in DNS replies that match a NAT rule. For DNS 
replies traversing from a mapped interface to any other interface, the A record is rewritten from the 
mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped 
interface, the A record is rewritten from the real value to the mapped value.
Note If you configure a twice NAT rule, you cannot configure DNS modification if you specify the source 
address as well as the destination address. These kinds of rules can potentially have a different 
translation for a single address when going to A vs. B. Therefore, the adaptive security appliance cannot 
accurately match the IP address inside the DNS reply to the correct twice NAT rule; the DNS reply does 
not contain information about which source/destination address combination was in the packet that 
prompted the DNS request.
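The following is an added illustration of the A-record rewrite described above and of the twice NAT restriction in the Note; it is example code written for this page, not Cisco ASA code. It models a NAT rule with the real and mapped addresses from the ftp.cisco.com example (10.1.3.14 and 209.165.201.10), assumes hypothetical interface names "inside" and "outside", and parses a constructed DNS reply to rewrite its A records in the direction the text specifies (mapped to real when the reply enters on the mapped interface, real to mapped when it leaves on the mapped interface).

```python
"""Added example: ASA-style DNS reply modification (DNS rewrite) in miniature."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class NatRule:
    """One static NAT translation. Interface names here are hypothetical."""
    real: str
    mapped: str
    mapped_if: str
    dns_rewrite: bool = True
    # Twice NAT rule that specifies a destination translation as well as the source.
    translates_destination: bool = False


def dns_rewrite_allowed(rule: NatRule) -> bool:
    """Documented restriction: DNS modification cannot be combined with a twice NAT
    rule that specifies both the source and the destination address."""
    return not (rule.dns_rewrite and rule.translates_destination)


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_a_reply(name: str, ip: str, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Constructed sample DNS reply: one question and one A answer whose name is a
    compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name, 2 bytes total
            return off + 2
        off += 1 + length


def _a_record_offsets(msg: bytes):
    """Yield the offset of the 4-byte RDATA of every A record in the reply."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def rewrite_dns_reply(reply: bytes, ingress_if: str, egress_if: str, rules) -> bytes:
    """Apply the direction rules from the text to each A record and return the new reply."""
    msg = bytearray(reply)
    for off in _a_record_offsets(msg):
        addr = str(IPv4Address(bytes(msg[off:off + 4])))
        for rule in rules:
            if not rule.dns_rewrite:
                continue
            if ingress_if == rule.mapped_if and addr == rule.mapped:
                msg[off:off + 4] = IPv4Address(rule.real).packed    # mapped -> real
                break
            if egress_if == rule.mapped_if and addr == rule.real:
                msg[off:off + 4] = IPv4Address(rule.mapped).packed  # real -> mapped
                break
    return bytes(msg)


def answer_addresses(msg: bytes):
    """A-record addresses in a reply, for inspection."""
    return [str(IPv4Address(bytes(msg[o:o + 4]))) for o in _a_record_offsets(msg)]


# Static rule from the page's example: ftp.cisco.com real 10.1.3.14, mapped 209.165.201.10,
# mapped on the hypothetical "outside" interface.
FTP_RULE = NatRule(real="10.1.3.14", mapped="209.165.201.10", mapped_if="outside")

if __name__ == "__main__":
    reply = build_a_reply("ftp.cisco.com", "209.165.201.10")  # from the outside DNS server
    fixed = rewrite_dns_reply(reply, "outside", "inside", [FTP_RULE])
    print(answer_addresses(reply), "->", answer_addresses(fixed))
```

Only the RDATA bytes change, so the reply length and the compression pointers stay valid; a real implementation would also have to recompute UDP/IP checksums and cope with TCP, EDNS0 and DNSSEC-signed answers, which the rewrite would invalidate.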
For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the 
inside interface. You configure the adaptive security appliance to statically translate the ftp.cisco.com 
real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. 
(See Figure 26-18.) In this case, you want to enable DNS reply modification on this static rule so that 
inside users who have access to ftp.cisco.com using the real address receive the real address from the 
DNS server, and not the mapped address.