how to access outside IP of static map from inside

Posted on 2008-11-12
Last Modified: 2012-05-05
I have a typical setup with an ASA5520 inside, outside and dmz.

I have a server in the dmz which has dns enabled

My inside network is

I have a static map for an outside ip i'll call it to

I have all my NAT and access lists set up for basic access as per the Cisco guides, so I can:

1. do a dns request from the inside network to the dmz address and get a response
2. do a dns request from the internet to the address and get a response

What I can't do is do a DNS request from the inside to the address.  I see a lot of people talking about using DNS rewrite to fix this, but that wouldn't work if you use the IP address directly, e.g. if you issue the command 'host' from an inside Linux computer.  We actually run both internal and external DNS servers, so I can function like this, but I was just wondering if there was a way to make this work.  I thought I came across a document once that told how to do this with another NAT command, but I can't seem to find it again.
Question by: rkk-cwright
    LVL 8

    Assisted Solution

    The ASA DNS rewrite function looks for DNS responses that return one of the static address translations that it is enabled for, and it replaces the outside NAT address that DNS returns with the inside (or DMZ) address as appropriate. In other words, if you nslookup or dig (from inside), and in outside DNS shows as, the firewall would see the response to a DNS query containing as an answer and replace it with

    I'm assuming your host and its "" NAT are a DNS resolver?

    In general, the ASA won't send traffic in and out the same interface unless you make it do it (with the PIX before this, it just couldn't, period). What you are trying to do essentially looks like making a request from inside, that would have to go through NAT translation to the outside, then loop back in the same interface to hit the NAT of the DMZ box. Which is the same as making a request to the DMZ box's native address, really. But it may work if you try adding this command to your config:

    same-security-traffic permit inter-interface

    Let me know if that works?


    Author Comment

    I already had that same-security-traffic statement.

    The server in question is a DNS resolver, but yeah, this would affect any servers.  Yeah, the path of the packet would seem to be inside -> outside -> outside -> dmz.  

    For some reason I thought there was a way to apply a NAT statement to translate to on the inside interface, so that the packet would then go inside -> dmz just like it does when I address the server with its local address.  I could've sworn I saw an example of this somewhere, but I could just be dreaming it.
    LVL 8

    Accepted Solution

    It would be possible to NAT it that way from the CLI... but it's not a best-practice way of setting up the NAT, and it will confuse the heck out of your ASDM if you use it; that web GUI HATES stuff that looks like it should be outside coming from the inside...

    If you already have that same-security command exactly as I showed it above (that permit inter-interface is the critical part), then first check the firewall log and see what errors show up when you try to do your lookup that way. Maybe some spoofing thing? Or a no-translation-group? I haven't tried this exact thing myself, but I suspect that due to the way the ASA does NAT, and how the process works with IP packets going from ingress traffic, to NAT, to ruleset, to egress traffic, then back in through the same process but on the outside interface, the firewall will see one of its own IPs as a source attempting to connect to one of its other IPs, classify it as a spoof attack and drop the traffic. Meaning there would effectively be no way around it...
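The "NAT statement on the inside interface" the asker half-remembers, and the DNS rewrite the first answer describes, in ASA CLI form. This is an added example written for this page, not configuration posted by either participant. It uses the pre-8.3 `static` syntax that matches the 2008 date of the thread (8.3 and later replaced it with object and twice NAT), and every address and interface name below is a constructed assumption. Two caveats the thread does not spell out: the command quoted in the first answer, `same-security-traffic permit inter-interface`, only allows traffic between two interfaces that share a security level; traffic that must enter and leave the same interface (the inside -> outside -> outside -> dmz hairpin) is governed by `same-security-traffic permit intra-interface`. And the `dns` keyword only rewrites A records in DNS replies the ASA inspects, so it needs `inspect dns` in the service policy (present in the default global policy) and does nothing when a client uses the public IP directly. The `static (dmz,inside)` line avoids both problems: the inside host addresses the public IP and the ASA translates it to the DMZ address on the way inside -> dmz, with no hairpin at all.

```cisco
! Added example, not from the thread. ASA 7.x/8.0-8.2 syntax (pre-8.3).
! Constructed addressing (assumptions):
!   inside   10.1.1.0/24        nameif inside, security-level 100
!   dmz      192.168.100.0/24   nameif dmz,    security-level 50
!   DMZ DNS server real address 192.168.100.10, public address 203.0.113.10
!
! 1. The normal publishing static, outside -> dmz. The trailing 'dns' keyword
!    turns on DNS doctoring: an A record for 203.0.113.10 in a DNS reply that
!    passes through DNS inspection is rewritten to 192.168.100.10. This helps
!    only clients that resolve by name; 'host 203.0.113.10' from an inside box
!    is unaffected.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255 dns
!
! 2. Present the DMZ server to the inside network under its public address.
!    An inside host that connects to 203.0.113.10 is translated to
!    192.168.100.10 and forwarded inside -> dmz directly, so the outside
!    interface, hairpinning and the intra-interface permit never come into it.
!    Side effect to be aware of: connections the DMZ server itself opens toward
!    inside now carry source 203.0.113.10, and ASDM will not like the rule.
static (dmz,inside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255
!
! 3. If an ACL is applied inbound on the inside interface, it must permit the
!    traffic. Pre-8.3, an ingress ACL matches the packet as it arrives, i.e.
!    with the mapped destination 203.0.113.10, not the real DMZ address.
access-list inside_in extended permit udp 10.1.1.0 255.255.255.0 host 203.0.113.10 eq domain
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 host 203.0.113.10 eq domain
access-group inside_in in interface inside
!
! 4. Verification from the CLI, before and after a test query from inside.
!    packet-tracer walks the exact ingress -> ACL -> NAT -> egress path the
!    accepted answer describes and reports the phase that drops the packet.
! packet-tracer input inside udp 10.1.1.50 40000 203.0.113.10 53
! show xlate | include 203.0.113.10
! show logging | include 203.0.113.10
```

If the packet-tracer output shows a drop in the NAT or route-lookup phase instead of an ALLOW with egress interface dmz, the `static (dmz,inside)` line is not being matched; check that no earlier, broader `static (dmz,inside)` or `nat (inside)` entry captures the flow first, since pre-8.3 statics are evaluated in order of specificity.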

