• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 981
  • Last Modified:

ASA 5505 Config question

Hello all...

I am fairly new to ASA configurations... but I had a question.

In a config setup of:

hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static 2.2.2.2 dns

What exactly does the 'dns' do on line 3 exactly?  If I just want to setup a static route, it works without it, but what does it do, and do you want it or not?

Thanks
0
Bryan_
Asked:
Bryan_
  • 2
  • 2
2 Solutions
 
MikeKaneCommented:
Taken right from the command reference:
dns
      (Optional) Translates DNS replies. Be sure DNS inspection (inspect dns) is enabled (it is enabled by default). This option is not available if you specify the service keyword (for static NAT). For more information, see the Cisco ASA 5500 Series Configuration Guide using the CLI.


In English:
If this internal IP makes dns replies, the ASA will rewrite the outbound packet to reflect the public ip in the translation rule.
0
 
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
No. Not "if this internal ip"... If ANYONE on inside makes ANY DNS-request and the reply contains the global IP (2.2.2.2), the dns-reply will be rewritten to contain "1.1.1.1" instad of "2.2.2.2".

Best regards
Kvistofta
0
 
Bryan_Author Commented:
Thank you.

So for a web server to be used on that configuration, you would want the 'dns' set in that command.

Any reason to not do it?
0
 
MikeKaneCommented:
I run split dns, so i don't really need this.    My internal dns handles internal resolution.   My external dns for people outside, would give them the correct public IP.
0
 
Bryan_Author Commented:
Thanks for the clear and quick replies!!!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now