Solved

ASA-DNS Packet process

Posted on 2011-09-23
444 Views
Last Modified: 2012-05-12
Hi,

I have a Cisco ASA 5510 firewall.
My system is on the ASA inside network with a private IP.
My DNS server is on the outside interface with a public IP.

My queries are:

If my PC requests any Cisco URL, how does the packet flow from the ASA to the DNS server, back from the DNS server to the ASA, and then to my PC and on to the Cisco site?

If the DNS server is inside and I request a Cisco URL, how does the packet flow from the ASA to the DNS server, back from the DNS server to the ASA, and then to my PC and on to the Cisco site?

Do I need to static NAT my inside DNS server to a public IP, or is forwarding to a public DNS server a solution?

Regards
ramu

Question by: RAMU CH
4 Comments
LVL 18

Expert Comment

by: jmeggers
ID: 36587253
If the name-server is outside with a public IP and the destination is outside as well, then the request will be NATed at the ASA, the response will come back and then the host will have the real IP.

If the name-server is inside and the destination is outside, the request will go directly to the server and no NAT is needed.  The server will respond with the public IP of the destination.  

The complication is when the destination is NATed, such as an FTP server in your DMZ.  The outside DNS server will only know the FTP server by its public address, but inside hosts will reach the FTP server on its private address.  In that case, address translation must happen going through the ASA.  See the section on DNS and NAT in the ASA configuration guide at http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1090556.

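To make the DNS rewrite case in the comment above concrete, here is an added example (not from the original thread or from Cisco) that models what the ASA does to a DNS reply when the matching static NAT carries the `dns` keyword: an A record answering with the server's public address is rewritten to its private address before the reply is delivered to the inside host. The NAT table, hostnames and addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Static NAT entries as the ASA would hold them (constructed sample): public -> private.
STATIC_NAT = {"203.0.113.5": "10.1.1.5"}


def build_response(name, ip, txid=0x1234):
    """Construct a minimal DNS response (one question, one A answer) as sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, 1 Q, 1 A
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answer


def skip_name(pkt, off):
    """Return the offset just past a DNS name (plain labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_records(pkt):
    """Yield (rdata_offset, ip) for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                                # end of the fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4      # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10                          # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rdlen == 4:
            yield off, str(IPv4Address(pkt[off:off + 4]))
        off += rdlen


def doctor_reply(pkt, nat_table):
    """Rewrite A answers that carry a static NAT's public IP to the private IP.

    Mirrors the ASA 'dns' rewrite on a reply crossing outside -> inside.
    """
    out = bytearray(pkt)
    for off, ip in a_records(pkt):
        if ip in nat_table:
            out[off:off + 4] = IPv4Address(nat_table[ip]).packed
    return bytes(out)


def answer_ips(pkt):
    """List the A-record addresses in a reply, for inspection and checks."""
    return [ip for _, ip in a_records(pkt)]
```

Replies that answer with addresses not in the static NAT table pass through unchanged, which is the behaviour the comment describes for ordinary outside destinations.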
LVL 1

Author Comment

by: RAMU CH
ID: 36591411
The doc is about DNS reply modification.

If my DNS reply comes back with a public IP address, do I need an access-list for the inbound rule from the DNS server to my local host?

For DNS traffic, which port do I need to allow for inbound/outbound traffic on the PIX/ASA?
Why is DNS UDP traffic when it sends reply acknowledgements?

Regards
Ramu
LVL 35

Accepted Solution

by: Ernie Beek (earned 2000 total points)
ID: 37023774
Here is a nice article about DNS and setting up DNS inspection: http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
LVL 1

Author Closing Comment

by: RAMU CH
ID: 37111986
Thanks
