RAMU CH
ASA-DNS Packet process
Hi,
I have a Cisco ASA 5510 firewall.
My system is in the ASA inside network with a private IP.
My DNS is on the outside interface with a public IP.
My queries are:
If my PC requests any Cisco URL, how is the packet processed from the ASA to the DNS, back from the DNS to the ASA, and then to my PC and the Cisco site?
If the DNS is inside and I request a Cisco URL, how is the packet processed from the ASA to the DNS, back from the DNS to the ASA, and then to my PC and the Cisco site?
Do I need a static NAT for my inside DNS to a public IP, or is forwarding to a public DNS a solution?
Regards
ramu
ASKER
The doc is about DNS reply modification.
If my DNS reply comes back with a public IP address, do I need an access-list for the inbound rule from the DNS to my local host?
For DNS traffic, which port do I need to allow for inbound/outbound traffic in PIX/ASA?
Why is DNS UDP traffic, given that it sends reply acknowledgements?
Regards
Ramu
ASKER
Thanks
If the name-server is inside and the destination is outside, the request will go directly to the server and no NAT is needed. The server will respond with the public IP of the destination.
The complication is when the destination is NATed, such as an FTP server in your DMZ. The outside DNS server will only know the FTP server by its public address, but inside hosts will reach the FTP server on its private address. In that case, address translation must happen going through the ASA. See the section on DNS and NAT in the ASA configuration guide at http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1090556.
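As an added illustration (not part of the answer above and not taken from the linked guide), here is the ASA 8.3-style configuration for the DMZ FTP case the answer describes. The object name and the addresses (10.1.2.5 inside the DMZ, 203.0.113.5 as its public address) are constructed. The `dns` keyword on the static NAT rule is what makes the ASA rewrite the A record in the outside DNS server's reply, so the inside host receives the private address instead of the public one; that rewrite only takes place when DNS inspection is enabled, which it is in the ASA's default global policy.

```text
! Constructed example: DMZ FTP server 10.1.2.5 is published as 203.0.113.5.
! An inside host resolves the FTP name via the outside DNS server, which
! answers with 203.0.113.5; the "dns" keyword rewrites that A record to
! 10.1.2.5 as the reply passes back through the ASA.
object network dmz-ftp
 host 10.1.2.5
 nat (dmz,outside) static 203.0.113.5 dns
!
! DNS reply rewriting depends on DNS inspection. This is the ASA default
! global service policy, shown so the dependency is visible.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Pre-8.3 (ASA 8.2 / PIX) form of the same static rule:
! static (dmz,outside) 203.0.113.5 10.1.2.5 netmask 255.255.255.255 dns
```

Without the `dns` keyword the inside host would be handed 203.0.113.5 and would try to reach its own DMZ server through the outside address, which is the failure the answer is pointing at. After applying the rule, `show xlate` and `show conn` on the ASA are the places to confirm that the translation exists and that the DNS reply was inspected.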