
Cisco ASA DNS Rewrite issue


ourrob (Technical User, GB) - Apr 29, 2003
We've got a strange DNS rewrite issue. We are upgrading from PIX 6.3 firewalls (old 515Es) to new Cisco ASA 5540s running 7.08.

We've used the DNS rewrite function of the PIX for years and it's worked no problem (essentially appending dns to the end of the static) with the default fixup dns applied.

On our new firewall this just doesn't seem to work; we have inspect dns on and the same static applied.

It's just very odd; we've tried upgrading the code and it doesn't make any difference.

We've stripped down the config to a single static to ensure nothing else is getting in the way.

Has anyone else had this problem? Is there any gotcha I've missed in the way this works between 6.3 and 7.x?
 
Post a sh run.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here is an extract of the config (I'm not going to post it all).

The server is a proxy server which we translate from a DMZ network on a 192.168.8.21 address to a routable 10.120.0.121 address on our WAN.

When connecting to this server from the WAN interface with 10.120.0.121 it works fine, so I know the translation is working. When using the DNS name, it resolves to the DMZ address and so can't route to it.

In the syslog we can see the UDP request coming into the server, but we never see anything that refers to a DNS rewrite, and the address returned to the client is always the DMZ 192.168.8.21.

!
hostname xxxx
domain-name xxxx
names
dns-guard

static (dmz,wan) 10.120.0.121 192.168.8.21 netmask 255.255.255.255 dns

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns maximum-length 512
inspect http
inspect ils
class class_ftp
inspect ftp
class class_http
inspect http
class class_http1
inspect http
class class_http2
inspect http
class class_http3
inspect http
class class_sqlnet
inspect sqlnet
class class_sqlnet4
inspect sqlnet
policy-map type
!
service-policy global_policy global
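What the dns keyword on the static above is supposed to do to a reply, as an added Python example that is not from this thread or from Cisco: it parses a DNS response and swaps the real address 192.168.8.21 for the mapped 10.120.0.121 in every A answer, which is what a client on the WAN side should be getting back. The sample reply, the hostname proxy.example.com and the one-entry mapping table are constructed here; the ASA only applies this when the reply crosses the two interfaces named in the static with DNS inspection applied, which the simulation does not model.

```python
import socket
import struct

# Constructed mapping taken from the thread's static: real (dmz) address -> mapped (wan) address
STATIC_DNS_MAP = {"192.168.8.21": "10.120.0.121"}


def _skip_name(pkt, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # a 2-byte pointer also ends the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(pkt, mapping=STATIC_DNS_MAP):
    """Rewrite A-record answers the way 'static ... dns' is meant to: any answer
    carrying a real address in the mapping is replaced by its mapped address.
    Returns (rewritten_packet, [(real, mapped), ...])."""
    pkt = bytearray(pkt)
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                            # end of the 12-byte header
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    changes = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:   # A record with a 4-byte address
            real = socket.inet_ntoa(bytes(pkt[off:off + 4]))
            if real in mapping:
                pkt[off:off + 4] = socket.inet_aton(mapping[real])
                changes.append((real, mapping[real]))
        off += rdlen
    return bytes(pkt), changes


def build_reply(name, addr, txid=0x1234):
    """Constructed sample reply: one question plus one A answer whose name is a
    compression pointer (0xC00C) back to the question name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, 1 Q, 1 A
    question = qname + struct.pack("!HH", 1, 1)                 # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answer
```

Feeding a reply captured on the WAN side to doctor_dns_reply is a quick check: a non-empty changes list means the firewall left the real address in place, as in the syslog observation above.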
 