DNS query to internal DNS server from static NAT host

Discussion in 'Cisco' started by none, Apr 24, 2006.

  1. none

    none Guest

    I had my workstation setup on a static NAT address with the following ...

    static (inside,outside) 1.2.3.4 10.16.61.247 netmask 255.255.255.255

    and the following ACL applied to the outside interface ...

    access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 3389

    under PIX 7.0 software - with this in place my workstation can't do a
    DNS lookup using an internal DNS server.

    What do I need to make this work? I have a very similar setup in PIX 6.3
    working.

    TIA
     
    none, Apr 24, 2006
    #1

  2. none

    Guest

    You weren't very clear here as to whether your workstation and DNS
    server are on the Inside or Outside.
    Also note that although there is an explicit PERMIT from a higher
    security interface (Inside) to lower security (Outside), if you have
    any ACL applied inbound on the Inside then that explicit PERMIT is
    gone. You have to allow the DNS (UDP 53) in your ACL.
    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/intparam.htm#wp1043290

    Steve Griffin
    www.blueconsole.com (Bluetooth Wireless Console Cable)
     
    Steve Griffin, Apr 24, 2006
    #2

  3. none

    none Guest

    On Sun, 23 Apr 2006 18:24:09 -0700, info wrote:

    > You weren't very clear here as to whether you workstation and DNS
    > server are on the Inside or Outside.


    DNS and workstation are both inside - and a "permit ip any any" ACL is
    applied in to the inside interface.
     
    none, Apr 24, 2006
    #3
  4. none

    none Guest

    Re: DNS query to internal DNS server from static NAT host - RESOLVED

    On Sun, 23 Apr 2006 21:04:04 -0400, none wrote:


    > I had my workstation setup on a static NAT address with the following
    > ...
    >
    > static (inside,outside) 1.2.3.4 10.16.61.247 netmask 255.255.255.255
    >
    > and the following ACL applied to the outside interface ...
    >
    > access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 3389
    >
    > under PIX 7.0 software - with this in place my workstation can't do a
    > DNS lookup using an internal DNS server.
    >
    > What do I need to make this work? I have a very similar setup in PIX
    > 6.3 working.
    >
    > TIA


    Found the fix ...

    Needed this instead

    static (inside,outside) tcp 1.2.3.4 3389 10.16.61.247 3389 netmask 255.255.255.255

    Thanks!
     
    none, Apr 24, 2006
    #4
  5. none

    rave Guest

    Re: DNS query to internal DNS server from static NAT host - RESOLVED

    This cannot be the fix. What you are doing here is port redirection;
    earlier you were mapping a one-to-one IP.
    This cannot be the fix, you are missing something here.
     
    rave, Apr 24, 2006
    #5
  6. none

    none Guest

    Re: DNS query to internal DNS server from static NAT host - RESOLVED

    On Mon, 24 Apr 2006 15:52:53 -0700, rave wrote:

    > This cannot be the fix. What you are doing here is port redirection;
    > earlier you were mapping a one-to-one IP. This cannot be the fix, you
    > are missing something here.


    Thanks for making me think harder on why it worked ...

    Yes it resolved my problem but I actually originally misdiagnosed the
    problem, as it looked like a DNS issue because that's the error I got back
    from my browser (stupid Micro$oft browser!) - actually the DNS lookup was
    working - it was the return of the web page to my desktop that was not
    being allowed to come back because the only inbound port open was
    3389.

    PAT is actually what I wanted to do - I'm not sure how I got the original
    statement - I must have been half asleep while doing the configuration
    yesterday.
     
    none, Apr 25, 2006
    #6
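The two points the thread turns on (post #2: binding any ACL inbound on the Inside interface replaces the PIX's higher-to-lower-security default with that ACL's implicit deny, so UDP 53 must be permitted explicitly; posts #4 to #6: a one-to-one static exposes every port of 10.16.61.247 behind 1.2.3.4 and relies entirely on the outside ACL, whereas the static PAT line only ever translates TCP 3389) can be checked in a small model. The following is an added example, not configuration or code from the thread or from Cisco: it models pre-8.3 PIX/ASA ordering for inbound traffic (outside ACL evaluated against the mapped address, then a translation lookup), with the thread's own static and ACL lines plus a deliberately sloppy `permit ip any host 1.2.3.4` ACL for comparison. The scanner source 198.51.100.9 and the outside resolver 203.0.113.53 are made-up documentation addresses.

```python
"""Model of PIX 7.0 interface ACLs plus static NAT / static PAT (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# PIX default security levels: inside 100, outside 0.
SECURITY = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'access-list <name> extended permit|deny <proto> <src> <dst> [eq <port>]' line."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str                    # "any", "host a.b.c.d" or "a.b.c.d/len"
    dst: str
    dport: Optional[int] = None  # the 'eq <port>' qualifier, if present

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip_address(addr) == ip_address(spec[5:])
        return ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return self._addr_match(self.src, p.src) and self._addr_match(self.dst, p.dst)


@dataclass(frozen=True)
class Static:
    """'static (inside,outside) [proto mapped mport] real [rport]'.
    proto is None for a one-to-one static; set for static PAT (port redirection)."""
    mapped: str
    real: str
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def acl_permits(acl: Optional[List[Ace]], p: Packet, ingress: str, egress: str) -> bool:
    """Apply the ACL bound inbound on `ingress`. With no ACL the PIX default applies:
    traffic passes only from a higher- to a lower-security interface. As soon as any
    ACL is bound, that default is gone and the list ends in an implicit deny."""
    if acl is None:
        return SECURITY[ingress] > SECURITY[egress]
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


def untranslate(statics: List[Static], p: Packet) -> Optional[Packet]:
    """Map an inbound packet's mapped destination back to the real host.
    Returns None when no static covers it, in which case the PIX drops it."""
    for s in statics:
        if ip_address(p.dst) != ip_address(s.mapped):
            continue
        if s.proto is None:                                   # one-to-one: every port follows
            return Packet(p.proto, p.src, s.real, p.dport)
        if s.proto == p.proto and s.mapped_port == p.dport:   # static PAT: this port only
            return Packet(p.proto, p.src, s.real, s.real_port)
    return None


def inbound_allowed(statics: List[Static], outside_acl: Optional[List[Ace]], p: Packet) -> bool:
    """Outside -> inside on pre-8.3 code: outside ACL checked against the mapped
    address first, then a translation to the real host must exist."""
    if not acl_permits(outside_acl, p, "outside", "inside"):
        return False
    return untranslate(statics, p) is not None


def reachable_ports(statics, outside_acl, mapped_ip: str, ports, proto: str = "tcp") -> Set[int]:
    """Which of `ports` on the mapped address an outside host can actually reach."""
    return {port for port in ports
            if inbound_allowed(statics, outside_acl, Packet(proto, "198.51.100.9", mapped_ip, port))}


# The thread's two static lines and outside ACL, plus a sloppy ACL for comparison.
ONE_TO_ONE = [Static("1.2.3.4", "10.16.61.247")]
STATIC_PAT = [Static("1.2.3.4", "10.16.61.247", "tcp", 3389, 3389)]
TIGHT_ACL = [Ace("permit", "tcp", "any", "host 1.2.3.4", 3389)]
SLOPPY_ACL = [Ace("permit", "ip", "any", "host 1.2.3.4")]
PORTS = [22, 80, 443, 3389]

if __name__ == "__main__":
    print("one-to-one + tight ACL :", reachable_ports(ONE_TO_ONE, TIGHT_ACL, "1.2.3.4", PORTS))
    print("one-to-one + sloppy ACL:", reachable_ports(ONE_TO_ONE, SLOPPY_ACL, "1.2.3.4", PORTS))
    print("static PAT + sloppy ACL:", reachable_ports(STATIC_PAT, SLOPPY_ACL, "1.2.3.4", PORTS))
    dns = Packet("udp", "10.16.61.247", "203.0.113.53", 53)
    print("outbound DNS, no inside ACL      :", acl_permits(None, dns, "inside", "outside"))
    print("outbound DNS, 'permit tcp any any':",
          acl_permits([Ace("permit", "tcp", "any", "any")], dns, "inside", "outside"))
```

The comparison makes rave's objection concrete: with the one-to-one static the outside ACL is the only thing keeping ports other than 3389 off the Internet, while the static PAT line limits exposure at the translation layer as well, so a later ACL mistake still leaves only TCP 3389 reachable.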
