DNS query to internal DNS server from static NAT host

Discussion in 'Cisco' started by none, Apr 24, 2006.

  1. none

    none Guest

    I had my workstation setup on a static NAT address with the following ...

    static (inside,outside) 1.2.3.4 10.16.61.247 netmask 255.255.255.255

    and the following ACL applied to the outside interface ...

    access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 3389

    under PIX 7.0 software - with this in place my workstation can't do a
    DNS lookup using an internal DNS server.

    What do I need to make this work? I have a very similar setup in PIX 6.3
    working.

    TIA
     
    none, Apr 24, 2006
    #1

  2. none

    info Guest

    You weren't very clear here as to whether your workstation and DNS
    server are on the Inside or Outside.
    Also note that although there is an explicit PERMIT from a higher
    security interface (Inside) to lower security (Outside), if you have
    any ACL applied inbound on the Inside then that explicit PERMIT is
    gone. You have to allow the DNS (UDP 53) in your ACL.
    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/intparam.htm#wp1043290

    Steve Griffin
    www.blueconsole.com (Bluetooth Wireless Console Cable)
     
    info, Apr 24, 2006
    #2

  3. none

    none Guest

    DNS and workstation are both inside - and a "permit ip any any" ACL is
    applied in to the inside interface.
     
    none, Apr 24, 2006
    #3
  4. none

    none Guest

    Found the fix ...

    Needed this instead

    static (inside,outside) tcp 1.2.3.4 3389 10.16.61.247 3389 netmask 255.255.255.255

    Thanks!
     
    none, Apr 24, 2006
    #4
  5. none

    rave Guest

    This cannot be the fix. What you are doing here is port redirection;
    earlier you were mapping a one-to-one IP.
    This cannot be the fix, you are missing something here.
     
    rave, Apr 24, 2006
    #5
  6. none

    none Guest

    Thanks for making me think harder on why it worked ...

    Yes it resolved my problem but I actually originally misdiagnosed the
    problem, as it looked like a DNS issue because that's the error I got back
    from my browser (stupid Micro$oft browser!) - actually the DNS lookup was
    working - it was the return of the web page to my desktop that was not
    being allowed to come back because the only inbound port open was
    3389.

    PAT is actually what I wanted to do - I'm not sure how I got the original
    statement - I must have been half asleep while doing the configuration
    yesterday.
     
    none, Apr 25, 2006
    #6
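    Putting the two points from this thread together (the explicit UDP 53 permit from #2 once an ACL sits inbound on the inside interface, and the static PAT from #4 that exposes only TCP 3389 rather than the whole host), here is an added PIX 7.0 configuration fragment; it is not from any poster, and the internal DNS server address 10.16.61.10 is an assumed placeholder, as are the www/https permits.

```cisco
! Added example, not from the thread. 1.2.3.4 and 10.16.61.247 are the
! addresses used in the thread; 10.16.61.10 is an assumed DNS server address.
!
! As soon as an access-list is applied inbound on the inside interface, the
! implicit higher-to-lower (Inside -> Outside) permit no longer applies, so
! outbound DNS to the internal server must be listed explicitly, along with
! whatever else the inside hosts are meant to reach.
access-list inside_access_in extended permit udp any host 10.16.61.10 eq domain
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-group inside_access_in in interface inside
!
! Static PAT: only TCP 3389 of the workstation is reachable on the outside
! address, rather than every port of the host as with a one-to-one static.
static (inside,outside) tcp 1.2.3.4 3389 10.16.61.247 3389 netmask 255.255.255.255
!
! The outside ACL still has to permit the translated address and port;
! everything else towards 1.2.3.4 is denied by the ACL's implicit deny.
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 3389
access-group outside_access_in in interface outside
```

    With the inside ACL in place, a missing `permit udp ... eq domain` line shows up as failed name resolution from the workstation, which is the symptom the original post described.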
