RE: Cisco ASA Static and IOS NAT

From: Marcin Zgola <MZgola_at_netrixllc.com>
Date: Sat, 4 Dec 2010 20:53:03 +0000

Thanks guys

Tyson Scott <tscott_at_ipexpert.com> wrote:

But one very important note. The DNS server must also be a NAT'ed address.
If you communicate to the real address of the DNS server thru the IOS NAT
the A Record will not be translated. If the DNS server address is also
NAT'ed then the A record will be checked against the NAT table and
translated if necessary.

Cat3(config)#do p r8.ipexpert.com

Translating "r8.ipexpert.com"...domain server (74.126.20.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
Cat3(config)#do p r7.ipexpert.com

Translating "r7.ipexpert.com"...domain server (74.126.20.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
..
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Cat3(config)#no ip name-server 74.126.20.8
Cat3(config)#ip name-server 74.126.20.18
Cat3(config)#do p r8.ipexpert.com

Translating "r8.ipexpert.com"...domain server (74.126.20.18) [OK]

Translating "r8.ipexpert.com"...domain server (74.126.20.18) [OK]

Translating "r8.ipexpert.com"...domain server (74.126.20.18) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.126.20.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
Cat3(config)#do p r7.ipexpert.com

Translating "r7.ipexpert.com"...domain server (74.126.20.18) [OK]

Translating "r7.ipexpert.com"...domain server (74.126.20.18) [OK]

Translating "r7.ipexpert.com"...domain server (74.126.20.18) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.126.20.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Cat3(config)#

BR2(config)#do srs ip nat
 ip nat inside
 ip nat outside
ip nat inside source static 7.7.7.7 74.126.20.17
ip nat inside source static 8.8.8.8 74.126.20.18
BR2(config)#

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Piotr Matusiak
Sent: Saturday, December 04, 2010 9:34 AM
To: Marcin Zgola
Cc: ccielab_at_groupstudy.com
Subject: Re: Cisco ASA Static and IOS NAT

It happens by default for static NAT. For instance, this feature is used in
overlapping networks scenario.

HTH, 

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2010/12/4 Marcin Zgola <MZgola_at_netrixllc.com>
> To avoid DNS problems on asa where external DNS lookup is required and a
> host is located locally we can use "dns" with static on ASA/
> Example:
>
> static (inside,outsde) 1.1.1.1 2.2.2.2 netmask 255.255.255.255 dns
>
> question, is there a "dns" functionality on IOS when doing ip nat?
>
>
>
> Marcin Zgola
> Internetwork Lead
> CCIE #18676
> Netrix, LLC
> http://www.netrixllc.com
> Ph. 847-964-5300
> Fax.: 847-964-5350
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Sat Dec 04 2010 - 20:53:03 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART