Re: [OT] - ASA 8.3+ Twice NAT w/DNS doctoring vs ASA 8.2 Policy

my initial thought after reading is to have separate dns server either at
the original site or before the traffic is passed on to the new addresses.
i don't know if it would work.

On Thu, May 10, 2012 at 11:38 AM, Joseph L. Brunner <joe_at_affirmedsystems.com
> wrote:

> Can anyone think of way to get around this limitation?
>
> A local dns server at the original site? With different dns records?
>
> I have never used the dns stuff on the asa - too risky..
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Ryan West
> Sent: Thursday, May 10, 2012 10:21 AM
> To: CCIE Lab (ccielab_at_groupstudy.com)
> Subject: [OT] - ASA 8.3+ Twice NAT w/DNS doctoring vs ASA 8.2 Policy
>
> I have a working scenario in 8.2 that I'm trying to verify into the 8.3+
> realm. Why did they change NAT again... if it was to beautify ASDM, why not
> change the way ASDM displays the NAT. Anyhow, back to the original issue.
>
> Customer A has been acquired and is now being split into different BU's.
> Their previous RFC1918 space is not permitted in the new environment and
> they will need to renumber. However, their production environment would
> require a huge overhaul, so we're stuck trying to support access to those
> devices through name resolution using their new permitted internal space
> and managing multiple DNS shifted copies of the domain is not a scalable
> option. So my initial thought was a DNS rewrite and attaching that to a
> policy NAT, while configuring a conditional forwarder. This works and is
> deterministic.
>
> Original range: 192.168.10.0/24
> New Allocated range: 10.130.10.0/24
>
> User1.domain1.com -> 192.168.10.50 needs to translate to 10.130.10.50 for
> both site to site traffic and name resolution
>
>
> Access-list policy-nat-domain1 permit ip 192.168.10.0 255.255.255.0
> 10.130.130.0 255.255.255.0
> static (inside,outside) 10.130.10.0 access-list policy-nat-domain1 dns
>
> I query remotely, pick up the new range, and traverse the tunnel. Now
> onto 8.4. From the 8.4 configuration guide:
>
> DNS-(Optional; for a source-only rule) The dns keyword translates DNS
> replies.
> Be sure DNS inspection is enabled (it is enabled by default). You cannot
> configure the dns keyword if you configure a destination address. See the
> "DNS and NAT" section for more information. [1]
>
> nat (inside,outside) source static obj-192.168.10.0 obj-10.130.10.0 ?
>
> configure mode commands/options:
> description Specify NAT rule description
> destination Destination NAT parameters
> dns Use the created xlate to rewrite DNS record
> inactive Disable a NAT rule
> no-proxy-arp Disable proxy ARP on egress interface
> route-lookup Perform route lookup for this rule
> service NAT service parameters
> unidirectional Enable per-session NAT
>
> nat (inside,outside) source static obj-192.168.10.0 obj-10.130.10.0
> destination static obj-10.130.130.0 obj-10.130.130.0 ?
>
> configure mode commands/options:
> description Specify NAT rule description
> inactive Disable a NAT rule
> no-proxy-arp Disable proxy ARP on egress interface
> route-lookup Perform route lookup for this rule
> service NAT service parameters
> unidirectional Enable per-session NAT
>
> So, it's been removed to help me with this note:
>
> If you configure a twice NAT rule, you cannot configure DNS modification
> if you specify the source address as well as the destination address. These
> kinds of rules can potentially have a different translation for a single
> address when going to A vs. B. Therefore, the ASA cannot accurately match
> the IP address inside the DNS reply to the correct twice NAT rule; the DNS
> reply does not contain information about which source/destination address
> combination was in the packet that prompted the DNS request. [2]
>
> Can anyone think of way to get around this limitation?
>
> This Polish guy thinks it's no good either, but no one responded to him :)
>
> http://ccie.pl/viewtopic.php?t=14690
>
> Thanks!
>
> -ryan
>
> [1]
>
> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_ru
> les.html#wp1416253
> [2]
>
> http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_ov
> erview.html#wp1090556
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Thu May 10 2012 - 13:01:44 ART