Determining the egress interface, Dns and nat, Transparent mode routing requirements for remote – Cisco ASA 5505 User Manual



29-24

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 29 Information About NAT

DNS and NAT

Transparent Mode Routing Requirements for Remote Networks

If the ASA performs NAT for a host that is not on the directly-connected network, then you need to
configure a static route on the ASA for that network. You also need to have a static route for embedded
IP addresses that are at least one hop away from the ASA (such as in VoIP or DNS traffic) when you
have inspection and NAT enabled.

Determining the Egress Interface

In transparent mode, the ASA determines the egress interface for a NAT packet by using the NAT
configuration; you must specify the source and destination interfaces as part of the NAT configuration.

In routed mode, the ASA determines the egress interface for a NAT packet in the following way:

• If you specify an optional interface, the ASA uses the NAT configuration to determine the egress interface.
  – 8.3(1) through 8.4(1): the only exception is identity NAT, which always uses a route lookup, regardless of the NAT configuration.
  – 8.4(2) and later: for identity NAT, the default behavior is to use the NAT configuration, but you have the option to always use a route lookup instead.

• If you do not specify a specific interface, the ASA uses a route lookup to determine the egress interface.
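The egress-interface cases above, written out as an added example (this is not configuration from the guide; the object names, interface names and addresses are my own, and the syntax is the 8.3(1)-and-later object NAT and twice NAT form):

```cisco
! Case 1: interfaces specified. Translated traffic from 10.1.3.14 egresses on
! "outside" because the NAT rule says so, not because of the routing table.
object network ftp-server
 host 10.1.3.14
 nat (inside,outside) static 209.165.201.10
!
! Case 2: no specific interface. (any,any) is the same as omitting the
! parentheses; the ASA picks the egress interface by route lookup on the
! destination address.
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (any,any) dynamic 209.165.201.20
!
! Case 3: identity NAT (real == mapped) with interfaces specified.
! In 8.4(2) and later the egress defaults to the NAT configuration ("outside");
! "route-lookup" makes this rule use the routing table instead, which is the
! behavior 8.3(1) through 8.4(1) applied to identity NAT unconditionally.
object network vpn-clients
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static inside-net inside-net destination static vpn-clients vpn-clients route-lookup
!
! Check which interface a rule actually resolves to:
!   show nat detail
!   show route
```

The practical failure mode is an identity NAT rule on a multi-interface ASA whose destination is reachable only through an interface other than the one named in the rule; on 8.4(2) and later the packet follows the NAT rule and is sent out the wrong interface unless `route-lookup` is present, whereas on 8.3(1) through 8.4(1) the same rule would have followed the route.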

DNS and NAT

You might need to configure the ASA to modify DNS replies by replacing the address in the reply with
an address that matches the NAT configuration. You can configure DNS modification when you
configure each translation rule.

This feature rewrites the A record, or address record, in DNS replies that match a NAT rule. For DNS
replies traversing from a mapped interface to any other interface, the A record is rewritten from the
mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped
interface, the A record is rewritten from the real value to the mapped value.

Note

If you configure a twice NAT rule, you cannot configure DNS modification if you specify the source
address as well as the destination address. These kinds of rules can potentially have a different
translation for a single address when going to A vs. B. Therefore, the ASA cannot accurately match the
IP address inside the DNS reply to the correct twice NAT rule; the DNS reply does not contain
information about which source/destination address combination was in the packet that prompted the
DNS request.
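The DNS reply modification described above, as an added example for the Figure 29-22 scenario (the object name and the verification commands are my own; this is not configuration taken from the guide, and it assumes 8.3(1)-or-later object NAT syntax):

```cisco
! Real server 10.1.3.14 on inside is reachable from outside as 209.165.201.10.
! The "dns" keyword enables A-record rewriting for replies matching this rule:
!   reply arriving on outside (the mapped interface) toward inside:
!     209.165.201.10 in the answer becomes 10.1.3.14
!   reply arriving on inside toward outside (the mapped interface):
!     10.1.3.14 in the answer becomes 209.165.201.10
object network ftp-server
 host 10.1.3.14
 nat (inside,outside) static 209.165.201.10 dns
!
! Rewriting only happens on DNS traffic that DNS application inspection sees.
! The default global policy inspects DNS; confirm it is applied before
! troubleshooting the NAT rule:
!   show service-policy inspect dns
! Confirm the rule and its translation:
!   show nat detail
!   show xlate
```

Two caveats a practitioner should check. First, if the ASA does not inspect the DNS reply (inspection removed from the policy, or the reply carried over a non-standard port that the policy does not match), no rewrite occurs and inside clients receive the mapped address. Second, per the Note above, if the same server needed a different translation depending on destination (a twice NAT rule specifying both source and destination), the `dns` keyword is not available for that rule, because the reply carries no information about which source/destination pair prompted the query.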

Figure 29-22 shows a DNS server that is accessible from the outside interface. A server, ftp.cisco.com,
is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address
(10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. In this case, you
want to enable DNS reply modification on this static rule so that inside users who have access to
ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped
address. When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server
replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server
