Dns And Nat - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Hide thumbs Also See for PIX 500 Series:

Table of Contents

Configuring NAT

DNS and NAT

You might need to configure the security appliance to modify DNS replies by replacing the address in

the reply with an address that matches the NAT configuration. You can configure DNS modification

when you configure each translation.

For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the

inside interface. You configure the security appliance to statically translate the ftp.cisco.com real address

(10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network (see

inside users who have access to ftp.cisco.com using the real address receive the real address from the

DNS server, and not the mapped address.

When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with

the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside

server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply

modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing

ftp.cisco.com directly.

Figure 17-12

DNS Reply Modification

209.165.201.10

See the following command for this example:

hostname(config)# static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255

17-12). In this case, you want to enable DNS reply modification on this static statement so that

DNS Reply Modification

ftp.cisco.com?

209.165.201.10

ftp.cisco.com

Static Translation

on Outside to:

209.165.201.10

Cisco Security Appliance Command Line Configuration Guide

NAT Overview

Asa 5500 series