Very creative use of secondary addresses! :)

Regards,
------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
------------------------------------

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Andrew Yourtchenko
Sent: Friday, July 17, 2009 2:28 PM
To: Clue Store
Cc: [email protected]
Subject: Re: [c-nsp] ASA Static Translations / DNS Doctoring

On Fri, 17 Jul 2009, Clue Store wrote:

> Hi All,
>
> I'm trying to do DNS doctoring on an ASA and for specific reasons I need to
> map several different (public) outside IPs to the one inside IP as shown
> below.
>
> static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns
> static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255 dns

With "static (inside,outside) AddrPublic AddrPrivate netmask 255.255.255.255 dns" in the config, you're saying:

1) when anyone tries to talk to AddrPublic from the outside, they will get to AddrPrivate on the inside

2) when AddrPrivate tries to talk to anyone on the outside, it will be seen there as AddrPublic

3) the DNS response containing AddrPrivate or AddrPublic, depending on where it is arriving, will have this address translated accordingly. (So the DNS server on the outside replying AddrPublic to someone on the inside will have this translated to AddrPrivate; and an inside DNS server which replies AddrPrivate to the outside will have it translated to AddrPublic.)

(3) is what the "dns" keyword turns on when it is present.

The symmetry of the behaviour prevents the 'many to one' behaviour that you are looking for, because then it would encounter a conflict or unpredictability when going outbound.

The simplest way around is to grab a few secondary RFC 1918 addresses and assign them to the host and do the mapping between those and the public addresses. For your /27 case, having 30 secondaries does not look terribly exciting, but assuming the host can survive that, it should do the trick.
cheers,
andrew
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
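The workaround Andrew describes, written out as an added example (this is not configuration from the original thread): give the host one secondary RFC 1918 address per public address, then create a one-to-one static with the dns keyword for each pair, so that neither the address translation nor the DNS rewrite is ever ambiguous. The secondary addresses 192.168.100.11 and 192.168.100.12, the third public address 208.x.x.27 and the Linux interface name eth0 are assumptions; the 208.x.x.25/.26 placeholders are kept as they appear in the thread.

```text
! ASA side, pre-8.3 "static" syntax as used in the thread.
! Every mapping is one public address to one private address, so the
! inbound translation, the outbound translation and the DNS doctoring
! rewrite each have exactly one answer.
! 192.168.100.11 and .12 are assumed secondary addresses on the same host.
static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns
static (inside,outside) 208.x.x.26 192.168.100.11 netmask 255.255.255.255 dns
static (inside,outside) 208.x.x.27 192.168.100.12 netmask 255.255.255.255 dns
!
! Check that the static translations are installed on the ASA:
! show xlate
!
! Host side (Linux, iproute2; interface name eth0 is assumed).
! The secondaries sit on the same interface and subnet as the primary:
# ip addr add 192.168.100.11/24 dev eth0
# ip addr add 192.168.100.12/24 dev eth0
```

Two things to keep in mind when applying this. First, point (2) above still holds per mapping: connections the host initiates itself will normally be sourced from its primary address (192.168.100.10 here) and so appear on the outside only as 208.x.x.25, unless the application binds to a secondary explicitly; the extra mappings buy you inbound reachability and correct DNS rewriting for each public name, not multiple outbound identities. Second, each public name must resolve to its own public address on the outside DNS server, and the inside server (if any) must answer with the matching secondary, otherwise the dns keyword has nothing consistent to rewrite.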
