Hi Andrew,

Thanks for the reply. I understand the static function, which was why I was asking if there was a way to do DNS doctoring via another method instead of the static command. I take it that the answer is no. I also have the option of mapping all domains to one public, but this is at the administrator's request that it be done like this, so I do not have many options.

Anyways, I think your idea of using some secondary addresses might be my easiest path. I just have to make sure I have enough on the inside to pull it off.

Thanks,
Clue

On Fri, Jul 17, 2009 at 1:27 PM, Andrew Yourtchenko wrote:

> On Fri, 17 Jul 2009, Clue Store wrote:
>
>> Hi All,
>>
>> I'm trying to do DNS doctoring on an asa and for specific reasons I need to
>> map several different (public) outside IP's to the one inside ip as shown
>> below.
>>
>> static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns
>> static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255 dns
>
> With "static (inside,outside) AddrPublic AddrPrivate netmask
> 255.255.255.255 dns" in the config,
>
> you're saying:
>
> 1) when anyone tries to talk to AddrPublic from the outside, they will get
>    to AddrPrivate on the inside
> 2) when AddrPrivate tries to talk to anyone on the outside, it will be seen
>    there as AddrPublic
> 3) the DNS response containing AddrPrivate or AddrPublic, depending on
>    where it is arriving, will have this address translated accordingly. (so the
>    DNS server on the outside replying AddrPublic to someone on inside, will
>    have this translated to AddrPrivate; and inside DNS server which replies the
>    AddrPrivate to the outside, will have it translated to AddrPublic.)
>
> The (3) is what the "dns" keyword turns on when it is present.
>
> The symmetry of the behaviour prevents having 'many to one' behaviour that
> you are looking for - because then it would encounter the conflict or
> unpredictability when going outbound.
>
> The simplest way around is to grab a few secondary rfc1918 addresses and
> assign them to the host and do the mapping between those and the public
> addresses.
>
> For your /27 case, having 30 secondaries does not look terribly exciting,
> but assuming the host can survive that, it should do the trick.
>
> cheers,
> andrew
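The symmetry argument in the thread above can be checked mechanically. The following is an added example, not code from either poster or from Cisco: a simplified Python model of the three behaviours Andrew lists, which flags any private address claimed by more than one public address. The public addresses stay elided as in the thread, and 192.168.100.11 is a hypothetical secondary address assumed to be assigned to the inside host.

```python
import re
from collections import defaultdict

# Constructed configs: the first is the one from the thread, the second uses
# 192.168.100.11 as a hypothetical secondary address on the inside host.
MANY_TO_ONE = """\
static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns
static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255 dns
"""
WITH_SECONDARIES = """\
static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns
static (inside,outside) 208.x.x.26 192.168.100.11 netmask 255.255.255.255 dns
"""
STATIC_RE = re.compile(
    r"^static \(\w+,\w+\) (\S+) (\S+) netmask 255\.255\.255\.255( dns)?$")

def parse_statics(config):
    """Return (public, private, dns_flag) for each host static in the text."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2), bool(m.group(3))))
    return rules

def outbound_conflicts(rules):
    """Private addresses that more than one public address maps to."""
    by_private = defaultdict(list)
    for public, private, _ in rules:
        by_private[private].append(public)
    return {priv: pubs for priv, pubs in by_private.items() if len(pubs) > 1}

def doctor_a_record(rules, address, arriving_on):
    """Model of point (3): rewrite an A-record address in a DNS reply."""
    conflicts = outbound_conflicts(rules)
    for public, private, dns in rules:
        if not dns:
            continue  # only statics with the dns keyword rewrite DNS replies
        if arriving_on == "outside" and address == public:
            return private
        if arriving_on == "inside" and address == private:
            if private in conflicts:
                raise ValueError(f"{private} has several public mappings")
            return public
    return address
```

Running `outbound_conflicts(parse_statics(...))` over a candidate set of statics before applying it shows which inside addresses still need their own secondary.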
