Cisco ASA DNS doctoring/Guest wireless with external DNS

Recently, I set up a guest wireless network that uses external DNS. Clients could browse the Internet fine; however, they could not reach my company's website. The cause was that the external DNS server returned the public IP address of the website, while the guest client is technically an internal client on the network, so hairpinned traffic to that public address never got through. I could have edited the hosts file on each client and it would have worked, but that was not a real solution. I then came across the website below, which introduced me to DNS doctoring.

http://www.hackandtinker.net/2013/08/22/guest-wireless-access-with-external-dns-while-maintaining-access-to-the-local-dmz/

By default, the Cisco ASA does not allow a packet to leave on the same interface it arrived on. DNS doctoring lets the ASA rewrite DNS A-records: it intercepts the reply coming back from the outside DNS server and replaces the public address with the private IP that the guest client can actually reach. Cisco states that DNS inspection must be enabled for DNS doctoring to work on the ASA.

For this to work, open the NAT rule that translates the web server's address in ASDM, edit it, and click the Advanced button. In the Advanced NAT Settings dialog, tick 'Translate DNS replies for rule.' You should now be able to browse to your company website from the guest wireless network, even though it is configured for external DNS.
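The same change expressed on the ASA command line, as an added example rather than the configuration from the original post. Everything in it is assumed: the interface names `dmz` and `outside`, the web server's private address 10.10.10.50, its public (mapped) address 203.0.113.10, and the object name `WEB-SERVER`. The ASDM checkbox 'Translate DNS replies for rule' corresponds to the `dns` keyword on the static NAT statement; the DNS inspection the text says is required is the `inspect dns` line in the global policy, which is present on a default ASA configuration but is worth confirming.

```cisco
! Static NAT for the web server with DNS rewrite enabled (ASA 8.3+ object NAT).
! Addresses and names below are placeholders for this example.
object network WEB-SERVER
 host 10.10.10.50
 nat (dmz,outside) static 203.0.113.10 dns
!
! DNS inspection must be on for the ASA to look inside the reply and
! swap the A-record 203.0.113.10 for 10.10.10.50 as it heads to the guest client.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! Checks: the NAT rule should show the dns flag, and the DNS inspection
! counters should increase as guest clients resolve the company website.
show running-config nat
show service-policy inspect dns
```

If the reply still carries the public address after this, the usual cause is that the guest client's query never crosses the interface pair named in the NAT rule; check which interfaces the DNS reply actually traverses before changing anything else.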
