I just bought an ASA 5505 that my data center is setting up for me. They have told me that setting the ASA to routed mode with NAT will break the Web/DNS server on the inside network.
For example: WAN IP address 66.xxx.47.x, translated to LAN IP address 192.168.0.1 on the inside network, will not provide the WAN IP to the inside Web/DNS server, which apparently will break DNS -- of course the DC provides no other details.
Are most people providing web services behind an ASA set in Transparent mode? It looks like transparent mode has some drawbacks, not terminating VPN traffic being one of them.
Routed/NAT seems like the most secure/versatile option, but maybe I'm not seeing the benefits of transparent mode; on the surface it seems like a quick & dirty way to get up & running, hopefully it's more than that.
Feedback appreciated; I have to make the call on this soon.
ASA static entries let you use a "dns" manipulator which will rewrite the DNS response on the fly. If they are saying this is not possible they do not know what they are doing with the ASA.
A typical static entry looks like this:
If they program it through ASDM, it'll typically throw in the dns part. This alters DNS replies coming from the outside. This is NOT what you want:
static (inside,outside) 66.1.47.1 192.168.0.2 netmask 255.255.255.255 dns
Get rid of that "dns" keyword and you should be fine.
Transparent mode is pretty nice, but it removes a bunch of features from the ASA. Go with routed mode unless you have a reason to do otherwise.
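An added configuration example (not from this thread or from Cisco) showing the static translation with and without the "dns" keyword, plus the inbound access list the Web/DNS server needs. It reuses the 66.1.47.1 / 192.168.0.2 pair from the answer above and pre-8.3 ASA syntax; the object-NAT form for 8.3 and later is shown for comparison. Interface names, the ACL name, the object name and the 192.168.0.0/24 LAN are assumptions.

```cisco
! Added example, not the thread's own config. Pre-8.3 ASA syntax.
! Interface names, ACL name and the inside subnet are assumptions.

! Outbound PAT for the rest of the inside LAN (assumed 192.168.0.0/24).
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface

! Static 1:1 translation for the Web/DNS server. Without the "dns" keyword
! the ASA leaves DNS payloads alone: the inside server's own answers pass
! through unchanged, which is what you want when the server does split-horizon.
static (inside,outside) 66.1.47.1 192.168.0.2 netmask 255.255.255.255

! The ASDM-generated variant. "dns" turns on DNS doctoring: A records in DNS
! replies that cross this translation are rewritten between 66.1.47.1 and
! 192.168.0.2 (needs "inspect dns" in the global policy, which is on by
! default). Use one form or the other, not both.
! static (inside,outside) 66.1.47.1 192.168.0.2 netmask 255.255.255.255 dns

! Pre-8.3 ACLs reference the translated (outside) address. Permit only the
! ports the server serves; TCP/53 is needed for replies too large for UDP.
access-list outside_in extended permit tcp any host 66.1.47.1 eq www
access-list outside_in extended permit udp any host 66.1.47.1 eq domain
access-list outside_in extended permit tcp any host 66.1.47.1 eq domain
access-group outside_in in interface outside

! Same translation on ASA 8.3 and later (object NAT; ACLs then reference the
! real address 192.168.0.2 instead of 66.1.47.1). Object name is assumed.
! object network web-dns-server
!  host 192.168.0.2
!  nat (inside,outside) static 66.1.47.1
```

After applying it, `show xlate` should list the 192.168.0.2 to 66.1.47.1 entry, and `packet-tracer input outside tcp 203.0.113.5 1234 66.1.47.1 80` (203.0.113.5 is a constructed test source) should end with ALLOW and show the NAT phase mapping the packet to 192.168.0.2.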
It depends on what kind of DNS setup you have.
We have our DNS servers and web servers behind an ASA 5510 using NAT.
On the DNS server (BIND), we provide different information depending on which IP address the request comes from. This is Split-horizon DNS.
If the request comes from inside, we reply with an internal IP.
If the request comes from outside, we reply with an external IP.
For example, if the request comes from a normal outside host, we reply with the 66.xxx.47.x IP of the webserver. However, if an internal host requests the IP, we reply with the 192.168.0.x IP of the webserver.
Basically, it's completely possible to put your DNS and web servers behind an ASA using NAT, as long as you configure your DNS server properly.
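The split-horizon setup described above, written out as BIND 9 views. This is an added example, not the poster's own configuration: the zone name example.com, the file paths, the 192.168.0.0/24 inside LAN and the serial numbers are assumptions, and the 66.1.47.1 / 192.168.0.2 pair is taken from the earlier answer.

```conf
// named.conf fragment (BIND 9). Added example; zone name, paths and
// addresses beyond those in the thread are assumptions.

acl "internal" { 192.168.0.0/24; 127.0.0.1; };

// Views are matched top to bottom, so the internal view must come first;
// otherwise "any" in the external view would catch inside clients as well.
view "internal" {
    match-clients { "internal"; };
    recursion yes;              // inside hosts may use this server as a resolver
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;               // authoritative only: do not be an open resolver
    allow-transfer { none; };   // no zone transfers to the outside
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

// /etc/bind/db.example.com.internal -- what inside hosts get back
// $TTL 3600
// @    IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 300 )
//      IN NS  ns1.example.com.
// ns1  IN A   192.168.0.2
// www  IN A   192.168.0.2

// /etc/bind/db.example.com.external -- what the Internet gets back
// $TTL 3600
// @    IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 300 )
//      IN NS  ns1.example.com.
// ns1  IN A   66.1.47.1
// www  IN A   66.1.47.1
```

To check it, run `dig @192.168.0.2 www.example.com A` from an inside host (expect 192.168.0.2) and `dig @66.1.47.1 www.example.com A` from outside (expect 66.1.47.1). The registrar's delegation and glue for the zone must point at the public 66.1.47.1, never at the private address. With the views in place the ASA translation needs no "dns" keyword, because the server itself hands out the right address on each side.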