NAT Overview
DNS and NAT
You might need to configure the FWSM to modify DNS replies by replacing the address in the reply with an address that matches the NAT configuration. You can configure DNS modification when you configure each translation.

For example, a DNS server is accessible from the outside interface. A server, ftp.example.com, is on the inside interface. You configure the FWSM to statically translate the ftp.example.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. (See Figure 16-12.) In this case, you want to enable DNS reply modification on this static statement so that inside users who have access to ftp.example.com using the real address receive the real address from the DNS server, and not the mapped address.

When an inside host sends a DNS request for the address of ftp.example.com, the DNS server replies with the mapped address (209.165.201.10). The FWSM refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.example.com directly.

Note
A route needs to exist for the real IP address embedded in the DNS query response or the FWSM will not NAT it. The necessary route can be learned via static routing or by any other routing protocol, such as RIP or OSPF.

a static route to the mapped addresses that are destined to the mapped interface IP, and then redistribute this static route in OSPF. If the mapped interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the mapped addresses to the FWSM.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 16
Configuring NAT
16-16
OL-20748-01
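The following Python script is an added illustration of the DNS reply modification described above; it is not code from the Cisco guide. It constructs a DNS response for ftp.example.com that carries the mapped address 209.165.201.10, then models an FWSM that rewrites the answer to the real address 10.1.3.14 for an inside host only when the static translation has DNS rewrite enabled and a route exists for the real address, as the Note requires. The `StaticNat` and `Fwsm` classes, the routing table and the packet bytes are all constructed for this example.

```python
"""Model of FWSM DNS reply modification for a static translation (added example;
not the guide's own code). The StaticNat/Fwsm classes, routing table and DNS
packet bytes are constructed to illustrate the behaviour the guide describes."""
import ipaddress
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticNat:
    """One static translation; `dns` is the per-translation DNS rewrite option."""
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    mapped_ip: str
    dns: bool = False

def encode_name(name):
    """Encode a DNS name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def build_a_reply(qname, addrs, txid=0x1234):
    """Constructed DNS response: one question, one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        # NAME = pointer to the question name at offset 12; TTL 300; RDLENGTH 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(a).packed
    return header + question + answers

def a_records(pkt):
    """Return [(rdata_offset, address)] for every A answer in a DNS reply."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # skip QTYPE/QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.append((off, str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))))
        off += rdlen
    return found

@dataclass
class Fwsm:
    statics: list  # configured static translations
    routes: dict   # constructed routing table: prefix -> egress interface

    def route_for(self, ip):
        """Longest-prefix match; None when no route covers the address."""
        addr = ipaddress.ip_address(ip)
        best = None
        for prefix, ifc in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best[1] if best else None

    def rewrite_dns_reply(self, reply, to_ifc):
        """Rewrite mapped->real in the A answers of a reply leaving via to_ifc.
        Applies only when a DNS-enabled static matches, the reply is headed to the
        static's real interface, and a route exists for the real address (the Note)."""
        pkt = bytearray(reply)
        changed = []
        for off, ip in a_records(reply):
            for s in self.statics:
                if not (s.dns and ip == s.mapped_ip and to_ifc == s.real_ifc):
                    continue
                if self.route_for(s.real_ip) is None:
                    break  # no route for the real address: leave the answer alone
                pkt[off:off + 4] = ipaddress.IPv4Address(s.real_ip).packed
                changed.append((ip, s.real_ip))
                break
        return bytes(pkt), changed

def demo():
    """The guide's scenario: an inside host resolves ftp.example.com via outside DNS."""
    fw = Fwsm(
        statics=[StaticNat("inside", "outside", "10.1.3.14", "209.165.201.10", dns=True)],
        routes={"10.1.3.0/24": "inside", "0.0.0.0/0": "outside"},
    )
    reply = build_a_reply("ftp.example.com", ["209.165.201.10"])
    rewritten, changed = fw.rewrite_dns_reply(reply, to_ifc="inside")
    return [ip for _, ip in a_records(rewritten)], changed
```

Running `demo()` returns the rewritten answer list `['10.1.3.14']` together with the change record. Removing `dns=True` from the static, emptying the routing table, or sending the same reply toward the outside interface all leave the packet untouched, which is the behaviour to check for when an inside host keeps trying to reach the mapped address.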