Lessons learnt: ASA 8.4 and NAT rules

DNS doctoring via NAT policies

DNS doctoring is an ASA feature in which a client's DNS request for a particular website, say http://www.example.com, is inspected by the ASA, and the ASA then controls which IP is returned to the client (in essence the ASA acts as a DNS proxy, rewriting the A record in the reply). This is useful in situations such as letting internal clients reach an internal server directly via its private IP, rather than implementing a NAT loopback policy. When configuring DNS doctoring, ensure that:

1. A DNS inspection policy exists and is applied to the appropriate interface
2. The NAT policy is static and contains only source objects, for example:

original src = http://www.bluecoat.com
translated src = privateSite

The above will change DNS responses for http://www.bluecoat.com to the privateSite address. Note that both are inserted into the source fields of the NAT entry; the destination fields should be left as "any".


NAT over VPN site-to-site

When using NAT together with site-to-site VPN tunnels in v8.4, do not configure any overlapping rules, as they will conflict and the expected translation will not happen. NAT over VPN tunnels is useful when you need to hide your internal IP addressing scheme from the other side for some reason (e.g. access lists or overlapping IPs). For example, having the following:

1. ORIG SRC: David_PC, ORIG DST: remote_VPN, TRANSLATED SRC: David_PC_Hidden, TRANSLATED DST: original
2. ORIG SRC: any, ORIG DST: remote_VPN, do not NAT, and vice versa

The above WILL NOT WORK: no NAT takes place, even though the more specific rule is above the more generic rule. For the above to work, the second NAT rule must itself be more specific, for example:

2. ORIG SRC: internal_lan_subnet, ORIG DST: remote_VPN, do not NAT, and vice versa
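
As an added worked example (not from the original post), the CLI form of both rule sets above: the DNS-doctoring static NAT with DNS inspection, and the two-rule twice NAT over the VPN tunnel in the order the post arrives at. Object names come from the post where it gives them; publicSite, the interface names and all addresses are assumptions (documentation ranges), with the private server on the inside and the tunnel terminating on the outside interface.

```cisco
! Objects: addresses are assumed (documentation ranges); names follow the post where it gives them
object network privateSite
 host 10.1.1.10
object network publicSite
 host 203.0.113.10
object network David_PC
 host 10.1.1.50
object network David_PC_Hidden
 host 172.16.1.50
object network internal_lan_subnet
 subnet 10.1.1.0 255.255.255.0
object network remote_VPN
 subnet 10.2.2.0 255.255.255.0
!
! 1) DNS doctoring: static twice NAT with source objects only, destination left as "any",
!    plus the dns keyword (the ASA rejects dns when a destination translation is present).
!    CLI order is real (private) first, mapped (public) second.
nat (inside,outside) source static privateSite publicSite dns
!
! DNS inspection must be active on the policy that sees the client's DNS traffic;
! these are the ASA's default global policy names
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! 2) NAT over the site-to-site tunnel: the host-specific hide rule at line 1, then the
!    identity (no-NAT) exemption at line 2 scoped to the LAN subnet rather than "any".
!    Static twice NAT is bidirectional, which covers the post's "and vice versa".
nat (inside,outside) 1 source static David_PC David_PC_Hidden destination static remote_VPN remote_VPN
nat (inside,outside) 2 source static internal_lan_subnet internal_lan_subnet destination static remote_VPN remote_VPN
!
! Checks: confirm rule order and hit counts, then trace one flow from David_PC and one
! from another LAN host to see which NAT line each actually matches
! show nat detail
! packet-tracer input inside tcp 10.1.1.50 12345 10.2.2.10 80
! packet-tracer input inside tcp 10.1.1.60 12345 10.2.2.10 80
```

The packet-tracer output's NAT phase should name line 1 for the 10.1.1.50 flow and line 2 for the other host; if both land on line 2, the rules still overlap and the hide rule is being bypassed.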