Aug 16, 2011
tom

ASA 5505 :: Routed/NAT or Transparent mode for inside Web/DNS Server

Question

I just bought an ASA 5505 that my data center is setting up for me. They have told me that setting the ASA to routed mode with NAT will break the Web/DNS server on the inside network.

For example: WAN IP 66.xxx.47.x translated to LAN IP 192.168.0.1 on the inside network will not provide the WAN IP to the inside Web/DNS server, which apparently will break DNS; of course the DC provides no other details.

Are most people providing web services behind an ASA set to transparent mode? It looks like transparent mode has some drawbacks, not terminating VPN traffic being one of them.

It seems like routed/NAT is the most secure/versatile, but maybe I'm not seeing the benefits of transparent mode; on the surface it seems like a quick & dirty way to get up & running, but hopefully it's more than that.

Feedback appreciated, I have to make the call on this soon.

Thanks!

Answer

A typical static entry looks like this:

static (inside,outside) 66.1.47.1 192.168.0.2 netmask 255.255.255.255

If they program it through ASDM, it’ll typically throw in the dns part. This alters DNS replies coming from the outside. This is NOT what you want:

static (inside,outside) 66.1.47.1 192.168.0.2 netmask 255.255.255.255 dns

Get rid of that dns keyword and you should be fine.

Transparent mode is pretty nice, but it removes a bunch of features from the ASA. Go with routed mode unless you have a reason to do otherwise.
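For readers who want to see the whole routed-mode setup the answer is pointing at, here is an added configuration example; it is not part of the original answer and not the data center's config. It keeps the addresses from the answer (public 66.1.47.1, inside host 192.168.0.2) and assumes the interfaces are already named "inside" and "outside"; the object and access-list names are made up for the example. The first half uses the pre-8.3 static/global/nat syntax shown in the answer, the second half restates the same policy in the 8.3+ object NAT syntax, since a 5505 bought in 2011 may ship with either. In both, the static translation is written without the dns keyword, so DNS replies crossing the ASA are forwarded unmodified and the inside DNS server's answers reach outside clients as it wrote them.

```cisco
! Added example (not from the original post). Interfaces "inside" and
! "outside" are assumed to exist; names like outside_in are arbitrary.
!
! ===== ASA 8.2 and earlier =====
!
! One-to-one static NAT for the inside web/DNS host. Deliberately NO "dns"
! keyword: with it, the ASA would rewrite matching A records in DNS replies
! that pass through this translation (that is the ASDM-added line the answer
! says to avoid).
static (inside,outside) 66.1.47.1 192.168.0.2 netmask 255.255.255.255
!
! Outbound PAT for everything else on the LAN behind the outside address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Publish only the services the server actually offers. Pre-8.3 ACLs on the
! outside interface match the translated (public) address. DNS is opened on
! both UDP and TCP so large responses and zone transfers are not silently cut.
access-list outside_in extended permit tcp any host 66.1.47.1 eq www
access-list outside_in extended permit tcp any host 66.1.47.1 eq https
access-list outside_in extended permit udp any host 66.1.47.1 eq domain
access-list outside_in extended permit tcp any host 66.1.47.1 eq domain
access-group outside_in in interface outside
!
! ===== ASA 8.3 and later: same policy, object NAT syntax =====
!
object network web-dns-server
 host 192.168.0.2
 ! Static translation to the public address. Again no trailing "dns"; the
 ! equivalent of the line the answer warns about would be:
 !   nat (inside,outside) static 66.1.47.1 dns
 nat (inside,outside) static 66.1.47.1
!
object network inside-lan
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! From 8.3 the ACL is written against the real (inside) address/object.
access-list outside_in extended permit tcp any object web-dns-server eq www
access-list outside_in extended permit tcp any object web-dns-server eq https
access-list outside_in extended permit udp any object web-dns-server eq domain
access-list outside_in extended permit tcp any object web-dns-server eq domain
access-group outside_in in interface outside
```

After applying either half, "show run static" (pre-8.3) or "show run nat" (8.3+) should list the translation with no "dns" at the end of the line; if ASDM has been used to edit the rule afterwards, check again, because its NAT dialog can re-enable DNS rewrite via a checkbox.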

Related posts:

  1. Cisco 5505 ASA firewall how to tell one interface to only allow connections from a specific IP address
  2. How to disable dns doctoring for IPSEC VPN connections for ASA 5510
  3. Is it possible to configure a DMZ zone on a Cisco ASA/PIX 515e device on “transparent mode”?
  4. Cisco ASA 5505 Config
  5. Basic ASA 5505/DHCP/Routing Help
