Configure Destination NAT with DNS Rewrite
Table of Contents
10.1
Expand all | Collapse all
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
Configure Destination NAT with DNS Rewrite
Create a destination NAT policy rule for static translation
that also rewrites the IPv4 address in a DNS response based on the original
or translated destination address of the NAT rule.
When you configure a destination NAT policy
rule that performs static translation of IPv4 addresses, you can
also configure the rule so that the firewall rewrites the IPv4 address
in a DNS response based on the original or translated IP address
configured for the rule. The firewall performs NAT on the IPv4 address
(the FQDN resolution) in a DNS response (that matches the rule)
before forwarding the response to the client; thus, the client receives
the appropriate address to reach the destination service.
View
the DNS rewrite use
cases to help you determine whether to specify that the rewrite
occur in the
reverse
or forward
direction.You
cannot enable
Bi-directional
source address
translation in the same NAT rule where you enable DNS rewrite.- Create a destination NAT policy rule that specifies the firewall perform static translation of IPv4 addresses that match the rule, and also specifies the firewall rewrite IP addresses in DNS responses when that IPv4 address (from the A Record) matches the original or translated destination address in the NAT rule.
- SelectandPoliciesNATAdda NAT policy rule.
- (Optional) On theGeneraltab, enter a descriptiveNamefor the rule.
- ForNAT Type, selectipv4.
- On theOriginal Packettab,AddaDestination Address.You will also have to select a Source Zone orAnysource zone, but DNS rewrite occurs at the global level; only the Destination Address on the Original Packet tab is matched. DNS Rewrite ignores all other fields on the Original Packet tab.
- On theTranslated Packettab, for Destination Address Translation, selectTranslation Typeto beStatic IP.
- Select aTranslated Addressor enter a new address.
- Enable DNS Rewriteand select aDirection:
- Selectreverse(default) when the IP address in the DNS response requires the opposite translation that the NAT rule specifies. If the DNS response matches theTranslatedDestination Address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
- Selectforwardwhen the IP address in the DNS response requires the same translation that the NAT rule specifies. If the DNS response matches theOriginalDestination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
- ClickOK.
- Commityour changes.