DNS over NAT on separate subnets

ablack@carneys.com
      03-09-2006, 04:19 PM
I don't believe that this is possible, but I thought I would check. The
scenario is this.

Subnet 1: 206.15.87.x/24, multiple W2K3 AD domain controllers and other
Windows boxes. All work correctly and ultimately NAT via Cisco ASA to the
internet (no problems at this site, all OK, DNS stable).

Subnet 2: connected over wireless radio to the inside of network 206.15.87.x,
not through the outside internet line or over the Cisco ASA. This site has IPs
11.50.200.x/24 and is NAT'd for security reasons to 206.15.87.10 with
another Cisco ASA at the subnet 2 site. This segment can browse all of the
206.15.87.x network and can hit the internet via the NAT'd Cisco ASA at subnet 1.

The problem: I want to add a W2K3 domain controller at subnet 2. If I do, it
will report its DNS as 11.50.200.200 since this is its actual IP. This will
work for subnet 2, but will cause problems at subnet 1 since this subnet
knows nothing about the 11.50.200.x network. If I change the DNS entry for
the server at subnet 2, then subnet 1 will be able to find the server, but
clients at subnet 2 will fail, since the address is the outside NAT'd address.

Really don't know how to get around this, or if I should even try!
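As an added illustration of the dilemma in the post above (example code, not from the thread or anyone in it): a small reachability check that models each site's routable prefixes with Python's ipaddress module and reports which site a given DNS answer would strand, for a single global record and for per-site (split-horizon) answers. The site names, the hostname and the assumption that subnet 2 cannot hairpin to its own NAT'd address 206.15.87.10 are mine, taken from what the post describes.

```python
import ipaddress

# Constructed model of the two sites in the thread (added example, not from the post).
# Each site lists the prefixes its clients can actually route to.
SITE_ROUTABLE = {
    "subnet1": ["206.15.87.0/24"],                    # knows nothing about 11.50.200.x
    "subnet2": ["11.50.200.0/24", "206.15.87.0/24"],  # can browse all of 206.15.87.x
}
# Addresses a site cannot use even though the prefix is routable: subnet 2's own
# NAT'd outside address is not reachable from behind its ASA (assumption: no hairpin NAT).
SITE_EXCLUDED = {
    "subnet2": ["206.15.87.10/32"],
}


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def reachable(site, ip):
    """True if a client at `site` can reach `ip` as handed out by DNS."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in _nets(SITE_EXCLUDED.get(site, []))):
        return False
    return any(addr in n for n in _nets(SITE_ROUTABLE[site]))


def unreachable_sites(ip):
    """Sites whose clients would get a dead answer if DNS returned `ip`."""
    return [site for site in SITE_ROUTABLE if not reachable(site, ip)]


def check_records(records):
    """One global DNS view: {hostname: ip} -> {hostname: [sites that cannot reach it]}."""
    return {host: bad for host, ip in records.items() if (bad := unreachable_sites(ip))}


def check_views(views):
    """Per-site (split-horizon) answers: {site: {hostname: ip}} -> {site: [unreachable hosts]}."""
    problems = {}
    for site, records in views.items():
        bad = [host for host, ip in records.items() if not reachable(site, ip)]
        if bad:
            problems[site] = bad
    return problems


if __name__ == "__main__":
    dc2 = "dc2.example.local"  # constructed hostname for the subnet-2 DC
    print(check_records({dc2: "11.50.200.200"}))  # {'dc2.example.local': ['subnet1']}
    print(check_records({dc2: "206.15.87.10"}))   # {'dc2.example.local': ['subnet2']}
    print(check_views({"subnet1": {dc2: "206.15.87.10"},
                       "subnet2": {dc2: "11.50.200.200"}}))  # {}
```

Either single global record leaves one site stranded; only an answer that differs per site passes, which is the shape any working fix (split DNS, or a routable address at both sites) has to take.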
Doug Sherman [MVP]
      03-09-2006, 05:46 PM
Maybe a Site to Site VPN between the DCs.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

ablack@carneys.com
      03-09-2006, 06:01 PM
Of course this would resolve the issue, but we need to be able to control
access from the segment, and normally a site-to-site VPN is meant to allow
all resources across both segments. Basically the issue is that these are
governmental agencies that want connectivity, but don't trust cross-
connectivity to the entire IP segments.

Thanks for the reply.

Neteng
      03-09-2006, 06:06 PM
This really depends on the ASA config. You can either hide or not hide
servers and their services (with NAT and ACLs). The best way to do this is to
use an interface on one ASA as a DMZ interface and put the wireless out there.
Then you can create the proper statics and ACLs for communication and
access to resources.

Doug Sherman [MVP]
      03-09-2006, 06:48 PM
If you don't configure routes on the routers or the clients, the only
machines which will use the VPN are the DCs.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
