As we know, the Cisco ASA supports a DHCP server feature but not a DNS server. The reason is most likely to keep the number of services running on the appliance to a minimum: every extra service, especially one that talks directly to the internet, is additional attack surface that could expose a vulnerability and turn into a successful compromise. A scenario where a DNS server on the ASA would be handy is when the DHCP server is already running on the same appliance and the DNS server in use is a public one. To be honest, though, the lack of a DNS server on the ASA is not an issue at all, because you can still push an external DNS server's IP address to the hosts through the DHCP leases managed by the ASA. However, let's say that, hypothetically, your requirement is to use the ASA as the DNS server for the hosts on your internal segment. Would that be possible? The answer is yes and no :). The ASA will never act as a real DNS server, but with a little NAT trick you can make the ASA appear to be your hosts' DNS server. From the hosts' perspective the DNS server is the ASA; in reality the ASA is just relaying DNS requests between the internal hosts and the external public DNS server. Here is the trick for accomplishing this.
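The following is an added example of one way to build that trick with ASA 8.3+ twice NAT; it is not the configuration from the original post, and the addressing is assumed: inside subnet 192.168.1.0/24, a spare inside address 192.168.1.53 handed to the hosts as "the DNS server" (a dedicated address is used rather than the inside interface address itself, so the queries are through-the-box traffic that NAT can act on), and a public resolver at 8.8.8.8 reached through the outside interface. The object and service names are also made up for this example.

```cisco
! Added example, not the post's own configuration. Assumed addressing:
! inside 192.168.1.0/24 behind the "inside" interface, spare inside address
! 192.168.1.53 advertised to hosts as their DNS server, public resolver
! 8.8.8.8 behind the "outside" interface. ASA 8.3+ NAT syntax.

object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network DNS-VIRTUAL
 host 192.168.1.53
object network DNS-PUBLIC
 host 8.8.8.8
object service DNS-UDP
 service udp destination eq domain
object service DNS-TCP
 service tcp destination eq domain

! Hand the virtual address to the hosts as their DNS server via the ASA's DHCP
! server; the hosts never learn the public resolver's address.
dhcpd address 192.168.1.10-192.168.1.200 inside
dhcpd dns 192.168.1.53
dhcpd enable inside

! Twice NAT, placed at line 1 so it is evaluated before any general PAT rule:
! a query from an inside host to 192.168.1.53:53 has its destination rewritten
! to 8.8.8.8 and its source PATed to the outside interface address. The reply
! is untranslated on the way back, so the host sees the answer arrive from
! 192.168.1.53. One rule for UDP/53, one for TCP/53 (large responses).
nat (inside,outside) 1 source dynamic INSIDE-NET interface destination static DNS-VIRTUAL DNS-PUBLIC service DNS-UDP DNS-UDP
nat (inside,outside) 2 source dynamic INSIDE-NET interface destination static DNS-VIRTUAL DNS-PUBLIC service DNS-TCP DNS-TCP

! Verification: trace a query from a host and confirm the NAT phase matches
! and the packet leaves outside with destination 8.8.8.8, then check hit counts.
packet-tracer input inside udp 192.168.1.50 40000 192.168.1.53 53
show nat detail
show xlate
```

Two things worth checking after applying this. First, the ASA answers ARP on the inside interface for the mapped destination address 192.168.1.53, which is what lets the hosts reach an address that no real box owns; if `packet-tracer` shows the flow dropped before the NAT phase, that proxy-ARP behaviour is the first thing to look at. Second, because the hosts only ever see 192.168.1.53, swapping the upstream resolver is a one-object change (`DNS-PUBLIC`) with no DHCP lease churn, which is exactly the operational convenience the trick buys you.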
In this post I'm going to talk about NAT exemption. As we know, NAT plays a very important role in our networks today; however, for all the benefits we get from NAT'ing, sometimes we don't need it, or more specifically we need to bypass it. A common scenario is VPN traffic, where we don't want to translate the original IP addresses: if the LAN-to-remote-site packets are PATed before they reach the crypto map, they no longer match the tunnel's interesting-traffic ACL and never enter the tunnel. In this post I'm going to show you how to exempt traffic from NAT by applying a tricky configuration on IOS, without having to go through the common way of doing it.
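For reference, this is the common way of exempting VPN traffic from NAT on IOS, added here as an example and not the trick the post goes on to describe: the traffic to be exempted is denied in the ACL that feeds the NAT statement through a route-map, so no translation is ever created for it. Interface names and addresses are assumed: LAN 192.168.1.0/24 on GigabitEthernet0/1, internet on GigabitEthernet0/0, remote VPN site 10.10.0.0/16; the ACL and route-map names are made up for the example.

```cisco
! Added example of the conventional NAT exemption, not the post's own trick.
! Assumed: LAN 192.168.1.0/24 behind GigabitEthernet0/1 (ip nat inside),
! internet on GigabitEthernet0/0 (ip nat outside), remote VPN LAN 10.10.0.0/16.

! The ACL is read top-down: LAN-to-VPN traffic hits the deny and is therefore
! not a candidate for translation, so it reaches the crypto map with its
! original addresses. Everything else from the LAN falls through to the permit
! and is PATed to the outside interface.
ip access-list extended NAT-SOURCES
 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any

route-map NAT-POLICY permit 10
 match ip address NAT-SOURCES

ip nat inside source route-map NAT-POLICY interface GigabitEthernet0/0 overload

interface GigabitEthernet0/1
 ip nat inside
interface GigabitEthernet0/0
 ip nat outside

! Verification: after a host talks to both the internet and the remote site,
! only the internet-bound flows should appear in the translation table.
show ip nat translations
show route-map NAT-POLICY
```

The order of the two ACL entries is the whole point: put the `permit ... any` first and the deny is never reached, every LAN packet gets translated, and the VPN silently stops matching its interesting-traffic ACL. `show route-map NAT-POLICY` reports match counts, which is a quick way to confirm the exemption is actually being exercised rather than bypassed.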