Hi,
we have a website (example.com) running inside our organisation, and a public-to-private static NAT configured on our vSRX (103.10.10.10 -> 10.100.100.10). All outside internet users can access the website (example.com), which resolves to the public IP 103.10.10.10.
The issue now is for the internal users: when they try to access this internal website (example.com), it resolves to the public IP 103.10.10.10, and it doesn't work.
Please note that we don't have any DNS server internally; we are using Google DNS 8.8.8.8, and the vSRX is running 21.4R3.15.
In this situation, I think DNS doctoring needs to be implemented, which can resolve the domain example.com to the internal IP (10.100.100.10) instead of the public IP for the internal users.
Following is my configuration; could you help me fix this issue?
Static NAT
***************
set security address-book global address INTERNAL_SUBNET 10.100.100.0/24
set security address-book global address h-10.100.100.10 10.100.100.10/32
set security nat destination pool web1 address 10.100.100.10/32
set security nat destination rule-set rs1 rule 10 match destination-address 103.10.10.10/32
set security nat destination rule-set rs1 rule 10 then destination-nat pool web1
Security rule
*****************
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 match source-address any
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 match destination-address h-10.100.100.10
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 match application http
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 match application https
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 then permit
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 then log session-init
set security policies from-zone SL-PUBLIC to-zone SL-PRIVATE policy INTERNET-WEB1 then log session-close
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet match source-address INTERNAL_SUBNET
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet match destination-address any
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet match application junos-dns-udp
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet then permit
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet then log session-init
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet then log session-close
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 match source-address INTERNAL_SUBNET
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 match destination-address any
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 match application any
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 then permit
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 then log session-init
set security policies from-zone SL-PRIVATE to-zone SL-PUBLIC policy Dnat-Internet-2 then log session-close
root@myfw-vsrx-vSRX> show security alg status
ALG Status:
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Disabled
RTSP : Enabled
SCCP : Enabled
SIP : Enabled
SQL : Disabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
TWAMP : Disabled
Regards,
Ali
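As an added example (not the poster's configuration and not taken from Juniper documentation), here is how the setup described above would be moved from destination NAT to static NAT so that the vSRX DNS ALG can doctor the A record for example.com on its way back to the internal clients. Zone names and addresses are taken from the post; the rule-set and rule names are hypothetical.

```junos
## Added example, not the poster's config. Names WEB1-STATIC / WEB1 are hypothetical.

## 1. Replace the destination NAT with static NAT for the web server.
##    The DNS ALG only rewrites A records whose address is covered by a
##    static NAT rule, so the destination NAT pool/rule-set from the post
##    is removed and re-expressed as static NAT.
delete security nat destination rule-set rs1
delete security nat destination pool web1
## The DNS reply from 8.8.8.8 arrives from zone SL-PUBLIC, so the rule-set
## is anchored there; static NAT is bidirectional, so outbound traffic from
## 10.100.100.10 is also translated to 103.10.10.10 automatically.
set security nat static rule-set WEB1-STATIC from zone SL-PUBLIC
set security nat static rule-set WEB1-STATIC rule WEB1 match destination-address 103.10.10.10/32
set security nat static rule-set WEB1-STATIC rule WEB1 then static-nat prefix 10.100.100.10/32

## 2. DNS ALG doctoring is on by default (the post shows the DNS ALG enabled).
##    Confirm it has not been switched off with "doctoring none"; if it has,
##    remove that statement so the default applies again.
##      > show configuration security alg dns
##      # delete security alg dns doctoring

## 3. The existing SL-PUBLIC -> SL-PRIVATE policy INTERNET-WEB1 already matches
##    the post-NAT address h-10.100.100.10, and Dnat-Internet already permits
##    junos-dns-udp outbound, so no policy change is needed here.

## 4. Verification after commit.
##      > show security nat static rule all
##      > show security flow session destination-prefix 10.100.100.10
```

After the commit, a lookup of example.com from an internal host via 8.8.8.8 should return 10.100.100.10 rather than 103.10.10.10, and the client then reaches the server directly on the local subnet without hairpinning through the firewall.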