Using NAT during a DNS server or network device transition
My original DNS server (IP address 10.1.0.1) will be phased out soon. I have my new DNS server (AD integrated) set up on another segment (IP address 10.2.0.1). Therefore, I would have to update the DNS IP address on all of my network devices to the new DNS IP address. This is very time-consuming and prone to error and omission.
Alternatively, we can use NAT to redirect all DNS requests destined for my old DNS server to my new DNS server.
I have done some research on:
- Cisco Way
- Juniper ScreenOS - NAT
I cannot use the Cisco way because I have only an L3 switch which does not support the ip nat command (a Cisco 4507 with a Sup 6-E supervisor).
I have an SSG550 with ScreenOS 6.2.0 (r5.0). There are a lot of ways to accomplish the task. I have tried to follow KB4740 to successfully NAT my new DNS server. (Trick: for step 9, you need to wait for the service to go from “Down” to “OK” before proceeding. The waiting time may be half a minute to 3 minutes.)
Alternatively, I chose to use VIP + DNAT + SNAT to accomplish my task.
- Shut down the old server (to prevent an IP address conflict)
- Log in to the NetScreen admin interface
- Go to Network – Interfaces
- Edit the corresponding interface (the interface your old DNS server sits on)
- Click “VIP”
- Enter the old server IP address as the Virtual IP address, then click the “Add” button
- Go to Policy – Policies
- Select the appropriate zones (in my case: From Trust to Trust) (assuming the new and old servers are in the same security zone, but in different VLANs)
- Click New
- Enter Source Address = Any
- Enter Destination Address = your old server IP
- For Service, we can enter only DNS, or ANY.
- Click “Advanced” for the NAT options
- Enable both Source Translation and Destination Translation
- Enter the new IP address in “Translate to IP”
- Click OK to save. A new policy is added.
You can verify your setup with NSLOOKUP.
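Beyond a single nslookup, it is worth checking that the old address (now a VIP on the firewall) and the new server return the same answer for a name that lives in the AD zone. The script below is an added example, not part of the original post: it hand-builds one DNS A query with the standard library, sends it over UDP to 10.1.0.1 and to 10.2.0.1, parses both replies and reports whether they agree. The hostname dc1.example.local is a placeholder to replace with a record from your own zone; the two addresses are the ones from the post.

```python
"""Verify the DNS NAT redirect: query the old address and the new server
and compare the answers (added example, not from the original post)."""
import random
import socket
import struct

OLD_DNS = "10.1.0.1"          # old server IP, now a VIP on the SSG
NEW_DNS = "10.2.0.1"          # new AD-integrated DNS server
QNAME = "dc1.example.local"   # placeholder: use a name that exists in your AD zone


def build_query(name, txid=None):
    """Return (txid, wire bytes) for a standard recursive A/IN query."""
    if txid is None:
        txid = random.randrange(0, 0x10000)   # random ID so stale replies are rejected
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return txid, header + question


def _skip_name(data, offset):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, expected_txid):
    """Return (rcode, sorted IPv4 strings) from a DNS response.

    Raises ValueError when the transaction ID does not match or the packet
    is not a response, so a stale or forged reply is never reported as OK.
    """
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4   # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, IN class
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength
    return rcode, sorted(addrs)


def query(server_ip, name, timeout=3.0):
    """Send one UDP query; return parse_a_records() of the reply, or None on timeout."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_a_records(data, txid)


def compare(old_result, new_result):
    """Classify the pair of results from the old (VIP) address and the new server."""
    if old_result is None:
        return "old address not answering: VIP or policy is not matching the traffic"
    if new_result is None:
        return "new server not answering directly"
    if old_result == new_result:
        return "redirect OK: same answer via old and new address"
    return "answers differ: old address is not reaching the new server"


if __name__ == "__main__":
    old = query(OLD_DNS, QNAME)
    new = query(NEW_DNS, QNAME)
    print("via old address:", old)
    print("via new server :", new)
    print(compare(old, new))
```

Run it from a client on the old server's VLAN after the policy is in place; a timeout on the old address points at the VIP or the policy, while differing answers mean the destination translation is sending the query somewhere other than 10.2.0.1. Because the policy also enables source translation, the new server sees the firewall's interface address rather than the original client as the query source, so its query logs will not identify individual clients for traffic that arrives through the redirect.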