Figure 43-2 – Cisco ASA 5505 User Manual

Page 881

Advertising
background image

43-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 43 Configuring Inspection of Basic Internet Protocols

DNS Inspection

Figure 43-2

DNS Rewrite with Three NAT Zones

In

Figure 43-2

, a web server, server.example.com, has the real address 192.168.100.10 on the DMZ

interface of the ASA. A web client with the IP address 10.10.10.25 is on the inside interface and a public
DNS server is on the outside interface. The site NAT policies are as follows:

The outside DNS server holds the authoritative address record for server.example.com.

Hosts on the outside network can contact the web server with the domain name server.example.com
through the outside DNS server or with the IP address 209.165.200.5.

Clients on the inside network can access the web server with the domain name server.example.com
through the outside DNS server or with the IP address 192.168.100.10.

When a host or client on any interface accesses the DMZ web server, it queries the public DNS server
for the A-record of server.example.com. The DNS server returns the A-record showing that
server.example.com binds to address 209.165.200.5.

When a web client on the outside network attempts to access http://server.example.com, the sequence of
events is as follows:

1.

The host running the web client sends the DNS server a request for the IP address of
server.example.com.

2.

The DNS server responds with the IP address 209.165.200.225 in the reply.

3.

The web client sends its HTTP request to 209.165.200.225.

4.

The packet from the outside host reaches the ASA at the outside interface.

5.

The static rule translates the address 209.165.200.225 to 192.168.100.10 and the ASA directs the
packet to the web server on the DMZ.

When a web client on the inside network attempts to access http://server.example.com, the sequence of
events is as follows:

1.

The host running the web client sends the DNS server a request for the IP address of
server.example.com.

2.

The DNS server responds with the IP address 209.165.200.225 in the reply.

132407

Web client

10.10.10.25

Web server

192.168.100.10

DNS server

erver.example.com IN A 209.165.200.5

Security

appliance

Outside

DMZ
192.168.100.1

10.10.10.1

Inside

99.99.99.2

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals