Configuring dns rewrite with three nat zones – Cisco ASA 5505 User Manual

43-6

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 43 Configuring Inspection of Basic Internet Protocols

DNS Inspection

3. The ASA receives the DNS reply and submits it to the DNS application inspection engine.

4. The DNS application inspection engine does the following:

   a. Searches for any NAT rule to undo the translation of the embedded A-record address
      “[outside]:209.165.200.5”. In this example, it finds the following static configuration:

      object network obj-192.168.100.10-01
       host 192.168.100.10
       nat (dmz,outside) static 209.165.200.5 dns

   b. Uses the static rule to rewrite the A-record as follows because the dns option is included:

      [outside]:209.165.200.225 --> [dmz]:192.168.100.10

      Note: If the dns option were not included with the nat command, DNS Rewrite would not be
      performed and other processing for the packet continues.

   c. Searches for any NAT to translate the web server address, [dmz]:192.168.100.10, when
      communicating with the inside web client.

      No NAT rule is applicable, so application inspection completes.

      If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns
      option were not specified, the A-record rewrite in step b would be reverted and other processing
      for the packet continues.

5. The ASA sends the HTTP request to server.example.com on the DMZ interface.
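The decision the inspection engine makes in steps 4a to 4c, modelled in Python as an added example (this is not Cisco's code). The rule table mirrors the page's static rule for the DMZ web server; the interface names and the 10.1.1.5 inside-side rule used in the comments are constructed, and the result when both rules carry the dns option is an assumption, since the page only spells out the revert case.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class NatRule:
    """One static NAT rule: nat (real_if,mapped_if) static mapped_addr [dns]."""
    real_if: str
    mapped_if: str
    real_addr: str
    mapped_addr: str
    dns: bool


# Constructed rule mirroring the page's configuration for the DMZ web server:
#   nat (dmz,outside) static 209.165.200.5 dns
WEB_SERVER_RULE = NatRule("dmz", "outside", "192.168.100.10", "209.165.200.5", dns=True)


def rewrite_a_record(rules: List[NatRule], answer_if: str, answer_addr: str,
                     client_if: str) -> str:
    """Return the A-record address the client sees after inspection steps 4a-4c.

    answer_if/answer_addr: interface and address embedded in the DNS reply.
    client_if: interface of the client that sent the DNS query.
    """
    # 4a: find the rule whose mapped side produced the embedded address.
    undo = next((r for r in rules
                 if r.mapped_if == answer_if and r.mapped_addr == answer_addr), None)
    if undo is None or not undo.dns:
        return answer_addr            # no rule, or rule without dns: no rewrite
    # 4b: undo the translation to the real (DMZ) address.
    real_if, real_addr = undo.real_if, undo.real_addr
    # 4c: is the real address itself translated when talking to the client?
    fwd = next((r for r in rules
                if r.real_if == real_if and r.real_addr == real_addr
                and r.mapped_if == client_if), None)
    if fwd is None:
        return real_addr              # no further NAT: inspection completes
    if not fwd.dns:
        return answer_addr            # second rule lacks dns: step b is reverted
    # Assumed behaviour (not spelled out on the page): with dns on both rules
    # the record is translated to the address the client actually reaches.
    return fwd.mapped_addr


def page_scenario() -> str:
    """The page's example: inside client, A-record from the outside DNS server."""
    return rewrite_a_record([WEB_SERVER_RULE], "outside", "209.165.200.5", "inside")
```

Swap the `dns` flag on either rule to see the "no rewrite" and "reverted" outcomes the Note and step 4c describe.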

Configuring DNS Rewrite with Three NAT Zones

To enable the NAT policies for the scenario in Figure 43-2, perform the following steps:

Step 1  Create a static translation for the web server on the DMZ network using the dns option. See
Chapter 30, “Configuring Network Object NAT.”

Step 2  Create an access list that permits traffic to the port that the web server listens to for HTTP requests.

hostname(config)# access-list acl-name extended permit tcp any host mapped-address eq port

where the arguments are as follows:

acl-name—The name you give the access list.
mapped-address—The translated IP address of the web server.
port—The TCP port that the web server listens to for HTTP requests.

Step 3  Apply the access list created in Step 2 to the outside interface. To do so, use the access-group
command, as follows:

hostname(config)# access-group acl-name in interface outside

Step 4  If DNS inspection is disabled or if you want to change the maximum DNS packet length, configure DNS
inspection. DNS application inspection is enabled by default with a maximum DNS packet length of 512
bytes. For configuration instructions, see the “Configuring a DNS Inspection Policy Map for Additional
Inspection Control” section on page 43-7.

Step 5  On the public DNS server, add an A-record for the web server, such as:

domain-qualified-hostname. IN A mapped-address
