Configuring dns rewrite – Cisco ASA 5505 User Manual


43-3

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 43 Configuring Inspection of Basic Internet Protocols

DNS Inspection

For details about the configuration required, see the “Configuring DNS Rewrite” section on page 43-3.

DNS Rewrite performs two functions:

Translating a public address (the routable or “mapped” address) in a DNS reply to a private address
(the “real” address) when the DNS client is on a private interface.

Translating a private address to a public address when the DNS client is on the public interface.

In Figure 43-1, the DNS server resides on the external (ISP) network. The real address of the server
(192.168.100.1) has been mapped using the static command to the ISP-assigned address
(209.165.200.5). When a web client on the inside interface attempts to access the web server with the
URL http://server.example.com, the host running the web client sends a DNS request to the DNS server
to resolve the IP address of the web server. The ASA translates the non-routable source address in the
IP header and forwards the request to the ISP network on its outside interface. When the DNS reply is
returned, the ASA applies address translation not only to the destination address, but also to the
embedded IP address of the web server, which is contained in the A-record in the DNS reply. As a result,
the web client on the inside network gets the correct address for connecting to the web server on the
inside network.

For configuration instructions for scenarios similar to this one, see the “Configuring DNS Rewrite with
Two NAT Zones” section on page 43-4.

Figure 43-1 Translating the Address in a DNS Reply (DNS Rewrite)

DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server
is on an inside interface. For an illustration and configuration instructions for this scenario, see the
“Overview of DNS Rewrite with Three NAT Zones” section on page 43-4.
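The rewrite described above, as an added example that is not part of the Cisco guide: a minimal Python model of DNS rewrite that parses a DNS reply in wire format and swaps the A-record RDATA according to a NAT table, in the direction chosen by the interface the DNS client sits on. The NAT table, the interface names "inside"/"outside", and the build_reply helper are constructed for illustration and are not ASA code or configuration.

```python
import struct
from ipaddress import IPv4Address
NAT_TABLE = {"192.168.100.1": "209.165.200.5"}  # constructed: real -> mapped (as in Figure 43-1)

def _skip_name(msg, off):
    """Return the offset just past a domain name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _answer_rdata(msg):
    """Yield (rtype, rdata_offset, rdlen) for every RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, off, rdlen
        off += rdlen

def a_records(msg):
    """Addresses carried by the A records in the answer section."""
    return [str(IPv4Address(msg[o:o + 4])) for t, o, n in _answer_rdata(msg) if t == 1 and n == 4]

def dns_rewrite(reply, client_iface):
    """Client on 'inside': mapped -> real.  Client on 'outside': real -> mapped."""
    table = {m: r for r, m in NAT_TABLE.items()} if client_iface == "inside" else dict(NAT_TABLE)
    out = bytearray(reply)
    for rtype, off, rdlen in _answer_rdata(reply):
        if rtype == 1 and rdlen == 4:  # type A with 4-byte RDATA
            addr = str(IPv4Address(reply[off:off + 4]))
            if addr in table:
                out[off:off + 4] = IPv4Address(table[addr]).packed
    return bytes(out)  # same length as the input: only RDATA bytes change

def build_reply(name, addr):
    """Constructed reply: one question and one A answer using a pointer (0xC00C) to the name."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # ID, flags (QR, RD, RA), counts
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + question + answer
```

Only the embedded address changes; the packet length, transaction ID and the rest of the reply are left intact, which is why the client sees an ordinary answer carrying the reachable address.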

Configuring DNS Rewrite

You configure DNS rewrite using the NAT configuration.

This section includes the following topics:

Configuring DNS Rewrite with Two NAT Zones, page 43-4

Overview of DNS Rewrite with Three NAT Zones, page 43-4

Configuring DNS Rewrite with Three NAT Zones, page 43-6

[Figure 43-1 labels: Web server server.example.com, 192.168.100.1; Web client http://server.example.com, 192.168.100.2; ISP Internet; DNS server reply: server.example.com IN A 209.165.200.5; Security appliance rewrites the A-record to 192.168.100.1]
