topic Hi Diego,Yes. DNS query will in Network Security

traffic between to private interfaces via NATed public interface on ASA

tato386 — Tue, 12 Mar 2019 06:45:15 GMT

I have an ASA with three interfaces which I will call public, internal1 and internal2. Security levels are 0 for public, 100 for internal1 and 90 for internal2. I have a few hosts on internal1 that have static NAT using public interface and rules to allow TCP80, 443, etc.

The internal1 machines exposed ports and services work fine from the Internet. However, they are not reachable from machines on internal2.

Below is some IP info that might make the setup easier to understand.

Machine on internal1 interface
private IP: 192.168.1.10 NAT to public IP 1.1.1.10

Machines on internal2 interface
private IPs: 192.168.11.XX PAT to public IP 1.1.1.20

ASA Interfaces
internal1: 192.168.1.1
internal2: 192.168.11.1
public: 1.1.1.1

So the flow would be that a client on internal2 using 192.168.11.xx is PATed to 1.1.1.20 and sent out the public IP of the ASA but must then come right back into the ASA on the same interface and be allowed to access 1.1.1.10 web site which resides on the internal1 interface machine with IP 192.168.1.10.

A packet trace from the ASA confirms that this is what is happening and it confirms that the packet is allowed but yet it doesn't work.

I am open to a different configuration but the only requirement is that internal2 be treated as non-trusted network and not be allowed full access to internal1. The unit is a 5515-X with 9.4.2.

Thanks,
Diego

Hi Diego,From the explanation

Akshay Rastogi — Thu, 15 Oct 2015 18:55:15 GMT

Hi Diego,

From the explanation, i could understand that the host from Internal2 want to access webserver on public IP which actually resides behind internal 1.

As it is dns doctoring scenario, you could try this :

object network obj-192.168.1.10

host 192.168.1.10

nat (internal1,outside) static 1.1.1.10 dns

object network obj-192.168.11.0

subnet 192.168.11.0 255.255.255.0

nat (internal2,outside ) dynamic 1.1.1.20

Alternatively, you could try this with Destination nat.

You could try the below type of configuration:

nat (internal2,internal1) source dynamic <object for 192.168.11.x > interface destination static <object-1.1.1.10> <object-192.168.1.10>

access-list test permit ip any any

access-group test in interface internal2

You could go through the link below :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html#anc12

Regards,

Akshay Rastogi

Hello Akshay,The DNS

tato386 — Thu, 15 Oct 2015 19:19:38 GMT

Hello Akshay,

The DNS doctoring idea is interesting but I am not sure it will work in my scenario. It seems like you want the internal2 machines to get the private IP of the server when they query DNS. However they use a public DNS server so DNS queries will be between int_outside and internal2. If I turn on DNS doctoring it seems like it will only apply for DNS crossing between int_outside and internal1, no?

Rgds,

Diego

Hi Diego,Yes. DNS query will

Akshay Rastogi — Thu, 15 Oct 2015 19:48:54 GMT

Hi Diego,

Yes. DNS query will be between Internal2 and Outside. For DNS query, Internal1 Interface will not come into picture. The whole point behind enabling DNS doctoring is that when a reply DNS packet for Internal2's DNS query, ASA changes the A-Record of DNS(changes it to private) as per the nat statement and the traffic would be able to reach website internally.

Regards,

Akshay Rastogi

OK, I will give it a shot and

tato386 — Thu, 15 Oct 2015 19:52:17 GMT

OK, I will give it a shot and let you know.

Thanks

Akshay,I was finally able to

tato386 — Fri, 16 Oct 2015 21:03:36 GMT

Akshay,

I was finally able to get this to work. It took three changes:

1) DNS doctoring as per your recommendation to get internal2 machines to see the private ip of internal1 machines

2) Identity NAT for internal1 private subnet to internal2 private subnet

3) Change the implicit rule on internal1 and internal2 interfaces to be allow any

Thank you very much for your help.

Rgds.

Diego