topic ASA DNS Modification is not working on 8.4(3) in Network Security

ASA DNS Modification is not working on 8.4(3)

rd9978 — Mon, 11 Mar 2019 23:33:49 GMT

Hi,

I have a server (172.16.10.1) inside the LAN and IP of the server has been maped to public IP 41.219.130.10.

Topology

Server(172.16.10.1)

DNS Server (8.8.8.8) ----- Outside ASA Inside ----------- |

User (192.168.1.x)

Users are using Public DNS Server to resolve the domain. In this case, users will resolve the server domain to public IP address 41.219.130.10 instead of 172.16.10.1 that cause the server is unreachable for the users by default.

So I enable DNS modification feature on ASA. DNS keyword has been add to static NAT clause. ASA suppose to modify the DNS record to change the public IP to private IP address. But it is not working.

Please help me to check if my command is right or completed. Thank you very much.

access-list inside_acl extended permit udp any host 8.8.8.8 eq 53

access-list outside_acl extended permit tcp any host 41.219.130.10

access-group inside_acl in interface inside

access-group inside_acl in interface outside

object network CARE-SERVER

host 172.16.10.1

nat (inside,outside) static 41.219.130.10 dns

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect http allow-url-policy

inspect dns

service-policy global_policy global

ASA DNS Modification is not working on 8.4(3)

Jennifer Halim — Mon, 23 Jul 2012 17:15:43 GMT

The access-list should be pointing towards the real address instead of the mapped address as follows:

access-list outside_acl extended permit tcp any host 172.16.10.1

ASA DNS Modification is not working on 8.4(3)

rd9978 — Mon, 23 Jul 2012 17:37:13 GMT

Thanks. Jennifer.

access-list outside_acl extended permit tcp any host 172.16.10.1

Yes. I have added this clause. But it is still not working. Seem like ASA does not inpsect DNS.

PNNDC-ASA5520# show service-policy inspect dns

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: dns _default_dns_map, packet 0, drop 0, reset-drop 0

dns-guard, count 0

protocol-enforcement, drop 0

nat-rewrite, count 0

I don't why there is no DNS packet inspected. But DNS inpsection has been enable at Global.

ASA DNS Modification is not working on 8.4(3)

Jennifer Halim — Tue, 24 Jul 2012 01:54:51 GMT

Have you also flush the DNS entries within your PC cache?

ASA DNS Modification is not working on 8.4(3)

rd9978 — Tue, 24 Jul 2012 07:46:30 GMT

Yes. I have tried at 3 PC and routers also.

But ASA didn't inpsect any DNS packet.

ASA DNS Modification is not working on 8.4(3)

Jennifer Halim — Tue, 24 Jul 2012 08:29:45 GMT

And it definitely uses the public DNS server? and the DNS request is actually going through the ASA not other gateway?

Did you try NSLOOKUP or you try to browse to the URL?

ASA DNS Modification is not working on 8.4(3)

rd9978 — Tue, 24 Jul 2012 09:40:33 GMT

I was trying to use public DNS server at the test PCs and routers and all the Internet traffic including DNS only pass through ASA.

I have used nslookup and browse the URL on the PCs.

Also I have used internal routers to test.clear host * and ping domain. It still resolves to public IP address.

I tried to use IOS 8.0 before and there was no issue with this feature. After I upgraded IOS to 8.4(3), this feature did not work and DNS inspection also did not work.

ASA DNS Modification is not working on 8.4(3)

Jennifer Halim — Tue, 24 Jul 2012 10:21:19 GMT

Can you please share your whole configuration.

ASA DNS Modification is not working on 8.4(3)

rd9978 — Fri, 27 Jul 2012 13:43:12 GMT

I have upgraded ASA platform and use IOS 8.4(4)1. There is no problem now.

Thanks.

ASA DNS Modification is not working on 8.4(3)

Jennifer Halim — Fri, 03 Aug 2012 08:04:05 GMT

Thanks for the update. It might be a bug with the previous version that you run.