topic Re: ASA and DNS modifying in Network Security

ASA and DNS modifying

bob.bartlett — Fri, 21 Feb 2020 09:16:46 GMT

I have an ASA5510 and have it configured with the STATIC NAT entries for Web servers in MY DMZ but when I add the DNS to the end of the STATIC rule it does not modify the DNS reply so that the nat'd address is sent to an outside client. I have done this successfully with a PIX firewall running the same IOS.

Re: ASA and DNS modifying

m-haddad — Tue, 31 Oct 2006 16:29:53 GMT

Can you paste the config?

Regards,

Re: ASA and DNS modifying

bob.bartlett — Tue, 31 Oct 2006 18:23:43 GMT

Here you go:

ASA Version 7.1(2)

interface Ethernet0/0

nameif outside

security-level 0

ip address 55.23.239.130 255.255.255.128

interface Ethernet0/1

nameif DMZ

security-level 30

ip address 10.10.30.1 255.255.255.0

interface Management0/0

nameif inside

security-level 100

ip address 10.10.20.129 255.255.255.128

dns domain-lookup inside

dns server-group DefaultDNS

name-server colonel

name-server judge

domain-name ISPRO.COM

access-list ASAOutside remark DNS access to outside DNS Servers

access-list ASAOutside extended permit udp any object-group Outside_DNS object-group DNS

access-list ASAOutside remark HTTP WEB ACCESS

access-list ASAOutside extended permit tcp any object-group WebSites object-group HTTP

access-list ASAOutside remark HTTPS WEB ACCESS

access-list ASAOutside extended permit tcp any object-group WebSites_SSL object-group HTTPS

static (DMZ,outside) 55.23.239.26 10.10.30.26 netmask 255.255.255.255 dns

access-group ASAOutside in interface outside

access-group ASADMZ in interface DMZ

access-group ASAInside in interface inside

Re: ASA and DNS modifying

jgervia_2 — Tue, 31 Oct 2006 20:36:23 GMT

Hello,

The dns option on your static will only work if 'inspect dns' is on - I don't see your global service policy (or interface, for that matter) in the configuration to tell if it is on or not.

--Jason

Please rate this message if helped resolve some or all of your issue!

Re: ASA and DNS modifying

bob.bartlett — Tue, 31 Oct 2006 20:49:31 GMT

Here is the inspect policy the interfaces are on the previous printout

policy-map asa_global_fw_policy

class inspection_default

inspect ftp

inspect h323 ras

inspect h323 h225

inspect tftp

inspect sqlnet

inspect mgcp

inspect netbios

inspect skinny

inspect ils

inspect icmp

inspect sip

inspect xdmcp

inspect ctiqbe

inspect dns maximum-length 1024

Re: ASA and DNS modifying

m-haddad — Tue, 31 Oct 2006 21:44:30 GMT

You static should look like that:

static (DMZ,outside) udp 55.23.239.26 dns 10.10.30.26 dns netmask 255.255.255.255

Please let me know if it solves your problem,

Regards,

Re: ASA and DNS modifying

bob.bartlett — Tue, 31 Oct 2006 23:16:33 GMT

didn't help....

Re: ASA and DNS modifying

jgervia_2 — Wed, 01 Nov 2006 00:42:47 GMT

Can we get the complete config? We're not getting the complete picture here. Feel free to take out SNMP and change IP addresses to protect the innocent.

Re: ASA and DNS modifying

Fernando_Meza — Wed, 01 Nov 2006 03:08:56 GMT

Hi ... I believe you are a bit confused as to the way the dns option works when used on a static sentence. The dns option will allow an INSIDE host to received a DNS reply with the local IP address used on the translation .ie the real IP of your Web server. In that way your INSIDE host will comunicate direclty with the Web Server instead of trying to connect by using its Public Ip address.

I hope this helps ... please rate it if it does !!!

Re: ASA and DNS modifying

m-haddad — Wed, 01 Nov 2006 16:59:31 GMT

Hi bob,

Do you mean DNS aliasing. For example,

alias (DMZ) Global_ip DMZ_IP

Let me know your feedback coz it seems I did misunderstood your request,

Regards,

Re: ASA and DNS modifying

sebastan_bach — Wed, 01 Nov 2006 17:04:42 GMT

hi all i have a similar situation. i have a webserver in my inside network and there is no local dns server in our network.people in the inside network query the internet dns server for the resolution of the web server in the inside of the pix. say the public ip is 1.1.1.1 and the private ip of the server is 10.1.1.1/24.

in my static nat i have configured

static (inside,outside) 1.1.1.1 10.1.1.1 dns netmask 255.255.255.255.

will the dns doctoring work here. can someone pls help.

regards

sebastan

Re: ASA and DNS modifying

m-haddad — Wed, 01 Nov 2006 20:19:14 GMT

Yes the DNS doctoring/Aliasing would work for you. Any request sent to the public address will be redirected to the internal DNS address.

Your alias command should look like that

Alias (Inside) 1.1.1.1 10.1.1.1 255.255.255.255

Hope this helps,

Regards,

Re: ASA and DNS modifying

Fernando_Meza — Wed, 01 Nov 2006 23:22:06 GMT

HI I believe .. what you need is

static (inside,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255 dns

DNS reply from teh External Web server will be rewriten and you internal host will connect directly to the internal IP of your Web server assuming you have allowed access from Inside hosts to it.

I hope it helps .. please rate it if it does !!!

Re: ASA and DNS modifying

Anthony Holloway — Tue, 28 Nov 2006 20:36:20 GMT

Everyone has missed the crucial element of this person's post.

This person doesn't need to know how to get the DNS portion working... they clearly have it correct according to the documentation.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008054c4ea.html#wp1042753

The problem here, which is a problem I have just run into, is that it's not working 100%.

With this command:

static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255

dns

I can do an nslookup of mydomain.com and it will resolve to 10.1.3.14, which is the desired effect. But a ping will resolve to mydomain.com will resolve to 209.165.201.10, and loading mydomain.com into a web browser will not resolve to the correct 10.x address. However, if I load the 10.x address into the browser manually, it works fine.

So the DNS keyword on the static command is the correct solution according to the docs, however it does not function as it should.

One thing to note is that the docs state that either the client or the DNS server must be on the same interface as the web server. So a client on "inside", a web server on "DMZ", and a DNS on "outside" will not work. Which is how it should work. That would be the desired effect for anyone who doesn't run their own DNS servers.

So for the above example, with three host in three separate networks, the alias command did solve the problem, however it breaks the ASDM. While I'm not a fan of the ASDM, our customers are, and it's a feature they've paid to have, they should have the ability to use it.

Re: ASA and DNS modifying

fzamora — Wed, 29 Nov 2006 05:21:25 GMT

Hi Bob,

Let me ask you a few questions:

- where are your DNS servers?

-who is trying to access the webservers? Hosts from the inside or from the same interface (DMZ)?

For DNS doctoring to work, the request/reply must traverse the firewall, otherwise the packet won't get fixed

So for example if the hosts are located in the DMZ you must have your static configured with the DNS keyword. The when a client makes a request to go to mysite.com, the request will go out to the external DNS servers and will come back with the public address configure on the static, at that moment, the firewall will "open" the packet and replace that information with the private IP address of the server.

If the clients are located on the Inside interface you will need to configure Destination NAT.

static (dmz,outside) x y

static (dmz, inside) x y

Hope it helps

Franco Zamora