topic DNS Doctoring (Re-write) with PAT on 8.4 in Network Security

DNS Doctoring (Re-write) with PAT on 8.4

Logan Kampsnider — Mon, 11 Mar 2019 21:11:16 GMT

I have a client that has a Cisco ASA 5505 on 8.4 and needs to do DNS Doctoring. They have a /30 public IP range, so they only have one IP on their outside interface that we PAT to any inside services, such as an e-mail server or RDP access.

DNS Re-write was extremely easy to configure via 8.2 and below with a configuration such as:

"static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns"

8.4 seems more complicated. I've found a TON of examples on how to do DNS Re-write on 8.4, but they all seem to be for NAT examples. Here is basically an example of how the above config is supposed to translate to in 8.4 according to the examples I found:

"object network obj-192.168.100.10

host 192.168.100.1

nat (inside,outside) static 172.20.1.10 dns"

The above config appears to be for a NAT situation in which all traffic for 172.20.1.10 is directed at the inside host of 192.168.100.10. Even with this appearance, I attempted the command anyways on my client's ASA only to be greeted with a warning that says "all traffic on the specified outside interface will now be directed towards the specified host." Regardless of this message, I was still able to access the network and I tried to ping from an internal host to the external URL that was supposed to re-write to the inside host and thus the ping would resolve to 192.168.100.10. It did not work, but because of the error message I received after typing in the re-write command I undid the change after about 30 seconds. Perhaps I didn't wait long enough?

Basically my question is how do I do DNS re-write for a public IP that is PAT'd to multiple inside hosts? Thanks!!!

DNS Doctoring (Re-write) with PAT on 8.4

mirober2 — Sat, 20 Aug 2011 16:56:09 GMT

Hi Logan,

The ASA doesn't support DNS re-write for PAT rules. The reason is that since DNS replies (what the ASA looks for to do the re-write) don't contain any reference to a port (only a hostname and IP address), the ASA has no way of knowing which PAT rule to use for the rewrite. Imagine if the DNS reply came back with the PAT address. How would the ASA know which internal host it was referring to? This is described further in the configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_basic.html#wp1543568

DNS Rewrite is not applicable for PAT because multiple PAT rules are applicable for each A-record and the PAT rule to use is ambiguous.

Hope that helps.

-Mike

DNS Doctoring (Re-write) with PAT on 8.4

Logan Kampsnider — Tue, 23 Aug 2011 23:54:33 GMT

Thank you for the reply, this makes sense!

DNS Doctoring (Re-write) with PAT on 8.4

ssengotaiyan — Mon, 26 Nov 2012 03:12:24 GMT

Hi Guys

Can you please help me on this?

The below confirm works from externally, we the user try to access the webmail from internal network using 126.66.18.29 dns re rewrite not working.

object network 192.168.100.28-3389

host 192.168.100.28

nat (inside,outside) static 126.66.18.29 service tcp 3389 3382

object network 192.168.100.30-3389

host 192.168.100.28

nat (inside,outside) static 126.66.18.29 service tcp 3389 3381

object network 192.168.100.10-25

host 192.168.100.28

nat (inside,outside) static 126.66.18.29 service tcp smtp smtp

object network 192.168.100.10-443

host 192.168.100.28

nat (inside,outside) static 126.66.18.29 service tcp https https

Tried to apply the below to enabled DNS doctoring but all other portforwarding is stop working.

object network 192.168.100.10-443-DNS

host 192.168.100.28

nat (inside,outside) static 126.66.18.29 dns

i have removed the dns rerewrite to bring the service up for all other port forwarding.

I want to know how to fix this.,

Regards
SS

Re: DNS Doctoring (Re-write) with PAT on 8.4

Jouni Forss — Mon, 26 Nov 2012 08:18:31 GMT

Hi SS,

Would be best if you could post a new topic for a new question.

But as the question is already asked no need to i guess.

From the looks of your configurations all the Port Forward configurations point to the same internal host?

Is the IP 126.66.18.29 dedicated to be used only with 192.168.100.28 or is it some shared IP address that is already used in some other configurations too that you might have not posted?

If the IP 126.66.18.29 is only used for internal host 192.168.100.28 you DONT NEED Port Forward configurations for each service.

The thing you tried last should have been enough without the Port Forward configurations. Then again your object names almost seem like you meant to configure some other IP address under the object as the names include things like "192.168.100.30", "192.168.100.10"

I can't say for sure what would be needed to be done as I'm not 100% sure about your NAT setup and available public IP addresses.

EDIT:

Your configurations seems to reflect that you would have done 2 remote desktop Port Forwards for two hosts, yet your configuration in the post says the host for both Port Forward configuration is the same?

- Jouni