topic Re: Accessing Inside Resources From Inside Using Outside DNS IP in Network Security

Accessing Inside Resources From Inside Using Outside DNS IP

pootboy69 — Mon, 11 Mar 2019 20:10:11 GMT

Users and systems on the 10.10.30.0/24 network cannot get directly to ourcompany.com using the dns lookup of IP because that IP is on the outside interface of the ASA and everything on 10.10.30.0/24 has to go through the ASA to get back in, but it does not appear that the ASA supports such a configuration.

1. How do I configure the ASA to allow traffic to return inbound when originating from an inside source IP?

2. How do I allow server1.ourcompany.com, which is inside the network, to translate to the inside IP, rather than the public IP of the egress interface?

3. Is there another solution?

Re: Accessing Inside Resources From Inside Using Outside DNS IP

Federico Coto Fajardo — Mon, 21 Mar 2011 19:27:08 GMT

Hi,

I think that you're looking for DNS Doctoring or DNS rewrite.

The ASA allows translation for DNS responses so that you can access the device from the inside.

For example if you have:

static (in,out) 2.2.2.2 1.1.1.1 dns

The above static allows from outside to access 2.2.2.2 (ASA redirects to 1.1.1.1 on the inside).

But it also allows a DNS translation so that when the outside DNS replies with IP 2.2.2.2 (outside IP), the ASA translates the DNS response to 1.1.1.1 (so the inside host knows that it can reach the server with its real IP 1.1.1.1).

Hope it helps.

Federico.

Re: Accessing Inside Resources From Inside Using Outside DNS IP

pootboy69 — Mon, 21 Mar 2011 19:47:31 GMT

I see the DNS doctoring technique, but how does that manage to translate ANY mycompany.com destination requests from inside to translate to a corresponding server inside? Does thes always have to be a one-on-one NAT, for a specific inside server? We have numerous servers inside that have DNS listing. What are the security risks of DNS doctoring? Thanx!

Re: Accessing Inside Resources From Inside Using Outside DNS IP

Federico Coto Fajardo — Mon, 21 Mar 2011 19:50:52 GMT

I'm not sure if you can do something like:

static (in,out) 2.2.2.0 1.1.1.0 netmask 255.255.255.0 dns

To do DNS rewrite to the entire subnet, otherwise is for every server specifically.

Security risks?

I don't think so, the ASA is just translating the DNS response to the real IP when sending the DNS packet to the inside host.

Federico.

Re: Accessing Inside Resources From Inside Using Outside DNS IP

pootboy69 — Mon, 21 Mar 2011 20:13:10 GMT

So, what I'm hearing you say is that this static "(in,out) 2.2.2.2 1.1.1.1 dns" NAT will ONLY be used if the public DNS server translates the the request to server1.mycompany.com from the inside network and sends it to the specific IP on the inside.

In this ASA, 2.2.2.2 has the global pool for the interface. Other access on this outside address is controlled by port translation. I just don't want to risk screwing up any of the normal permissions. You'll have to pardon me as I'm just beginning to use these systems.

Re: Accessing Inside Resources From Inside Using Outside DNS IP

Federico Coto Fajardo — Mon, 21 Mar 2011 20:19:19 GMT

What this command does:

static (in,out) 2.2.2.2 1.1.1.1 dns

1. Inside host sends a DNS packet asking how to get to yourcompany.com

2. The inside host is configured to ask an external DNS server (outside the ASA).

3. The DNS request goes through the ASA and reaches the external DNS server

4. The DNS replies (as is configured) with the public IP of yourcompany.com (let's say 2.2.2.2)

5. The DNS packet (containing the mapping 2.2.2.2 to yourcompany.com) arrives at the outside interface of the ASA

6. The ASA will normally just forward this packet to the inside host that send the request, but since the static NAT has the ''dns'' keyword it will translate that DNS response from 2.2.2.2 to 1.1.1.1

7. The inside host then knows that it can reach yourcompany.com by sending the packets to 1.1.1.1

If you remove the ''dns'' keyword what happens is that the inside host will attempt to reach yourcompany.com using IP 2.2.2.2 (because that's what it received on the unmodified DNS response.

Hope it's more clear.

Federico.

Re: Accessing Inside Resources From Inside Using Outside DNS IP

pootboy69 — Mon, 21 Mar 2011 20:36:01 GMT

One last question, I think: can the static NAT be set up asymmetrically, i.e., can I do something like static (in,out) 2.2.2.2 1.1.1.0? we have several servers inside that we'd like that have DNS entries that point them to the single outside address, but use PAT.

Wolf

Re: Accessing Inside Resources From Inside Using Outside DNS IP

Federico Coto Fajardo — Mon, 21 Mar 2011 20:39:20 GMT

You cannot statically NAT a subnet to a single IP address.

Unless you have one-to-one static NAT, you cannot access the servers from the outside anyway.

Another alternative is to have an ''inside'' DNS server that serves the DNS queries from the inside network.

Federico.

Re: Accessing Inside Resources From Inside Using Outside DNS IP

pootboy69 — Mon, 21 Mar 2011 20:45:26 GMT

Thank you for your assistance and your patience!

Wolf

Re: Accessing Inside Resources From Inside Using Outside DNS IP

Shrikant Sundaresh — Mon, 21 Mar 2011 20:52:45 GMT

Wolf,

Just wanted to point out a few things:

1. Asymmetric static nat is not possible since both ip addresses share the same netmask

2. For dns doctoring to work you need to enable "inspect dns" in the policy map.

3. An alternative to DNS doctoring is to use hairpinning of traffic on the inside interface.

Configuration:

same-security-traffic permit intra-interface

static (inside,inside)

nat (inside) x 0 0 (should be present already in your config)

global (inside) x interface

So now traffic destined to the public ip is unnated to its private ip, and sent out the inside interface to the webserver on its private ip.

global (inside) is required to prevent asymmetric routing.

Comparitively, I think both DNS doctoring and Hairpinning would require the same number of static nats configured, and i think DNS doctoring would be less CPU intensive to the ASA. But I just thought I would mention hairpinning, as your initial question seemed to be something along the lines of how it works.

Re: Accessing Inside Resources From Inside Using Outside DNS IP

pootboy69 — Tue, 22 Mar 2011 18:47:29 GMT

OK, I suppose that will have to do. Can I enter several public/private pairs

(static (inside,inside) ) in the configuration,

each with different outside and inside IP addresses?

Re: Accessing Inside Resources From Inside Using Outside DNS IP

Shrikant Sundaresh — Tue, 22 Mar 2011 18:53:50 GMT

hi wolf,

Yes you can have multiple static nats with the "dns" keyword at the end.

Make sure inspect dns is enabled for dns doctoring to work.

-Shrikant