topic Re: DNS Doctoring in Network Security

DNS Doctoring

adamgibs7 — Mon, 11 Mar 2019 19:59:10 GMT

Hello Friends,

I have a Web Server in DMZ on my ASA,Internal users were not able to access the web server by hostname so i went through the link below to configure DNS Doctoring.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

When i configured DNS keyword in Static Nat statement for Web Server it was not working BUT

When i configured Destination NAT as per the alternate solution given in the link it worked fine for me.

Now the issue is i m not able to do the remote desktop to my web server from inside, in the logs it show me

"portmap translation creation failed for tcp src inside:10.10.3.12/58945 dst DMZ:10.10.1.10/80

The Internal users who wants to access the DMZ,, for them i have configured the below static statement.

static (inside,DMZ) 10.10.35.0 10.10.35.0 netmask 255.255.255.192.

Still in the logs i m getting the above error.

Please suggest where i m going wrong.

Thanks

Re: DNS Doctoring

Yudong Wu — Tue, 01 Mar 2011 17:32:50 GMT

can you post all nat configuration here?

The following error tells that ASA could not create NAT for inside IP 10.10.3.12 to DMZ 10.10.1.10,

portmap translation creation failed for tcp src inside:10.10.3.12/58945 dst DMZ:10.10.1.10/80

Do you have related NAT config to translate source IP 10.10.3.12 when it access DMZ network?

"static (inside,DMZ) 10.10.35.0 10.10.35.0 netmask 255.255.255.192" is translating source net 10.10.35.0 to itself but it won't do anything for 10.10.3.12.

Re: DNS Doctoring

adamgibs7 — Tue, 01 Mar 2011 19:00:45 GMT

Hello,

I did a mistake in writing it is static (inside,DMZ) 10.10.3.0 10.10.3.0 netmask 255.255.255.192.

static (DMZ,outside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 dns <------------- It did'nt worked by this statement

static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 <------------- It worked by this statement

Now the issue is users from this subnet 10.10.3.0 try to access DMZ Web server through remote desktop they are not able to access they get portmap translation creation failed for tcp src inside:10.10.3.12/58945 dst DMZ:10.10.1.10/80 though i have a static statement,

One very interesting when i remove the destination NAT command static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 ,users are able to access remote desktop to Web server.

Thanks

Re: DNS Doctoring

Yudong Wu — Tue, 01 Mar 2011 19:33:16 GMT

Here is my thought. Since I don't have your full NAT configuration here, it might not be accurate.

1. regarding "static (DMZ,outside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 dns" not working

- did you try "clear xlate" after you made the above change?

- If you could post your full NAT configuration, I would like to see if there is any NAT configuration that can bypass the this static NAT rule.

2. static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 works but break remote desktop access.

- Do your remote desktop session use 82.178.25.133 to access webserver? if not, can you try that?

- You might add the following nat bypass to see if it works.

access-list nonat-to-dmz permit ip 10.10.3.0 255.255.255.192 host 10.10.1.10

nat (inside) 0 access-list nonat-to-dmz

Re: DNS Doctoring

adamgibs7 — Tue, 01 Mar 2011 19:54:32 GMT

Hello Yudong,

There is no BIg static list for Nat statements only these 3 of them,

. regarding "static (DMZ,outside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255 dns" not working

- did you try "clear xlate" after you made the above change?

YES I DID

- If you could post your full NAT configuration, I would like to see if there is any NAT configuration that can bypass the this static NAT rule.

HOW ???? pls suggest

- Do your remote desktop session use 82.178.25.133 to access webserver? if not, can you try that?

I did'nt tried,I will let u know tomorrow.

- You might add the following nat bypass to see if it works.

access-list nonat-to-dmz permit ip 10.10.3.0 255.255.255.192 host 10.10.1.10

nat (inside) 0 access-list nonat-to-dmz

I thought about this but i want it make it work without nat0.

static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255

Can u explain me this static natting statement,????

Re: DNS Doctoring

Yudong Wu — Tue, 01 Mar 2011 20:28:17 GMT

- If you could post your full NAT configuration, I would like to see if there is any NAT configuration that can bypass the this static NAT rule.

HOW ???? pls suggest

>>> I just wonder if you have any policy static NAT or nat 0 configuration which might bypass this dns static nat entry. I am just curious about why it won't work.

static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255

Can u explain me this static natting statement,????

>>> the above nat will tranlsate the destination IP from 82.178.25.133 to 10.10.1.10 when user in inside network try to reach 82.178.25.133. In the direction from DMZ to inside, it will NAT source IP 10.10.1.10 to 82.178.25.133 as well.

Re: DNS Doctoring

adamgibs7 — Tue, 01 Mar 2011 21:10:06 GMT

hello,

I just wonder if you have any policy static NAT or nat 0 configuration which might bypass this dns static nat entry. I am just curious about why it won't work.

Believe me there is no such policy statement only just simple statement going from inside to dmz i.e identity NAT 10.10.3.0 10.10.3.0 netmask 255.255.255.255

and DMZ to outside static statement for Web server.

static (Inside,outside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255

The above statement translates the host from inside 10.10.1.10 to 82.178.25.133 when it goes to internet when the whole world knows.

And the same when any request comes to 82.178.25.133 from internet it will hit firewall and firewall will translate to this private 10.10.1.10 IP.which firewall knows according to route specified in the route table.

But in the below secnario

static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255

when the host 10.10.1.10 want to go on inside it will translates to 82.178.25.133 and it will route according to the destination in the routing table, But this IP (82.178.25.133) is not know by the inside host so when the inside host replies back it will reply according to its default gateway that must be firewall if it is a different deafult gateway than communication will not be established.

And In the same way when the users come from inside with IP 10.10.3.12 to reach 10.10.1.10, firewall will translates to 82.178.25.133 and it will send to DMZ interface.

Correct me if i m wrong ???

Re: DNS Doctoring

Yudong Wu — Tue, 01 Mar 2011 21:35:03 GMT

<<< this is correct. Inside host must send the reply to 82.178.25.133 to the inside interface of this ASA.

And In the same way when the users come from inside with IP 10.10.3.12 to reach 10.10.1.10, firewall will translates to 82.178.25.133 and it will send to DMZ interface.

<<<< No, if the inside host use 10.10.1.10 as destination IP, it won't be translated by "static (DMZ,Inside) 82.178.25.133 10.10.1.10 netmask 255.255.255.255", that's why I asked what destination IP you were using and you could try to use 82.178.25.133 if not using it.

If the inside host use 82.178.25.133 as the destination, it will be translated to 10.10.1.10 and sent to DMZ.