I see the DNS doctoring technique, but how does that manage to translate ANY mycompany.com destination requests from inside to translate to a corresponding server inside? Does thes always have to be a one-on-one NAT, for a specific inside server? We have numerous servers inside that have DNS listing. What are the security risks of DNS doctoring? Thanx!

I'm not sure if you can do something like:

static (in,out) 2.2.2.0 1.1.1.0 netmask 255.255.255.0 dns

To do DNS rewrite to the entire subnet, otherwise is for every server specifically.

Security risks?

I don't think so, the ASA is just translating the DNS response to the real IP when sending the DNS packet to the inside host.

Federico.

So, what I'm hearing you say is that this static "(in,out) 2.2.2.2 1.1.1.1 dns" NAT will ONLY be used if the public DNS server translates the the request to server1.mycompany.com from the inside network and sends it to the specific IP on the inside.

In this ASA, 2.2.2.2 has the global pool for the interface. Other access on this outside address is controlled by port translation. I just don't want to risk screwing up any of the normal permissions. You'll have to pardon me as I'm just beginning to use these systems.

What this command does:

static (in,out) 2.2.2.2 1.1.1.1 dns

1. Inside host sends a DNS packet asking how to get to yourcompany.com

2. The inside host is configured to ask an external DNS server (outside the ASA).

3. The DNS request goes through the ASA and reaches the external DNS server

4. The DNS replies (as is configured) with the public IP of yourcompany.com (let's say 2.2.2.2)

5. The DNS packet (containing the mapping 2.2.2.2 to yourcompany.com) arrives at the outside interface of the ASA

6. The ASA will normally just forward this packet to the inside host that send the request, but since the static NAT has the ''dns'' keyword it will translate that DNS response from 2.2.2.2 to 1.1.1.1

7. The inside host then knows that it can reach yourcompany.com by sending the packets to 1.1.1.1

If you remove the ''dns'' keyword what happens is that the inside host will attempt to reach yourcompany.com using IP 2.2.2.2 (because that's what it received on the unmodified DNS response.

Hope it's more clear.

Federico.

One last question, I think: can the static NAT be set up asymmetrically, i.e., can I do something like static (in,out) 2.2.2.2 1.1.1.0? we have several servers inside that we'd like that have DNS entries that point them to the single outside address, but use PAT.

Wolf

Thank you for your assistance and your patience!

Wolf

Wolf,

Just wanted to point out a few things:

1. Asymmetric static nat is not possible since both ip addresses share the same netmask

2. For dns doctoring to work you need to enable "inspect dns" in the policy map.

3. An alternative to DNS doctoring is to use hairpinning of traffic on the inside interface.

Configuration:

same-security-traffic permit intra-interface

static (inside,inside)

nat (inside) x 0 0 (should be present already in your config)

global (inside) x interface

So now traffic destined to the public ip is unnated to its private ip, and sent out the inside interface to the webserver on its private ip.

global (inside) is required to prevent asymmetric routing.

Comparitively, I think both DNS doctoring and Hairpinning would require the same number of static nats configured, and i think DNS doctoring would be less CPU intensive to the ASA. But I just thought I would mention hairpinning, as your initial question seemed to be something along the lines of how it works.

OK, I suppose that will have to do. Can I enter several public/private pairs

(static (inside,inside) ) in the configuration,

each with different outside and inside IP addresses?

hi wolf,

Yes you can have multiple static nats with the "dns" keyword at the end.

Make sure inspect dns is enabled for dns doctoring to work.

-Shrikant