Accessing Inside Resources From Inside Using Outside DNS IP

Users and systems on the 10.10.30.0/24 network cannot get directly to ourcompany.com using the dns lookup of IP because that IP is on the outside interface of the ASA and everything on 10.10.30.0/24 has to go through the ASA to get back in, but it does not appear that the ASA supports such a configuration.

1. How do I configure the ASA to allow traffic to return inbound when originating from an inside source IP?

2. How do I allow server1.ourcompany.com, which is inside the network, to translate to the inside IP, rather than the public IP of the egress interface?

3. Is there another solution?

Hi,

I think that you're looking for DNS Doctoring or DNS rewrite.

The ASA allows translation for DNS responses so that you can access the device from the inside.

For example if you have:

static (in,out) 2.2.2.2 1.1.1.1 dns

The above static allows from outside to access 2.2.2.2 (ASA redirects to 1.1.1.1 on the inside).

But it also allows a DNS translation so that when the outside DNS replies with IP 2.2.2.2 (outside IP), the ASA translates the DNS response to 1.1.1.1 (so the inside host knows that it can reach the server with its real IP 1.1.1.1).

Hope it helps.


Federico.

I see the DNS doctoring technique, but how does that manage to translate ANY mycompany.com destination requests from inside to translate to a corresponding server inside? Does this always have to be a one-on-one NAT, for a specific inside server? We have numerous servers inside that have DNS listings. What are the security risks of DNS doctoring? Thanx!

I'm not sure if you can do something like:

static (in,out) 2.2.2.0 1.1.1.0 netmask 255.255.255.0 dns

To do DNS rewrite for the entire subnet; otherwise it is for every server specifically.

Security risks?

I don't think so, the ASA is just translating the DNS response to the real IP when sending the DNS packet to the inside host.

Federico.

So, what I'm hearing you say is that this static "(in,out) 2.2.2.2 1.1.1.1 dns" NAT will ONLY be used if the public DNS server translates the request to server1.mycompany.com from the inside network and sends it to the specific IP on the inside.

In this ASA, 2.2.2.2 has the global pool for the interface. Other access on this outside address is controlled by port translation. I just don't want to risk screwing up any of the normal permissions. You'll have to pardon me as I'm just beginning to use these systems.

What this command does:

static (in,out) 2.2.2.2 1.1.1.1 dns

1. Inside host sends a DNS packet asking how to get to yourcompany.com

2. The inside host is configured to ask an external DNS server (outside the ASA).

3. The DNS request goes through the ASA and reaches the external DNS server

4. The DNS replies (as is configured) with the public IP of yourcompany.com (let's say 2.2.2.2)

5. The DNS packet (containing the mapping 2.2.2.2 to yourcompany.com) arrives at the outside interface of the ASA

6. The ASA will normally just forward this packet to the inside host that sent the request, but since the static NAT has the "dns" keyword it will translate that DNS response from 2.2.2.2 to 1.1.1.1

7. The inside host then knows that it can reach yourcompany.com by sending the packets to 1.1.1.1

If you remove the "dns" keyword, what happens is that the inside host will attempt to reach yourcompany.com using IP 2.2.2.2 (because that's what it received in the unmodified DNS response).

Hope it's more clear.


Federico.
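The rewrite in steps 4 to 6 above, as an added Python example that is not from this thread or from Cisco: a constructed DNS reply from the outside server is parsed and its A records are rewritten only where the address matches a static that carries the "dns" keyword, so an answer for a static without "dns" (the hypothetical 2.2.2.3 entry) or for an unrelated public address reaches the inside host unchanged. The STATIC_NAT table, the second static and the sample reply are all constructed for the example.

```python
import struct
import ipaddress

# Constructed static table modelled on the thread's "static (in,out) 2.2.2.2 1.1.1.1 dns".
# Key: outside (global) IP; value: (real inside IP, whether the "dns" keyword is present).
STATIC_NAT = {"2.2.2.2": ("1.1.1.1", True),    # static ... dns
              "2.2.2.3": ("1.1.1.3", False)}   # hypothetical static without "dns"

def _skip_name(msg, off):
    # Offset just past a DNS name; a compression pointer (0xC0..) ends the name.
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def _a_records(msg):
    # Yield (rdata offset, dotted address) for each A record in the answer section.
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12  # fixed-size DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen

def answer_addrs(msg):
    # The A-record addresses an inside host would read from this response.
    return [addr for _, addr in _a_records(msg)]

def doctor_dns_response(msg):
    # Step 6 above: rewrite the global IP to the real IP, but only for statics with "dns".
    out = bytearray(msg)
    for off, addr in _a_records(msg):
        real, dns_keyword = STATIC_NAT.get(addr, (None, False))
        if dns_keyword:
            out[off:off + 4] = ipaddress.IPv4Address(real).packed
    return bytes(out)

def build_response(name, addrs):
    # Constructed sample reply from the outside DNS server: one question, one A record per addr.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + rrs
```

On a real ASA the rewrite only happens when "inspect dns" is enabled in the policy map, which this simulation does not model.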

One last question, I think: can the static NAT be set up asymmetrically, i.e., can I do something like static (in,out) 2.2.2.2 1.1.1.0? We have several servers inside that have DNS entries pointing them to the single outside address, but use PAT.

Wolf

You cannot statically NAT a subnet to a single IP address.

Unless you have one-to-one static NAT, you cannot access the servers from the outside anyway.

Another alternative is to have an "inside" DNS server that serves the DNS queries from the inside network.

Federico.

Thank you for your assistance and your patience!

Wolf

Wolf,

Just wanted to point out a few things:

1. Asymmetric static nat is not possible since both ip addresses share the same netmask

2. For dns doctoring to work you need to enable "inspect dns" in the policy map.

3. An alternative to DNS doctoring is to use hairpinning of traffic on the inside interface.

Configuration:

same-security-traffic permit intra-interface

static (inside,inside)

nat (inside) x 0 0 (should be present already in your config)

global (inside) x interface

So now traffic destined to the public IP is un-NATed to its private IP, and sent out the inside interface to the webserver on its private IP.

global (inside) is required to prevent asymmetric routing.

Comparatively, I think both DNS doctoring and hairpinning would require the same number of static NATs configured, and I think DNS doctoring would be less CPU intensive for the ASA. But I just thought I would mention hairpinning, as your initial question seemed to be something along the lines of how it works.

OK, I suppose that will have to do. Can I enter several public/private pairs (static (inside,inside) ) in the configuration, each with different outside and inside IP addresses?

Hi Wolf,

Yes you can have multiple static nats with the "dns" keyword at the end.

Make sure inspect dns is enabled for dns doctoring to work.

-Shrikant
