10-13-2015 07:00 AM - edited 03-11-2019 11:44 PM
Hi Team,
I have 3 interfaces on ASA, guest, outside and DMZ.
The guest is trying to browse to xyz.com, which resolves to a proxy arp address on the outside interface. There is a static NAT for this address to a host in the DMZ.
I want to translate the destination address - from the guest network, to this host in the DMZ, going to the outside public IP, translate the destination to the DMZ address.
Thank you
Bilal
10-13-2015 10:21 AM
Hi Bilal,
Please use the link below; this is a DNS doctoring scenario:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html#anc11
Regards,
Akshay Rastogi
10-14-2015 04:13 AM
Hi Akshay, I can see my client is now trying to get to the real IP address of the server. But I'm still not able to HTTP to it.
I have created an ACL allowing this traffic to the real ip address of the server from the DMZ and not seeing any hits.
10-14-2015 04:20 AM
Bilal
What firewall model?
What security levels on the interfaces?
Jon
10-14-2015 04:48 AM
Hi Jon,
It's a 5585X on version 8.2(5)57.
Guest and DMZ security level is 50. Outside is 0, inside is 100.
ASA interfaces
Guest (DMZ-6) - 10.211.252.121/29
DMZ (DMZ-2) - 10.211.244.113/28
Outside - XXX.XXX.XXX.XXX
Client is 10.211.252.123
DMZ server IP is 10.211.244.120 -> X.X.X.X Static NAT to address on outside subnet
Client resolves xyz.com; the ASA intercepts and returns 10.211.244.120. I see a SYN from my client to this address when I try to browse, and then retransmits follow.
On the DMZ interface I have applied this:
access-list DMZ-6 line 2 extended permit tcp any host 10.211.244.120 eq www (hitcnt=0) 0x2f60303a
and for NAT I have applied this:
static (DMZ-2,outside) xxx.xxx.xxx.xxx 10.211.244.120 netmask 255.255.255.255 dns
Thank you
10-14-2015 05:13 AM
So you need -
1) to have "same-security-traffic permit inter-interface" in your configuration
2) you may well need these NAT statements -
static (guest,DMZ-2) 10.211.252.123 10.211.252.123 netmask 255.255.255.255
static (DMZ-2,guest) 10.211.244.120 10.211.244.120 netmask 255.255.255.255
Then, as long as you are allowing traffic from guest to DMZ-2, the ACL applied on the DMZ-2 interface should not come into it.
Jon
10-14-2015 05:15 AM
Thanks to you both!
10-14-2015 05:43 AM
Bilal
Just to clarify, with that configuration traffic can be initiated from either the guest VLAN or the DMZ VLAN, which may or may not be what you want.
But that is because you have the same security levels on both interfaces.
Jon
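As an added illustration of the two checks discussed in this thread (the DNS doctoring rewrite done by the static with the "dns" keyword, and why the guest-to-DMZ SYN is dropped before the DMZ-2 ACL ever counts a hit), here is a small Python model of the ASA's decision logic. It is not ASA code or anyone's posted configuration; the public IP is a placeholder for the thread's X.X.X.X, and nat-control being enabled is an assumption.

```python
from dataclasses import dataclass
from typing import List

# Constructed model of the thread's ASA 8.2 topology (interface names and
# security levels from the posts). PUBLIC_IP is a placeholder for X.X.X.X.
SECURITY_LEVELS = {"inside": 100, "guest": 50, "DMZ-2": 50, "outside": 0}
PUBLIC_IP = "203.0.113.10"
DMZ_SERVER = "10.211.244.120"

@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    dns: bool = False        # the 'dns' keyword enables DNS doctoring

# static (DMZ-2,outside) X.X.X.X 10.211.244.120 netmask 255.255.255.255 dns
OUTSIDE_STATIC = Static("DMZ-2", "outside", PUBLIC_IP, DMZ_SERVER, dns=True)
# identity statics between guest and DMZ-2, as suggested in the solution
IDENTITY_STATICS = [
    Static("guest", "DMZ-2", "10.211.252.123", "10.211.252.123"),
    Static("DMZ-2", "guest", DMZ_SERVER, DMZ_SERVER),
]

def doctor_dns_reply(answers: List[str], statics: List[Static]) -> List[str]:
    """Rewrite A records the way DNS doctoring does: an answer equal to the
    mapped address of a static carrying 'dns' is replaced by its real address."""
    out = []
    for addr in answers:
        for s in statics:
            if s.dns and addr == s.mapped_ip:
                addr = s.real_ip
                break
        out.append(addr)
    return out

def classify_flow(src_if: str, dst_if: str, same_sec_inter: bool,
                  statics: List[Static], nat_control: bool = True) -> str:
    """Return why a new connection is dropped, or 'forwarded'. Both drops occur
    before the inbound ACL on dst_if is consulted (that ACL only sees traffic
    entering on dst_if), which is why its hitcnt stays 0 in the thread."""
    if SECURITY_LEVELS[src_if] == SECURITY_LEVELS[dst_if] and not same_sec_inter:
        return "dropped: same-security inter-interface traffic not permitted"
    if nat_control and not any({s.real_if, s.mapped_if} == {src_if, dst_if}
                               for s in statics):
        return "dropped: no translation group found (nat-control)"
    return "forwarded"
```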