05-03-2012 07:03 AM - edited 03-11-2019 04:01 PM
Hi Expert.
How can I allow a DMZ zone server to resolve only DNS queries through nslookup on an ASA 5540?
What configuration is required on the ASA 5540?
Thanks
05-03-2012 07:06 AM
Samir,
So if the host automatically wants to know the name of a server on the outside, you don't want that? You only want the ASA to permit the DNS query if it is being executed through nslookup?
Mike
05-03-2012 07:10 AM
Mike,
Thanks for your reply.
"You only want the ASA to permit the DNS query if it is being executed through nslookup?" YES, EXACTLY.
05-03-2012 07:18 AM
This question is not answered. By mistake I clicked on Correct Answer.
05-03-2012 07:28 AM
Samir,
I just did a quick packet capture to see if there was any remarkable difference between the query done automatically by the computer and the one executed via nslookup, and they are the same. Nothing changes. Since there is no verifiable way to differentiate one from the other, you may need to find a solution that can be implemented on the host itself.
Mike
05-03-2012 07:31 AM
Mike,
I want to know:
How can I allow HTTP requests from the DMZ zone server to a specific outside web server (e.g. 1.1.1.1)?
Can you advise?
05-03-2012 07:44 AM
Unfortunately, this is not the thing I'm looking for.
05-03-2012 07:44 AM
Hi Samir,
By IP address it will be very simple; depending on the security level it has (higher than 0 for the DMZ and 0 for the outside), it will be allowed by default.
If there is an access-list already applied denying all the HTTP traffic, what you need to do is simply allow that specific host on the ACL and then deny the rest.
Access-list DMZ permit tcp host
Access-list DMZ deny ip any any
access-group DMZ in interface DMZ
Then you can add a host entry in the hosts file of the server on the DMZ to translate the IP address to a hostname, and you will be able to access it using the web browser (not really scalable, but it works).
WARNING: This will only allow traffic from the DMZ server going to the specific host on the internet on port 80; any other traffic going to any other interface will be dropped.
Mike
05-03-2012 07:47 AM
Do you I NAT ?
05-03-2012 07:53 AM
Didn't quite get the last message, can you explain please?
Mike
05-03-2012 08:01 AM
OK, the last thing I want to ask:
I have configured the public DNS IP on my server interface (e.g. 2.2.2.2). I want to do an nslookup of google.com but it gives me the error "request timed out". But when I create this rule on the ASA, e.g.:
nat (DMZ-1) 10 172.16.1.202 255.255.255.255 tcp 0 0 udp 0
it works fine. I know this is not secure, allowing everything. How can I successfully perform nslookup without giving all access?
I hope it's clear.
Thanks
Samir
05-03-2012 08:20 AM
Just permit udp 53 for that host to go out on your ACL while denying the rest of the traffic.
Mike
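The ACL Mike describes in his two replies (HTTP to the one outside web server, UDP 53 for DNS, deny everything else), written out as an added example that is not from the thread. It takes the DMZ host 172.16.1.202 and the interface name DMZ-1 from Samir's NAT line, the resolver 2.2.2.2 and the web server 1.1.1.1 from his earlier posts; the ACL name DMZ-1_IN is an assumption. Since a host's automatic lookup and an nslookup are identical on the wire, the restriction is by destination resolver, not by tool.

```cisco
! Added example, not configuration posted in the thread.
! Assumes the DMZ host 172.16.1.202 sits behind nameif DMZ-1 (from the poster's
! nat line) and that the existing nat statement already translates it outbound.
!
! DNS: only to the resolver configured on the server (2.2.2.2), UDP 53.
access-list DMZ-1_IN remark DNS queries from the DMZ server to its configured resolver only
access-list DMZ-1_IN extended permit udp host 172.16.1.202 host 2.2.2.2 eq 53
! Optional: resolvers fall back to TCP 53 for answers too large for UDP;
! leave this out if you want the narrowest rule and nslookup alone.
! access-list DMZ-1_IN extended permit tcp host 172.16.1.202 host 2.2.2.2 eq 53
!
! HTTP: only to the single outside web server 1.1.1.1.
access-list DMZ-1_IN remark HTTP from the DMZ server to one outside web server
access-list DMZ-1_IN extended permit tcp host 172.16.1.202 host 1.1.1.1 eq 80
!
! Explicit deny with logging so dropped attempts show up in syslog.
access-list DMZ-1_IN remark drop and log everything else from the DMZ
access-list DMZ-1_IN extended deny ip any any log
!
! Apply inbound on the DMZ interface (replaces any ACL already bound there).
access-group DMZ-1_IN in interface DMZ-1
!
! Verification from the ASA CLI (read-only):
!   packet-tracer input DMZ-1 udp 172.16.1.202 1025 2.2.2.2 53   -> should be ALLOW
!   packet-tracer input DMZ-1 udp 172.16.1.202 1025 8.8.8.8 53   -> should be DROP
!   show access-list DMZ-1_IN                                    -> hit counts per line
```

Each access-list line is one complete command, so the lines can be pasted in configure-terminal mode in that order; the deny line must come last because the ASA evaluates the ACL top to bottom and stops at the first match.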
05-03-2012 08:25 AM
Please can you provide me the command line?