DNS NAT

dhinesh_83
Level 1

Hi Team,

I would like to know the procedure or any documents on how to create a NAT rule for DNS. And also explain to me what DNS NAT is and in which scenario we need to implement DNS NAT.

Please confirm whether DNS NAT and DNS ALG are the same?

8 Replies

This is probably what you are looking for if you are interested in the ASA:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

DNS NAT is a function that could be implemented on a DNS ALG, but they are not automatically the same.

Thank you very much for the update.

Do you have any procedure/document on how to implement DNS NAT on a Cisco router?

Hi Karsten,

Please share with me any sample configuration for DNS NAT in Cisco.

A config sample is in the above link.

Thanks for the update. Can you please help me with the configuration for the below setup?

Please find the attached setup for your reference.

When a user in the A network tries to access one of the servers (abc.com) in the B network via hostname, the packet first hits the A network DNS requesting the abc.com IP address. It then forwards the request to the B network DNS for the IP address. It returns the IP address, say for example 10.1.1.5, for the respective hostname. But we already have 10.1.1.0/24 in use in the A network. In that case we need to do the NAT in the firewall. How do we implement DNS NAT in the Cisco ASA firewall?

Can you please share the configuration on how to implement this setup?

It's a homework, isn't it?

There are multiple problems in that task:

1) Translating DNS replies is not enough. You also need to translate the 10.1.1.0 network in both directions (double NAT).

2) The next part is that DNS replies need to resolve to a different address. This is exactly a scenario from the referenced link which doesn't work easily on the ASA. For that, DNS views can be configured on the DNS server. With DNS views, the server returns different A records based on the source IP of the query.
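The DNS reply rewriting discussed in this thread, as an added example that is not part of the thread or of any Cisco code: it models what the ASA `dns` keyword on a static net-to-net NAT does for the ASA2 side of the setup (real 192.168.1.0/24, mapped 10.10.20.0/24), parsing a constructed DNS response and rewriting the A record so that an A-network client receives the mapped address instead of the overlapping real one. The network values are taken from the thread; the DNS message bytes are constructed sample input.

```python
import ipaddress
import struct

# Real (inside) and mapped (outside) networks taken from the thread's ASA2 config.
REAL_NET = ipaddress.ip_network("192.168.1.0/24")
MAPPED_NET = ipaddress.ip_network("10.10.20.0/24")


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:  # root label ends the name
            return off
        off += length


def doctor_reply(msg: bytes, real_to_mapped: bool = True) -> bytes:
    """Rewrite A-record rdata in the answer section per the static net-to-net NAT.
    real_to_mapped=True models a reply leaving the real (inside) interface for the
    mapped (outside) interface; False models the reverse direction."""
    src, dst = (REAL_NET, MAPPED_NET) if real_to_mapped else (MAPPED_NET, REAL_NET)
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12  # fixed DNS header length
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record: translate only if inside src net
            addr = ipaddress.ip_address(int.from_bytes(msg[off:off + 4], "big"))
            if addr in src:
                host_part = int(addr) - int(src.network_address)
                out[off:off + 4] = (dst.network_address + host_part).packed
        off += rdlen  # other record types pass through untouched
    return bytes(out)


def build_a_reply(name: str, addr: str, ttl: int = 300) -> bytes:
    """Construct a minimal one-answer DNS response (sample input, not a capture)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, QR+RD+RA, counts
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)  # name pointer to offset 12
    return header + question + answer + ipaddress.ip_address(addr).packed
```

Feeding the B-network DNS server's reply for abc.com (192.168.1.5) through doctor_reply yields the same message with 10.10.20.5 in the answer, which is the address the A-network client must use across the double NAT.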

Thanks for the inputs, Karsten.

I understand the first step you mentioned: we need to do the NAT in both directions.

The second step is very hard to understand in order to proceed. The reference link you gave is also not clear on how to do the config.

I will prepare the config and share it with you. Please review.

Please find below the config for your review. Please correct me if I am wrong. The DNS NAT config is highlighted. My requirement is that when a user accesses the server via hostname, 192.168.1.5 (abc.com) should be NATed to 10.10.20.5.


hostname ASA1
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address y.y.y.y 255.255.255.252
 no shut
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shut
!
object network inside-mapped-network
 subnet 10.10.10.0 255.255.255.0
!
object network inside-real-network
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) static inside-mapped-network
!
access-list CRYPTO_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
!
route outside 10.10.20.0 255.255.255.0 Y.Y.Y.Y
!
crypto ipsec ikev1 transform-set TRANS_SET esp-3des esp-md5-hmac
crypto map CRYP_MAP 10 match address CRYPTO_ACL
crypto map CRYP_MAP 10 set peer 41.1.1.2
crypto map CRYP_MAP 10 set ikev1 transform-set TRANS_SET
crypto map CRYP_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!


hostname ASA2
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address Y.Y.Y.Y 255.255.255.252
 no shut
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shut
!
object network inside-mapped-network
 subnet 10.10.20.0 255.255.255.0
!
object network inside-real-network
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) static inside-mapped-network
!
object network abc-server
 host 192.168.1.5
 nat (inside,outside) static 10.10.20.5 dns
!
policy-map global_policy
  class inspection_default
    inspect dns
!
access-list CRYPTO_ACL extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
route outside 10.10.10.0 255.255.255.0 Y.Y.Y.Y
!
crypto ipsec ikev1 transform-set TRANS_SET esp-3des esp-md5-hmac
crypto map CRYP_MAP 10 match address CRYPTO_ACL
crypto map CRYP_MAP 10 set peer Y.Y.Y.Y
crypto map CRYP_MAP 10 set ikev1 transform-set TRANS_SET
crypto map CRYP_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
