DNS rewrite issue

I am having a little bit of an issue getting DNS rewrite working for a client.

Their setup:

They have one ASA 5520 version 8.2(2) with several subinterfaces on the inside interface. The guest network, which is on the 10.10.0.0/24 network, is not allowed to reach any hosts on the 10.11.0.0/22 network (which includes the servers). They have some servers on the DMZ which they want hosts on the guest network to be able to reach using the external IP. I have set up DNS rewrite and have made sure that DNS inspection is enabled on the global inspect policy.

Do I still need to create access rules to allow the 10.10.0.0 network to reach the server at 10.11.0.1?

Any help in getting this up and working is greatly appreciated.

Thanks.

--
Please remember to select a correct answer and rate helpful posts
4 Replies

Jouni Forss
VIP Alumni

Hi,

If I understood the situation correctly, then there are servers on the DMZ that have static NAT translations towards outside networks and you want to access those servers with the public IP address from behind the firewall from another interface.

To my knowledge you can only do this if you also NAT the servers with the public IP address towards that interface too. Naturally you will also need the access rules allowing the traffic to that public IP address. Though this situation might cause problems if some hosts on that same interface need access to that host with its private IP address also. (That can probably be corrected with Static Policy NAT though)

OR

If your Guest network hosts access the server with the DNS name and if you have a local DNS server you change the DNS name to point towards the local IP of that server. Naturally you also need the access rule for that private IP address.

OR

If you are using a public DNS server on the Internet you should have the "dns" parameter in the static NAT translation for the DMZ server. In this case when the host on the Guest network asks the public DNS server for the IP address corresponding to the DNS name, the ASA should rewrite the DNS reply so your Guest user would actually be connecting to the private IP address of the DMZ server. Again you need the access rule for the private IP address.

Don't know if I understood you correctly, but this is a pretty usual problem/situation in some customer setups at least.

- Jouni

Hi Jouni,

Yes, I have configured DNS rewrite (the DNS parameter on the static NAT) as they are using an external DNS server for the guest network. So it looks as though an ACL rule between the private addresses is needed then.

But since the hosts are sending with a destination of a public address, would this be an outbound rule on the DMZ interface? Or a regular permit 10.10 to 10.11 on the guest network interface?

--
Please remember to select a correct answer and rate helpful posts

First you need an ACL allowing the communication on the guest network interface. But your statement "since the hosts are sending with a destination of a public address" is a little bit confusing. The clients should send the packets with the real (private) address of the server. That's what happens with the DNS rewrite:

1) Client on guestnet sends a DNS-request for www.example.com to public DNS.

2) Public DNS responds with the public IP of 192.0.2.80.

3) The response is processed by the ASA. As there is a translation for the DMZ-server (i.e. 10.10.10.80 -> 192.0.2.80), the DNS-Response is translated to 10.10.10.80.

4) The client gets the DNS-response with the DNS-A-record set to 10.10.10.80.

5) The client initiates the connection to 10.10.10.80

6) The ASA receives the connection to 10.10.10.80 and needs to have a permitting ACE for this traffic and a translation rule (probably NAT exemption).
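Pulling the three pieces named in this thread together (the `dns` keyword on the static, the ACL on the guest interface, and a translation rule between guest and DMZ), here is what the relevant part of a pre-8.3 ASA configuration would look like. This is an added illustration, not configuration posted by anyone in the thread. It uses the example addresses from the reply above (10.10.10.80 behind 192.0.2.80) and the 10.10.0.0/24 guest network from the question; the interface names `guest`, `dmz` and `outside`, the security levels, and the object/ACL names are assumptions.

```cisco
! --- Interfaces (names and security levels are assumed for this example) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif guest
 security-level 20
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! --- Static NAT for the DMZ server, with DNS reply rewriting ---
! The "dns" keyword makes the ASA rewrite A records that carry the mapped
! address (192.0.2.80) back to the real address (10.10.10.80) in DNS replies
! it inspects, including replies headed for the guest interface.
static (dmz,outside) 192.0.2.80 10.10.10.80 netmask 255.255.255.255 dns
!
! --- Translation between guest and dmz (the "NAT exemption" mentioned in step 6) ---
! Needed when nat-control is enabled; harmless when it is not.
access-list GUEST_NAT0 extended permit ip 10.10.0.0 255.255.255.0 host 10.10.10.80
nat (guest) 0 access-list GUEST_NAT0
!
! --- Inbound ACL on the guest interface ---
! The client connects to the REAL address after the rewrite, so the permit
! must name 10.10.10.80, not 192.0.2.80.
access-list GUEST_IN extended permit udp 10.10.0.0 255.255.255.0 any eq domain
access-list GUEST_IN extended permit tcp 10.10.0.0 255.255.255.0 host 10.10.10.80 eq www
access-list GUEST_IN extended permit tcp 10.10.0.0 255.255.255.0 host 10.10.10.80 eq https
! Keep the guest network away from the internal server range as required.
access-list GUEST_IN extended deny ip 10.10.0.0 255.255.255.0 10.11.0.0 255.255.252.0
access-list GUEST_IN extended permit ip 10.10.0.0 255.255.255.0 any
access-group GUEST_IN in interface guest
!
! --- DNS inspection must be active or the reply is never rewritten ---
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! --- Verification (run from enable mode) ---
! Trace a guest client reaching the server's real address and confirm the
! ACL and NAT phases both report ALLOW:
!   packet-tracer input guest tcp 10.10.0.50 12345 10.10.10.80 80
! Confirm the static translation exists:
!   show xlate | include 10.10.10.80
```

The order of operations matters for the ACL: because the rewrite happens on the DNS reply, every packet the guest client sends afterwards is addressed to 10.10.10.80, so a permit for 192.0.2.80 on the guest interface would never match. If a capture on the guest interface shows connections still going to 192.0.2.80, the rewrite did not happen; the usual causes are the `dns` keyword missing from the static or DNS inspection not applied to that traffic.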

Hi,

To my understanding the situation goes like this:

- Host on the Guest network sends a DNS query to the public DNS server

- Public DNS replies and the reply arrives on the ASA

- ASA sees that the reply has the public NAT IP configured on the ASA

- ASA changes the DNS reply to return the actual private IP address in the DNS reply to the actual host that did the original DNS query

- The Guest network host connects to the private IP address

So you should have the traffic allowed between the private/local IP addresses on the ASA: Host -> Server, in the inbound direction on the guest network interface.

- Jouni
