06-29-2012 01:50 AM - edited 03-11-2019 04:24 PM
I am having a little bit of an issue getting DNS rewrite working for a client.
Their setup:
They have one ASA 5520 version 8.2(2) with several subinterfaces on the inside interface. The guest network, which is on the 10.10.0.0/24 network, is not allowed to reach any hosts on the 10.11.0.0/22 network (which includes the servers). They have some servers on the DMZ which they want hosts on the guest network to be able to reach using the external IP. I have set up DNS rewrite and have made sure that DNS inspection is enabled on the global inspect policy.
Do I still need to create access rules to allow the 10.10.0.0 network to reach the server at 10.11.0.1?
Any help in getting this up and working is greatly appreciated.
Thanks.
06-29-2012 02:00 AM
Hi,
If I understood the situation correctly, then there are servers on the DMZ that have static NAT translations towards outside networks and you want to access those servers with the public IP address from behind the firewall, from another interface.
To my knowledge you can only do this if you also NAT the servers with the public IP address towards that interface too. Naturally you will also need the access rules allowing the traffic to that public IP address. Though this situation might cause problems if some hosts on that same interface need access to that host with its private IP address also. (That can probably be corrected with Static Policy NAT though)
OR
If your Guest network hosts access the server with the DNS name and if you have a local DNS server you change the DNS name to point towards the local IP of that server. Naturally you also need the access rule for that private IP address.
OR
If you are using a public DNS server on the Internet you should have the "dns" parameter in the static NAT translation for the DMZ server. In this case when the host on the Guest network asks the public DNS server for the IP address corresponding to the DNS name, the ASA should rewrite the DNS reply so your Guest user would actually be connecting to the private IP address of the DMZ server. Again you need the access rule for the private IP address.
Don't know if I understood you correctly, but this is a pretty usual problem/situation in some customer setups at least.
- Jouni
06-29-2012 02:40 AM
Hi Jouni,
Yes, I have configured DNS rewrite (the DNS parameter on the static NAT) as they are using an external DNS server for the guest network. So it looks as though an ACL rule between the private addresses is needed then.
But since the hosts are sending with a destination of a public address, would this be an outbound rule on the DMZ interface? Or a regular permit 10.10 to 10.11 on the guest-network interface?
06-29-2012 02:51 AM
First you need an ACL allowing the communication on the guest-network interface. But your statement "since the hosts are sending with a destination of a public address" is a little bit confusing. The clients should send the packets with the real (private) address of the server. That's what happens with the DNS rewrite:
1) Client on guestnet sends a DNS-request for www.example.com to public DNS.
2) Public DNS responds with the public IP of 192.0.2.80.
3) The response is processed by the ASA. As there is a translation for the DMZ-server (i.e. 10.10.10.80 -> 192.0.2.80), the DNS-Response is translated to 10.10.10.80.
4) The client gets the DNS-response with the DNS-A-record set to 10.10.10.80.
5) The client initiates the connection to 10.10.10.80
6) The ASA receives the connection to 10.10.10.80 and needs to have a permitting ACE for this traffic and a translation rule (probably NAT exemption).
06-29-2012 02:52 AM
Hi,
To my understanding the situation goes like this:
- Host on the Guest network sends a DNS query to the public DNS server
- Public DNS replies and the reply arrives on the ASA
- ASA sees that the reply contains the public NAT IP configured on the ASA
- ASA changes the DNS reply to return the actual private IP address to the host that sent the original DNS query
- The Guest network host connects to the private IP address
So you should have the traffic allowed between the private/local IP addresses on the ASA: Host -> Server, in the inbound direction on the Guest network interface.
- Jouni
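Putting the two answers above together (Karsten's six-step flow and Jouni's summary), here is what the relevant ASA 8.2 configuration looks like. This is an added example, not configuration posted by anyone in the thread. The interface names (outside, dmz, guest), the DMZ server's private address 10.10.10.80 and its public address 192.0.2.80 are assumed for illustration, following the addresses Karsten used; the guest subnet 10.10.0.0/24 and the blocked 10.11.0.0/22 range are taken from the original question.

```cisco
! Added example (not from the thread). ASA 8.2(2) syntax.
! Assumed: interfaces "outside", "dmz", "guest"; DMZ server 10.10.10.80
! published as 192.0.2.80. Substitute the real names and addresses.

! 1) Static NAT for the DMZ server towards the outside. The trailing "dns"
!    keyword is what makes the ASA rewrite A records that carry 192.0.2.80
!    into 10.10.10.80 when the DNS reply is delivered to an inside/guest host.
static (dmz,outside) 192.0.2.80 10.10.10.80 netmask 255.255.255.255 dns

! 2) DNS inspection has to be active, otherwise the reply is never examined
!    and no rewrite happens. This is the default global policy; it is shown
!    only to make the dependency explicit.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! 3) Translation for guest -> dmz. If the guest interface already has a
!    dynamic translation for Internet access (e.g. "nat (guest) 1 0 0"),
!    guest-to-dmz traffic would match it and then fail for lack of a matching
!    "global" on dmz. NAT exemption (nat 0 with an ACL) lets the guest host
!    reach the real address 10.10.10.80 untranslated.
access-list guest_nonat extended permit ip 10.10.0.0 255.255.255.0 host 10.10.10.80
nat (guest) 0 access-list guest_nonat

! 4) Access rule applied inbound on the guest interface, written against the
!    PRIVATE server address (the address the client actually connects to
!    after the rewrite). The explicit host permit must come before the deny
!    of 10.11.0.0/22 so the rest of the server range stays blocked.
access-list guest_in extended permit udp 10.10.0.0 255.255.255.0 any eq domain
access-list guest_in extended permit tcp 10.10.0.0 255.255.255.0 host 10.10.10.80 eq www
access-list guest_in extended deny ip 10.10.0.0 255.255.255.0 10.11.0.0 255.255.252.0
access-list guest_in extended permit ip 10.10.0.0 255.255.255.0 any
access-group guest_in in interface guest
```

To check the result without a client, use packet-tracer from the guest interface against the private address, e.g. "packet-tracer input guest tcp 10.10.0.10 12345 10.10.10.80 80": the trace should show the guest_in ACL permitting the flow and the NAT exemption being applied. If the client still receives 192.0.2.80 from the resolver, verify with "show service-policy inspect dns" that the reply actually passed through DNS inspection; a DNS server reached over a path that bypasses the ASA (or over TCP, which DNS inspection on 8.2 does not rewrite) will not be doctored.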