DNS Server Redirects?

John Blakley
VIP Alumni

All,

I have about 100 servers in a DMZ. We did our 2nd phase firewall test this weekend, and I found out that all of the servers in the DMZ are set to look at the firewall's DMZ interface for DNS. The old firewall was a Symantec SGS that did DNS forwarding, so the client could set up their DNS settings to point to the firewall instead of an actual DNS server.

I also found out that there are several hundred people that have their proxy server set up in IE as the firewall's ip address and the port is 80. My questions are this:

a.) Is there any way to do a redirect in the ASA for any DNS requests coming in on the DMZ interface, to another server either inbound or outbound? Can I use NAT for something like this?

b.) Is there ANY way to configure the ASA to act as a proxy besides cut-through? I just want the request that comes in on port 80 to be allowed out, but I think the ASA is seeing this as the web management port and drops the traffic. (I'm probably wrong on that one.)

Thanks,

John

HTH, John *** Please rate all useful posts ***
7 Replies

handsy
Level 1

a) In fact you must use NAT, e.g.

static (dmz, outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255 dns

The 'dns' keyword is the magic here :)

b) I believe cut-through is your only option, i.e. statics and ACL combinations to get the outcome you desire

One problem that I see is that I can't assign a static to an address that's used on the interface.

DMZ1: 10.45.136.66/24

Inside: 10.50.50.54

DNS server on the inside: 10.50.50.251

Would my static look like:

static (inside,dmz1) interface 10.50.50.251 netmask 255.255.255.255 dns

Would this work, and would anything get screwed up by this?

John

HTH, John *** Please rate all useful posts ***

So are the DMZ servers pointing at 10.50.50.251 for DNS, or is that the address you want them to get to?

Example:

DMZ servers currently pointing at 10.2.3.4

DMZ servers need to be using 10.50.50.251

static (inside, dmz1) 10.2.3.4 10.50.50.251 netmask 255.255.255.255 dns

This article may help you:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hope I'm helping, and not hindering? :-)

That's what I want them to get to, but the "server" that they are pointing to is the interface on the ASA.

So I'm thinking that it "could" be:

static (inside,dmz1) interface 10.50.50.251 netmask 255.255.255.255 dns

With the above static, will that hurt our normal DNS on this inside? It should only affect traffic coming in on the dmz1 interface, right?

John

HTH, John *** Please rate all useful posts ***

Looks good, but personally I would want to test that out-of-hours before deploying.

Let us know how you get on :)

Dude....it works.... :)

I have a personal at the house that I can test things on. I VPN in from the office and remote into a box at the house. I set up the workstation to point to my ASA as the dns server. When I use the dns tag for doctoring, it says that ALL traffic will be redirected, so instead I did this (and it works too).

static (outside,inside) udp interface 53 4.2.2.1 53 netmask 255.255.255.255

That forwarded all of my traffic to 4.2.2.1, and I was able to get on the internet. That rocks :)

Thanks,

John

HTH, John *** Please rate all useful posts ***
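The configuration John arrived at, applied to the DMZ addresses given earlier in the thread, as an added example (this is not configuration from the original posts; the addresses 10.45.136.66, 10.45.136.0/24 and 10.50.50.251 are taken from the thread, the interface names, object names and ACL name are assumptions). It uses a port-level static so that only UDP/TCP 53 sent to the dmz1 interface address is forwarded to the inside DNS server, rather than the `dns` keyword, whose documented function on the ASA is rewriting A records in DNS replies that cross a translation (DNS doctoring), not redirecting queries addressed to the firewall itself. The pre-8.3 form is shown first, then the equivalent object-based form for ASA 8.3 and later.

```text
! --- ASA 8.2 and earlier ---
! DMZ servers keep pointing at the dmz1 interface (10.45.136.66) for DNS.
! Queries to the interface address on port 53 are translated to the
! inside DNS server 10.50.50.251. TCP 53 is included so that answers
! too large for UDP (zone transfers excepted) still work.
static (inside,dmz1) udp interface 53 10.50.50.251 53 netmask 255.255.255.255
static (inside,dmz1) tcp interface 53 10.50.50.251 53 netmask 255.255.255.255

! Least privilege: only the DMZ subnet may reach the mapped address, and only
! on port 53. Nothing else on the interface address is exposed by the static.
access-list DMZ1_IN extended permit udp 10.45.136.0 255.255.255.0 host 10.45.136.66 eq domain
access-list DMZ1_IN extended permit tcp 10.45.136.0 255.255.255.0 host 10.45.136.66 eq domain
! ... existing DMZ1_IN rules for the servers' real traffic follow here ...
access-group DMZ1_IN in interface dmz1

! --- ASA 8.3 and later (object NAT, same effect) ---
object network INSIDE_DNS
 host 10.50.50.251
 nat (inside,dmz1) static interface service udp domain domain
object network INSIDE_DNS_TCP
 host 10.50.50.251
 nat (inside,dmz1) static interface service tcp domain domain

! Verification from a DMZ host (does not require changing resolver settings):
!   nslookup www.example.com 10.45.136.66
! and on the ASA, confirm the translation is being hit:
!   show xlate | include 10.50.50.251
!   show nat (8.3+) or show static (8.2 and earlier)
```

Because the static only matches port 53, the inside interface's normal DNS traffic and the ASA's own management ports are unaffected, which is the concern raised in the thread about "hurting normal DNS on the inside". The same pattern does not help with the IE proxy setting on port 80: a port-80 static would forward those connections to a single real web server, which is not what a browser configured for an HTTP proxy expects, so that problem still needs an actual proxy.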

Awesome! Glad you got it working :)
