Static NAT with DNS

mahesh18
Level 6

Hi everyone,

If we have the following NAT config

ciscoasa(config)# static (inside,outside) 200.x.x.x 192.168.69.10 netmask 255.255.255.255 dns

There is a server inside the ASA network and we want to give HTTP access to this server so that anyone from the Internet can access it.

We also have an ACL applied to the outside interface of the ASA, direction inwards.

I need to know the result of the dns keyword in the above config.

What will be the result of putting the dns keyword in the command?

Regards

Mahesh

5 Replies

malshbou
Level 1

Hi,

This DNS keyword results in the ASA intercepting DNS answers and rewriting the IP according to the configured static NAT. So, if a client in the inside network queries a DNS server on the outside (e.g. the Internet) for the local server's IP, the DNS response will originally hold the public IP of the server (since it is seen as a public IP from the DNS server's standpoint). The DNS keyword will rewrite/untranslate this public IP to the private one, which makes sense from the inside client's perspective.

You need to make sure that a DNS inspection policy exists, and that nat-rewrite is enabled under that policy.

Hope this answers your question.

---
Mashal Alshboul

Jouni Forss
VIP Alumni

Hi,

The "dns" parameter in the "static" command doesn't really do anything to the hosts on the Internet that are trying to connect to the server for which you have the "static" configured.

It's meant for the hosts on the LAN behind the ASA.

If you have this "dns" parameter in use for the server with "static" configured, and that server's public IP address has a public DNS name, THEN this "dns" parameter enables the user on the LAN behind the ASA to use that name in the URL to connect to the server.

What this parameter will do is see that a host on the LAN has queried a public DNS server (or a DNS server behind another ASA interface), and when the reply from the DNS server comes back with the public IP address, THEN the ASA notices that this public IP address is in its "static" configurations. The ASA will therefore change the public IP address in the DNS reply to the local IP address before the DNS reply gets to the host.

If you DIDN'T have the "dns" parameter in the above case, then what would happen is that the DNS server would return the public IP address to the host and the host would try connecting with the public IP address in the "static" command (instead of the local IP address in the above situation). This would cause the connection to fail, as the ASA doesn't let you connect to a public IP address configured with "static" unless the host connecting to it is behind the interface which has the public IP address. (Unless you make a special NAT configuration to enable connecting to the public IP on the LAN interface also.)

Hope I made any sense

Ask more though if something needs clarification.

- Jouni

Hi Jouni,

First of all, your way of explaining is very good; it's hard to find things explained the way you do in books.

When you say

"server's public IP address has a public DNS name"

does this mean the name is, say, syz.com?

"THEN this "dns" parameter enables the user on the LAN behind the ASA to use that name in the URL to connect to the server."

Does this mean that the user on the LAN uses a name, say syz.com, to connect to the server?

When you say

"What this parameter will do is see that a host on the LAN has queried a public DNS server (or a DNS server behind another ASA interface)"

does this mean that the user has opened a server URL like syz.com?

I still have to understand the last note. If I have more questions on this, I will ask you.

Regards

Mahesh

Hi,

Yes, if the server has a public DNS name like "www.example.com" that will return its public IP address to a user computer, THEN the "dns" parameter will mean that the ASA will intercept the DNS reply that is coming from the DNS server. The ASA will essentially see the DNS reply and see that it contains the public IP address that is part of the "static" configuration with the "dns" parameter. It will therefore change the public IP address to the local IP address in the DNS reply before it's forwarded to the user computer on the LAN.

This will essentially mean that even if the local user is using a public DNS server which would reply with the public IP address, the ASA would always intercept this DNS reply and change the public IP address to the local IP address so that the connection succeeds.

As I said before, if we were to leave out the "dns" parameter, THEN the ASA would not do anything to the DNS reply from the DNS server. Therefore the DNS reply that comes to the local user would hold the public IP address, and the user would try to connect to that public IP address (instead of the local IP) and the connection would fail.

To give a rough explanation of what happens:

  • Local PC queries a public DNS server for the IP address of "www.example.com"
  • Public DNS replies to the Local PC
  • The ASA between the public DNS server and the local PC intercepts the DNS reply
  • The ASA sees the public IP address in the DNS reply is part of a "static" NAT configuration with a "dns" parameter.
  • The ASA will modify the DNS reply by replacing the public IP address with the local IP address found in the "static" command
  • The DNS reply is forwarded to the local PC and the local PC will connect to the server using the local IP address

And to further clarify, the "dns" parameter will naturally ONLY help with situations where your users are trying to access some of your local servers that have public DNS names.

It won't do anything for the hosts on the Internet that are trying to access your servers. First of all because the ASA doesn't have anything to do with their DNS traffic, and naturally because the hosts on the Internet SHOULD connect to the server with the public IP address.

- Jouni
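A small simulation of the doctoring step described above (Jouni's bullet list and Mashal's note about DNS inspection with nat-rewrite), added here as an illustration; it is not ASA code and not from the thread. The NAT table, hostname and packet bytes are constructed for the example with documentation/TEST-NET addresses, and a real ASA performs this inside DNS inspection rather than in a standalone function.

```python
import struct
import ipaddress
# Constructed static NAT table (not from the thread): global IP -> (local IP, "dns" keyword set?)
STATIC_NAT = {"203.0.113.10": ("192.168.69.10", True),    # static (inside,outside) ... dns
              "203.0.113.20": ("192.168.69.20", False)}   # same mapping without the dns keyword

def build_dns_reply(name, ip, txid=0x1234):
    # Minimal one-answer A-record reply (constructed test input): header, question, answer
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name ptr to offset 12, A, IN, TTL, RDLENGTH
    return header + question + answer + ipaddress.IPv4Address(ip).packed

def _skip_name(pkt, pos):
    while True:
        length = pkt[pos]
        if length == 0:               # end of label sequence
            return pos + 1
        if length & 0xC0 == 0xC0:     # 2-byte compression pointer
            return pos + 2
        pos += 1 + length

def _a_record_offsets(pkt):
    """Yield the byte offset of the 4-byte RDATA of every A record in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:            # only replies (QR=1) are doctored; queries pass untouched
        return
    pos = 12
    for _ in range(qd):
        pos = _skip_name(pkt, pos) + 4          # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        pos = _skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            yield pos
        pos += rdlen

def answer_ips(pkt):
    return [str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in _a_record_offsets(pkt)]

def doctor_dns_reply(pkt, nat_table=STATIC_NAT):
    # A global IP that belongs to a static with the dns keyword is replaced in place by its local IP
    out = bytearray(pkt)
    for off in _a_record_offsets(pkt):
        local, dns_keyword = nat_table.get(str(ipaddress.IPv4Address(pkt[off:off + 4])), (None, False))
        if dns_keyword:
            out[off:off + 4] = ipaddress.IPv4Address(local).packed
    return bytes(out)
```

Only the answer RDATA changes; the packet length, transaction ID and question are left intact, which is why the inside PC accepts the doctored reply as the answer to its own query.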

Hi Jouni,

You explained very well here. Now I understand the concept much better.

Best Regards

Mahesh
