1981 Views, 0 Helpful, 7 Replies

IP redirect

Mmiselo
Level 1

static (inside,outside) 41.200.80.184 41.200.80.184 netmask 255.255.255.248

static (inside,outside) tcp 41.200.80.189 53 41.200.80.190 53 netmask 255.255.255.255

 

 

I need to set up access to server 41.200.80.189 for DNS queries, but I don't want clients from outside to connect directly to 41.200.80.189. So I want them to be redirected to 41.200.80.190. Then 41.200.80.190 will get the queries from 41.200.80.189 and send back the information.

 

1. So I need to know if this will work.

2. Whether the conflict in my static NATs won't stop this from working, since 41.200.80.189 and 41.200.80.190 are part of the range 41.200.80.184 255.255.255.248 in the other static. My understanding is that this shouldn't be a problem, since the second static applies only when the DNS port (53) is used and the other static will be used for other traffic.

Regards

Nelson

 

 

1 Accepted Solution (Neeraj Arora's inline reply, quoted in full further down the thread)

7 Replies

Neeraj Arora
Level 3

Hi Nelson,

Your requirements are achievable, but this is the config which needs to be applied:

 

static (inside,outside) tcp 41.200.80.190 53 41.200.80.189 53 netmask 255.255.255.255

static (inside,outside) udp 41.200.80.190 53 41.200.80.189 53 netmask 255.255.255.255

static (inside,outside) 41.200.80.184 41.200.80.184 netmask 255.255.255.248

 

Explanation:

1. The public-facing IP needs to be specified before the real IP in the NAT command syntax.

2. DNS generally uses a UDP port, so a UDP port translation is also required.

3. The identity NAT or dual-NAT statement should come last in the configuration order, as static NAT will execute the statements chronologically.

 

Note: I am assuming that you are using code older than 8.3 on a Cisco ASA. There have been a good amount of CLI changes starting from version 8.3, especially in the NAT commands, so you should look at that. Personally I feel the new syntax is easier :)

 

HTH

Neeraj

Hi Neeraj,

Thanks a lot for the response!

 

That means I can remove the config for TCP, since DNS uses UDP.

 

Another question based on your response: the clients only know of 41.200.80.189 and they don't know of 41.200.80.190 in the back end. So they are connecting to 41.200.80.189, but the point is not to expose 41.200.80.189. They think they are connecting directly to 41.200.80.189, while they are redirected to 41.200.80.190.

Yes, we are running Software Version 7.0(7).

 

Regards

Nelson

 

 

Just to make sure I'm clear: we don't have a problem with 41.200.80.189 being known on the internet. We have some vulnerabilities on the 41.200.80.189 server, therefore we want the internet clients to connect to 41.200.80.190 when they make their queries. So only 41.200.80.190 will be allowed to communicate with 41.200.80.189 to get the queries for the clients.

It seems that you want the ASA/PIX to behave as a reverse proxy, i.e. 41.200.80.190 should initiate a connection with 41.200.80.189, which will not happen.

The commands we discussed earlier will simply accomplish the following:

 

A user from the Internet with a source IP of, let's say, x.x.x.x tries to query your DNS server on 41.200.80.190. Because of the above NAT commands, the ASA will translate the destination IP of this session from 41.200.80.190 to 41.200.80.189.

 

Your internal DNS server 41.200.80.189 will see a request with source IP x.x.x.x and destination IP 41.200.80.189.

 

I hope this clarifies the traffic flow

Hi Neeraj,

Thanks for the response:

Users from the internet only know about 41.200.80.189, hence they can't connect directly to 41.200.80.190. So we were hoping that users can still connect to 41.200.80.189, and then their traffic will be redirected to 41.200.80.190 through NAT commands. Then our DNS server 41.200.80.189 will see a request from 41.200.80.190, then 41.200.80.190 responds back to the user, but the user will still see the response as if it's coming from 41.200.80.189.

So is this the scenario you are referring to, that I want the ASA/PIX to behave as a reverse proxy and that it won't happen?

If I understand you well, the traffic you explained means that the NAT commands we specified above will only work if we were to allow users to connect to 41.200.80.190 and then NAT the traffic to 41.200.80.189?

Just some clarity on these two, then I think I'll be getting your point.

 

Regards

Nelson

 

 

Neeraj Arora (accepted solution)

See my answers inline:

Nelson: Users from the internet only know about 41.200.80.189, hence they can't connect directly to 41.200.80.190. So we were hoping that users can still connect to 41.200.80.189, and then their traffic will be redirected to 41.200.80.190 through NAT commands. Then our DNS server 41.200.80.189 will see a request from 41.200.80.190, then 41.200.80.190 responds back to the user, but the user will still see the response as if it's coming from 41.200.80.189.

Neeraj: NAT can only be used for masking the IP address (source or destination). You are asking to change both the source as well as the destination of a session/DNS query. Using the config above would not be able to accomplish this.

Nelson: So is this the scenario you are referring to, that I want the ASA/PIX to behave as a reverse proxy and that it won't happen?

Neeraj: Yes, this is a reverse proxy requirement of yours. I am not sure if using a Cisco ASA we can accomplish this. Other members might want to pitch in to answer this. I would have suggested NATing the source of the DNS query coming from the Internet, but when it comes to session management, I am not sure if the ASA is the best device or not.

Nelson: If I understand you well, the traffic you explained means that the NAT commands we specified above will only work if we were to allow users to connect to 41.200.80.190 and then NAT will change this IP to 41.200.80.189?

Neeraj: Yes, correct.
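The two points Neeraj makes in this thread (in his first reply, that pre-8.3 statics are matched in configuration order so the port redirections must precede the subnet static; and in the accepted answer, that a static rewrites only the destination, so the DNS server still sees the internet client as the source) can be checked against a small model of the lookup. The Python below is an added example, not code from the original thread or from Cisco; it takes the static statements exactly as posted, and assumes first-match-in-configuration-order semantics, destination-only rewriting for inbound traffic, and a constructed client address 198.51.100.7 standing in for x.x.x.x. The class and function names are mine.

```python
# Added example, not from the original thread: a model of how a pre-8.3
# Cisco ASA/PIX resolves 'static' statements for an inbound packet.
# Assumptions (mine, not the thread's): statements are tried in configuration
# order with first match winning, a static rewrites only the destination,
# and 198.51.100.7 stands in for the internet client's x.x.x.x.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside) ...' statement in the pre-8.3 syntax.

    mapped     : address clients see on the outside interface (first in the CLI)
    real       : address of the host on the inside interface
    netmask    : 255.255.255.255 for a host static, wider for a subnet static
    proto/port : set only on port-redirection statics such as 'tcp ... 53 ... 53'
    """
    mapped: str
    real: str
    netmask: str
    proto: Optional[str] = None
    port: Optional[int] = None

    def matches_inbound(self, proto: str, dst: str, dport: int) -> bool:
        net = ip_network(f"{self.mapped}/{self.netmask}", strict=False)
        if ip_address(dst) not in net:
            return False
        if self.proto is None:              # plain static covers every proto/port
            return True
        return proto == self.proto and dport == self.port

    def translate_inbound(self, dst: str) -> str:
        # Host static: mapped -> real.  Subnet static: keep the host bits, so an
        # identity static (real == mapped) leaves the address unchanged.
        offset = int(ip_address(dst)) - int(ip_address(self.mapped))
        return str(ip_address(int(ip_address(self.real)) + offset))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def apply_inbound_static(statics, pkt: Packet):
    """Return (matching statement or None, packet as the inside host sees it).

    Only the destination is rewritten; the source stays the internet client's
    address, which is why NAT alone cannot make 41.200.80.189 see the query
    as coming from 41.200.80.190.
    """
    for st in statics:
        if st.matches_inbound(pkt.proto, pkt.dst, pkt.dport):
            return st, replace(pkt, dst=st.translate_inbound(pkt.dst))
    return None, pkt


# Statics as corrected in the thread: port redirections first, subnet static last.
CORRECTED = [
    Static("41.200.80.190", "41.200.80.189", "255.255.255.255", "tcp", 53),
    Static("41.200.80.190", "41.200.80.189", "255.255.255.255", "udp", 53),
    Static("41.200.80.184", "41.200.80.184", "255.255.255.248"),
]

# Statics exactly as in the original question: subnet static first, TCP only.
ORIGINAL = [
    Static("41.200.80.184", "41.200.80.184", "255.255.255.248"),
    Static("41.200.80.189", "41.200.80.190", "255.255.255.255", "tcp", 53),
]

CLIENT = "198.51.100.7"     # constructed sample client, stands in for x.x.x.x
QUERY_TO_190 = Packet("udp", CLIENT, 40000, "41.200.80.190", 53)
QUERY_TO_189 = Packet("tcp", CLIENT, 40001, "41.200.80.189", 53)


def server_sees(statics, pkt):
    """Packet as delivered to the inside host after the first matching static."""
    return apply_inbound_static(statics, pkt)[1]


def matched_by(statics, pkt):
    """Index of the static that wins for pkt, or None if no static matches."""
    st, _ = apply_inbound_static(statics, pkt)
    return None if st is None else statics.index(st)


if __name__ == "__main__":
    for name, cfg, pkt in [("corrected", CORRECTED, QUERY_TO_190),
                           ("original", ORIGINAL, QUERY_TO_189)]:
        print(f"{name:9}: static #{matched_by(cfg, pkt)} -> {server_sees(cfg, pkt)}")
```

Run against the corrected order, a UDP query to 41.200.80.190:53 is caught by the second static and delivered to 41.200.80.189 with the source still 198.51.100.7, exactly the flow Neeraj describes. In the original order the /29 static sits first and shadows the port static entirely. One caveat the thread does not raise (my observation, not the participants'): the identity static also maps 41.200.80.189 itself, so with the corrected configuration the server is still reachable directly from the outside on any port the outside ACL permits; hiding it behind 41.200.80.190 needs that ACL, or a real forwarder on 41.200.80.190, not NAT alone.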

Thanks a lot for your assistance!
