11-26-2014 01:43 AM - edited 03-05-2019 12:14 AM
static (inside,outside) 41.200.80.184 41.200.80.184 netmask 255.255.255.248
static (inside,outside) tcp 41.200.80.189 53 41.200.80.190 53 netmask 255.255.255.255
I need to set up access to server 41.200.80.189 for DNS queries, but I don't want clients from outside to connect directly to 41.200.80.189. So I want them to be redirected to 41.200.80.190. Then 41.200.80.190 will get the queries from 41.200.80.189 and send back the information.
1. So I need to know if this will work.
2. Whether the conflict in my static NATs will stop this from working, since 41.200.80.189 and 41.200.80.190 are part of the range 41.200.80.184 255.255.255.248 in the other static. My understanding is that this shouldn't be a problem since the second static is only used when the DNS port (53) is involved and the other static will be used for other traffic.
Regards
Nelson
11-26-2014 04:14 AM
Hi Nelson,
Your requirements are achievable but this is the config which needs to be applied:
static (inside,outside) tcp 41.200.80.190 53 41.200.80.189 53 netmask 255.255.255.255
static (inside,outside) udp 41.200.80.190 53 41.200.80.189 53 netmask 255.255.255.255
static (inside,outside) 41.200.80.184 41.200.80.184 netmask 255.255.255.248
Explanation:
1. Public facing Ip needs to be specified before the Real Ip in the NAT command syntax
2. DNS generally use UDP port, so UDP Port translation is also required
3. Identity NAT or Dual-NAT statement should come last in the configuration order as static NAT will execute the statements chronologically
Note: I am assuming that you are running code older than 8.3 on a Cisco ASA. There have been a good amount of CLI changes starting from version 8.3, especially in the NAT commands. So you should look at that; personally I feel the new syntax is easier :)
HTH
Neeraj
11-26-2014 10:01 PM
Hi Neeraj,
Thanks a lot for the response!
That means I can remove the config for tcp since DNS uses UDP.
Another question based on your response: The clients only know of 41.200.80.189 and they don't know of 41.200.80.190 in the back end. So they are connecting to 41.200.80.189, but the point is not to expose 41.200.80.189. They think they are connecting directly to 41.200.80.189, while they are redirected to 41.200.80.190.
Yes, we are running Software Version 7.0(7).
Regards
Nelson
11-27-2014 11:59 PM
Just to make sure I'm clear, we don't have a problem that 41.200.80.189 is known on the internet. We have some vulnerabilities on the 41.200.80.189 server, therefore we want the internet clients to connect to 41.200.80.190 when they make their queries. So only 41.200.80.190 will be allowed to communicate with 41.200.80.189 to get the queries for the clients.
11-28-2014 01:25 AM
It seems that you want the ASA/PIX to behave as a reverse proxy, i.e. 41.200.80.190 should initiate a connection with 41.200.80.189, which will not happen.
The commands we discussed earlier will simply accomplish the following:
A user from the Internet with a source IP of, let's say, x.x.x.x tries to query your DNS server on 41.200.80.190. Because of the above NAT commands, the ASA will translate the destination IP of this session from 41.200.80.190 to 41.200.80.189.
Your internal DNS server 41.200.80.189 will see a request with source IP x.x.x.x and destination IP 41.200.80.189.
I hope this clarifies the traffic flow
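To make the two points in Neeraj's replies concrete (first-match order of the static statements, and that only the destination address is rewritten), here is a small model of the pre-8.3 static NAT lookup. This is an added illustration, not ASA code and not from this thread; it assumes, as the post states, that the ASA walks the static entries in configuration order and takes the first match, and the outside client address is a constructed sample.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

@dataclass
class Static:
    """One pre-8.3 'static (inside,outside)' entry: mapped (public) before real."""
    proto: Optional[str]       # "tcp", "udp", or None for a plain address static
    mapped: IPv4Network        # public-facing address or block (from the netmask)
    real: IPv4Address          # first real (inside) address of that block
    mport: Optional[int] = None  # public port, port statics only
    rport: Optional[int] = None  # real port, port statics only

    def matches(self, proto, dst, dport):
        if self.proto and (self.proto != proto or self.mport != dport):
            return False
        return dst in self.mapped

def parse_static(line):
    """Parse 'static (inside,outside) [tcp|udp] MAPPED [P] REAL [P] netmask M'."""
    t = line.split()
    if t[2] in ("tcp", "udp"):
        proto, mapped, mport, real, rport, mask = t[2], t[3], int(t[4]), t[5], int(t[6]), t[8]
    else:
        proto, mapped, mport, real, rport, mask = None, t[2], None, t[3], None, t[5]
    return Static(proto, IPv4Network(f"{mapped}/{mask}"), IPv4Address(real), mport, rport)

def inbound(config_lines, src, dst, proto, dport):
    """Outside->inside packet: first matching static wins (assumed, per the post).
    Only the destination is rewritten; the source address is never touched."""
    for s in map(parse_static, config_lines):
        if s.matches(proto, IPv4Address(dst), dport):
            offset = int(IPv4Address(dst)) - int(s.mapped.network_address)
            return src, str(IPv4Address(int(s.real) + offset)), s.rport or dport
    return None  # no static covers this destination

# Constructed sample: the thread's original order vs. the corrected order.
ORIGINAL = [
    "static (inside,outside) 41.200.80.184 41.200.80.184 netmask 255.255.255.248",
    "static (inside,outside) tcp 41.200.80.189 53 41.200.80.190 53 netmask 255.255.255.255",
]
CORRECTED = [
    "static (inside,outside) tcp 41.200.80.190 53 41.200.80.189 53 netmask 255.255.255.255",
    "static (inside,outside) udp 41.200.80.190 53 41.200.80.189 53 netmask 255.255.255.255",
    "static (inside,outside) 41.200.80.184 41.200.80.184 netmask 255.255.255.248",
]

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed outside client (x.x.x.x in the post)
    print(inbound(ORIGINAL, client, "41.200.80.189", "tcp", 53))   # /29 identity static wins
    print(inbound(CORRECTED, client, "41.200.80.190", "udp", 53))  # -> .189, source unchanged
    print(inbound(CORRECTED, client, "41.200.80.190", "tcp", 80))  # non-DNS falls to identity
```

Note that the /29 identity static still covers 41.200.80.189 itself, so a query sent straight to that address is still translated (to itself); the NAT order alone does not keep the server unreachable.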
11-28-2014 02:00 AM
Hi Neeraj,
Thanks for the response:
Users from the internet only know about 41.200.80.189, hence they can't connect directly to 41.200.80.190. So we were hoping that users can still connect to 41.200.80.189, then their traffic will be redirected to 41.200.80.190 through NAT commands. Then our DNS server 41.200.80.189 will see a request from 41.200.80.190, then 41.200.80.190 responds back to the user, but the user will still see the response as if it's coming from 41.200.80.189.
So is this the scenario you are referring to, that I want the ASA/PIX to behave as a reverse proxy and that it won't happen?
If I understand you well, the traffic you explained means that the NAT commands we specified above will only work if we were to allow users to connect to 41.200.80.190 and then NAT the traffic to 41.200.80.189?
Just a clarity on these two, then I think I'll be getting your point.
Regards
Nelson
11-28-2014 03:23 AM
See my answers inline:
Nelson: Users from the internet only know about 41.200.80.189, hence they can't connect directly to 41.200.80.190. So we were hoping that users can still connect to 41.200.80.189, then their traffic will be redirected to 41.200.80.190 through NAT commands. Then our DNS server 41.200.80.189 will see a request from 41.200.80.190, then 41.200.80.190 responds back to the user, but the user will still see the response as if it's coming from 41.200.80.189.
Neeraj: NAT can only be used for masking the IP address (source or destination). You are asking to change both the source as well as the destination of a session/DNS query. Using the config above would not be able to accomplish this.
Nelson: So is this the scenario you are referring to, that I want the ASA/PIX to behave as a reverse proxy and that it won't happen?
Neeraj: Yes, this is a reverse proxy requirement of yours. I am not sure if using a Cisco ASA we can accomplish this. Other members might wanna pitch in to answer this. I would have suggested NATing the source of the DNS query coming from the Internet, but when it comes to session management, I am not sure if the ASA is the best device or not.
Nelson: If I understand you well, the traffic you explained means that the NAT commands we specified above will only work if we were to allow users to connect to 41.200.80.190 and then NAT will change this IP to 41.200.80.189?
Neeraj: Yes, correct.
02-04-2015 05:12 AM
Thanks a lot for your assistance!