01-26-2011 01:00 AM
Anyone
I have the following scenario
ASA5505 with some servers on the inside. I access the servers from outside with static NAT, use one official IP per server, and just allow the necessary ports. I do a DNS rewrite for access to the servers by FQDN from the inside; all works fine.
With my laptop I connect VPN with the AnyConnect client to the ASA. When I then try to access the inside server by FQDN, the IPs are rewritten to the outside addresses used in the above mentioned NAT statements, thus preventing access to the inside servers (a xxxx.local domain).
How can I configure the VPN tunnel so that the DNS queries are not rewritten?
br
hkl
01-26-2011 03:33 AM
When you are resolving the DNS from within the network, the DNS query and reply goes through the ASA firewall. However, when you are connecting from the AnyConnect client, the DNS query/reply does not go through the ASA. It will go directly out to the internet, therefore, ASA does not rewrite the reply back with the private ip address because the DNS query itself does not go through the ASA.
01-26-2011 04:37 AM
halijenn wrote:
When you are resolving the DNS from within the network, the DNS query and reply goes through the ASA firewall. However, when you are connecting from the AnyConnect client, the DNS query/reply does not go through the ASA. It will go directly out to the internet, therefore, ASA does not rewrite the reply back with the private ip address because the DNS query itself does not go through the ASA.
Hello and thanks for your reply.
The VPN tunnel is configured with the primary DNS server as the server in the internal network (192.168.1.3), internal domain hkl.local.
Doing a nslookup from the LapTop across the vpn tunnel to a server named hkl-whs-01.hkl.local shows the following:
As you can see, the DNS server responding is the internal server; however, the internal address of hkl-whs-01.hkl.local is 192.168.1.50.
When I nslookup hkl-whs-01.hkl.local from a machine sitting on the internal LAN the response is correct, so it has to be the ASA rewriting the DNS.
For info, I am using split tunneling on the VPN.
For testing I removed the dns xlate from the NAT rule; then everything works OK across the VPN.
br
hkl
01-26-2011 05:30 AM
Yes, the reason why it's performing the DNS rewrite is because the VPN client is connected on the outside, and DNS rewrite happens when the DNS packet crosses the firewall. Because the reply is going to a host outside the ASA, it rewrites it as if it's a request from the Internet. Essentially DNS request from the Internet or from the VPN is the same because it's from the outside interface.
What about if you configure the "dns" keyword on the NAT exemption statement:
nat (inside) 0 access-list
04-03-2014 02:37 PM
Easy, all you need to do is reconfigure the dns inspection so that it will exclude the VPN network from going through the doctoring.
DNS Doctoring requires configuration of Network Address Translation (NAT) on the ASA, as well as enablement of the DNS inspection.
The inspection for DNS is applied normally in the default MPF configuration, which is used in the default global policy; it is a special CLI shortcut to match the default ports for all inspections.
This is the default MPF:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
Here is how to exclude it:
enable
config t
access-list Doctoring deny udp <vpn_network> <netmask> any eq 53
access-list Doctoring deny udp any eq 53 <vpn_network> <netmask>
access-list Doctoring permit udp any any eq 53
class-map Doctoring
match access-list Doctoring
policy-map global_policy
class inspection_default
no inspect dns preset_dns_map
exit
class Doctoring
inspect dns preset_dns_map
Have fun!!!!
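The following is an added, constructed model of the decision the answer above relies on; it is not Cisco code or ASA output. It encodes the Doctoring access-list with ASA first-match/implicit-deny semantics and shows why the two deny lines must come before the permit: a DNS reply is only "doctored" (the A record swapped for the static-NAT mapped address) when the flow lands in a class that has DNS inspection enabled, and VPN-pool traffic is pulled out of that class. The inside DNS server and host addresses are the ones from the thread; the VPN pool (10.10.10.0/24), the public mapped address (203.0.113.50) and the Internet client (198.51.100.7) are placeholders I chose.

```python
"""Model of ASA DNS doctoring versus the Doctoring class-map from the thread.

Constructed example: the access-list evaluation and the rewrite are simplified
stand-ins for ASA behaviour, not Cisco code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")

# Values from the thread: inside DNS server and the inside host hkl-whs-01.
INSIDE_DNS = ip_address("192.168.1.3")
HKL_WHS_01 = ip_address("192.168.1.50")
# Assumed values: an AnyConnect pool and a placeholder public address (TEST-NET-3)
# for the static NAT entry that carries the 'dns' keyword.
VPN_POOL = ip_network("10.10.10.0/24")
STATIC_NAT_DNS = {HKL_WHS_01: ip_address("203.0.113.50")}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list <name> permit|deny udp <src> [eq p] <dst> [eq p]' line."""
    action: str
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None   # None means any source port
    dport: Optional[int] = None   # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


def acl_permits(acl, p: Packet) -> bool:
    """ASA ACLs are evaluated top-down, first match wins, implicit deny at the end."""
    for entry in acl:
        if entry.matches(p):
            return entry.action == "permit"
    return False


def doctoring_acl(vpn_pool: IPv4Network):
    """The three lines of the Doctoring access-list with the pool filled in."""
    return [
        AclEntry("deny", vpn_pool, ANY, dport=53),   # queries from VPN clients
        AclEntry("deny", ANY, vpn_pool, sport=53),   # replies back to VPN clients
        AclEntry("permit", ANY, ANY, dport=53),      # all other DNS is still inspected
    ]


# Stand-in for 'class inspection_default': every UDP/53 flow is DNS-inspected.
DEFAULT_DNS_CLASS = [AclEntry("permit", ANY, ANY, dport=53)]


def answer_seen_by(client: str, answer: IPv4Address, dns_class) -> str:
    """Return the A record a client receives for a reply sent by INSIDE_DNS.

    The ASA classifies a connection on its first packet (the query from the
    client to the server on port 53); if that flow is in the DNS-inspected
    class and the answer has a static NAT with 'dns', the record is rewritten.
    """
    query = Packet(ip_address(client), 50123, INSIDE_DNS, 53)
    if acl_permits(dns_class, query):
        return str(STATIC_NAT_DNS.get(answer, answer))
    return str(answer)


if __name__ == "__main__":
    vpn_client, internet_client = "10.10.10.5", "198.51.100.7"
    for label, cls in (("default policy ", DEFAULT_DNS_CLASS),
                       ("Doctoring class", doctoring_acl(VPN_POOL))):
        print(f"{label}: VPN client sees {answer_seen_by(vpn_client, HKL_WHS_01, cls)}, "
              f"Internet client sees {answer_seen_by(internet_client, HKL_WHS_01, cls)}")
```

With the default policy the VPN client receives 203.0.113.50, which is exactly the symptom in the first post; with the Doctoring class it receives 192.168.1.50 while a client on the Internet still gets the mapped address. Swapping the permit line above the deny lines in `doctoring_acl` makes the VPN exclusion silently ineffective, which is the ordering mistake this model makes visible.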