Remote VPN and DNS rewrite (doctoring) problem

Anyone

I have the following scenario

ASA5505 with some servers on the inside. I access the servers from outside with static NAT, use one official IP per server, and just allow the necessary ports. I do a DNS rewrite for access to the servers by FQDN from the inside; all works fine.

With my laptop I connect via VPN with the AnyConnect client to the ASA. When I then try to access the inside server by FQDN, the IPs are rewritten to the outside addresses used in the above-mentioned NAT statements, thus preventing access to the inside servers (a xxxx.local domain).

How can I configure the VPN tunnel so that the DNS queries are not rewritten?

br

hkl

4 Replies

Jennifer Halim
Cisco Employee

When you are resolving the DNS from within the network, the DNS query and reply go through the ASA firewall. However, when you are connecting from the AnyConnect client, the DNS query/reply does not go through the ASA. It will go directly out to the internet; therefore, the ASA does not rewrite the reply back with the private IP address because the DNS query itself does not go through the ASA.

halijenn wrote:

When you are resolving the DNS from within the network, the DNS query and reply go through the ASA firewall. However, when you are connecting from the AnyConnect client, the DNS query/reply does not go through the ASA. It will go directly out to the internet; therefore, the ASA does not rewrite the reply back with the private IP address because the DNS query itself does not go through the ASA.

Hello and thanks for your reply.

The VPN tunnel is configured with the primary DNS server as the server in the internal network (192.168.1.3), internal domain hkl.local.

Doing an nslookup from the laptop across the VPN tunnel to a server named hkl-whs-01.hkl.local shows the following:

As you can see, the DNS server responding is the internal server; however, the internal address of hkl-whs-01.hkl.local is 192.168.1.50.

When I nslookup hkl-whs-01.hkl.local from a machine sitting on the internal LAN, the response is correct, thus it has to be the ASA rewriting the DNS.

For info, I am using split tunneling on the VPN.

For testing I removed the DNS xlate from the NAT rule; then everything works OK across the VPN.

br

hkl

Yes, the reason why it's performing the DNS rewrite is because the VPN client is connected on the outside, and DNS rewrite happens when the DNS packet crosses the firewall. Because the reply is going to a host outside the ASA, it rewrites it as if it's a request from the Internet. Essentially, a DNS request from the Internet or from the VPN is the same because it's from the outside interface.

What about if you configure the "dns" keyword on the NAT exemption statement:

nat (inside) 0 access-list dns

Easy, all you need to do is reconfigure the dns inspection so that it will exclude the VPN network from going through the doctoring.

DNS Doctoring requires configuration of Network Address Translation (NAT) on the ASA, as well as enablement of the DNS inspection.

The inspection for DNS is applied normally in the default MPF configuration, which is used in the default global policy; it's a special CLI shortcut to match the default ports for all inspections.

This is the default MPF:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

service-policy global_policy global

Here is how to exclude it:

enable
config t
access-list Doctoring deny udp <vpn_network> <netmask> any eq 53
access-list Doctoring deny udp any eq 53 <vpn_network> <netmask>
access-list Doctoring permit udp any any eq 53
class-map Doctoring
 match access-list Doctoring
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  exit
 class Doctoring
  inspect dns preset_dns_map

Have fun!!!!

Value our effort and rate the assistance!
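To make the behaviour discussed in this thread concrete, here is an added Python emulation (not code from the thread or from Cisco) of what DNS doctoring does to an A record in a reply that crosses to the outside interface, and of the effect of the Doctoring class-map exemption above. The static NAT mapping, the public address (a documentation-range placeholder) and the AnyConnect pool are constructed assumptions; the inside server 192.168.1.50 and the name hkl-whs-01.hkl.local are taken from the thread.

```python
import ipaddress
import struct

# Constructed sample data, not from the thread: the inside server published via
# static NAT on one official IP (placeholder), and an assumed AnyConnect pool.
STATIC_NAT = {"192.168.1.50": "203.0.113.50"}
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")

def build_reply(name, addr):
    """Build a minimal DNS response with one A record (constructed test input)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    # answer name is a compression pointer (0xC00C) back to the question name
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ipaddress.ip_address(addr).packed
    return header + qname + struct.pack(">HH", 1, 1) + answer

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def a_records(msg):
    """Yield (rdata offset, dotted address) for each A record in the answer section."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, str(ipaddress.ip_address(msg[off:off + 4]))
        off += rdlen

def doctor(msg, client_ip, exempt_vpn):
    """Emulate the ASA rewriting a reply that crosses to the outside interface.
    With exempt_vpn=True the Doctoring class-map leaves VPN-pool clients alone;
    otherwise the real inside address is rewritten to its static-NAT mapped one."""
    if exempt_vpn and ipaddress.ip_address(client_ip) in VPN_POOL:
        return msg
    out = bytearray(msg)
    for off, real in a_records(msg):
        if real in STATIC_NAT:
            out[off:off + 4] = ipaddress.ip_address(STATIC_NAT[real]).packed
    return bytes(out)
```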