Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 43 Configuring Inspection of Basic Internet Protocols
DNS Inspection
Configuring DNS Rewrite with Two NAT Zones
To implement a DNS Rewrite scenario similar to the one shown in , perform the following steps:
Step 1
Create a static translation for the web server using the dns option. See
Step 2
Create an access list that permits traffic to the port that the web server listens to for HTTP requests.
hostname(config)# access-list acl-name extended permit tcp any host mapped-address eq port
where the arguments are as follows:
acl-name—The name you give the access list.
mapped-address—The translated IP address of the web server.
port—The TCP port that the web server listens to for HTTP requests.
Step 3
Apply the access list created in to the mapped interface. To do so, use the access-group command, as follows:
hostname(config)# access-group acl-name in interface mapped_ifc
Step 4
If DNS inspection is disabled or if you want to change the maximum DNS packet length, configure DNS inspection. DNS application inspection is enabled by default with a maximum DNS packet length of 512 bytes. For configuration instructions, see the “Configuring a DNS Inspection Policy Map for Additional Inspection Control” section on page 43-7.
Step 5
On the public DNS server, add an A-record for the web server, such as:
domain-qualified-hostname. IN A mapped-address
where domain-qualified-hostname is the hostname with a domain suffix, as in server.example.com. The period after the hostname is important. mapped-address is the translated IP address of the web server.
The following example configures the ASA for the scenario shown in . It assumes DNS inspection is already enabled.
hostname(config)# object network obj-192.168.100.1-01
hostname(config-network-object)# host 192.168.100.1
hostname(config-network-object)# nat (inside,outside) static 209.165.200.225 dns
hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www
hostname(config)# access-group 101 in interface outside
This configuration requires the following A-record on the DNS server:
server.example.com. IN A 209.165.200.225
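What the dns keyword on the static translation turns on, shown as an added Python illustration (not ASA code and not part of the original guide): the ASA inspects the DNS reply coming from the public server and replaces the mapped address in each A record with the real address, so an inside client that resolves server.example.com reaches 192.168.100.1 directly instead of its own outside address. The reply below is a constructed sample, the mapped-to-real table is the one from the example above, and the rewrite handles the general case of several records, compression pointers and addresses that have no translation.

```python
import struct
import ipaddress

# Static NAT entry configured with the "dns" keyword in the example above:
# mapped (outside) address -> real (inside) address.
DNS_NAT_MAP = {"209.165.200.225": "192.168.100.1"}

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def rewrite_a_records(msg, nat_map=DNS_NAT_MAP):
    """Rewrite A-record RDATA in a DNS reply per nat_map; return (new_msg, count)."""
    msg = bytearray(msg)
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    rewritten = 0
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlength == 4:         # A record: 4-byte IPv4 RDATA
            mapped = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            real = nat_map.get(mapped)
            if real:                             # only translated addresses change
                msg[off:off + 4] = ipaddress.IPv4Address(real).packed
                rewritten += 1
        off += rdlength
    return bytes(msg), rewritten

def build_reply(name, address, txid=0x1234, ttl=300):
    """Construct a minimal DNS reply (sample data, not a capture) with one A record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)   # response, RD+RA, 1 Q, 1 A
    question = qname + struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)  # name = pointer to QNAME
    return header + question + answer + ipaddress.IPv4Address(address).packed
```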
Overview of DNS Rewrite with Three NAT Zones
provides a more complex scenario to illustrate how DNS inspection allows NAT to operate transparently with a DNS server with minimal configuration. For configuration instructions for scenarios like this one, see the “Configuring DNS Rewrite with Three NAT Zones” section on page 43-6.