ASA DNS doctoring with 4 NAT interfaces

Unanswered Question
Mar 7th, 2008

I've got two DMZs. DMZ1 has the web server with security level 50. DMZ2 is a guest wireless network with security level 10. DNS points to outside. DNS doctoring works fine from the inside for the web server (i.e. when an inside user browses to http://www.company.com, they get the real, untranslated IP). But for users in DMZ2, it doesn't work since DMZ2 has a lower security level than DMZ1. If I create an inbound access list on DMZ2 to allow access to the DMZ1 web server, the implicit rule to allow guests to browse the Web obviously is lost.


I realize one option is to use the following inbound rules on dmz2:

1. Allow any to dmz1 web server for specific services

2. Deny any to inside and dmz1 for all

3. Allow any to any for web browsing


I'm trying to see if there's any other way to do this and keep the implicit "permit all to less secure network". Thanks.

acomiskey Fri, 03/07/2008 - 09:09

"If I create an inbound access list on DMZ2 to allow access to the DMZ1 web server, the implicit rule to allow guests to browse the Web obviously is lost."


Why? Couldn't you just do like...


access-list dmz2-in extended permit tcp eq 80
access-list dmz2-in extended deny ip
access-list dmz2-in extended permit ip any any


Also, you could use destination nat to access www.company.com from dmz2.


nat (dmz1,dmz2) netmask 255.255.255.255
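A worked version of the approach discussed in this thread, written out as an added example (it is my config, not acomiskey's or milee1420's). It assumes ASA 8.2-style (pre-8.3) NAT syntax, interfaces named inside, dmz1, dmz2 and outside, and addresses constructed for illustration from the RFC 5737 documentation ranges; the inside network 10.1.0.0/16 is likewise assumed.

```text
! Added example, not from the thread. ASA 8.2-style syntax (pre-8.3 NAT).
! All addresses are constructed for illustration:
!   inside network   10.1.0.0/16                      (assumed)
!   dmz1 network     192.0.2.0/24, web server 192.0.2.10 (real address)
!   web server public address 203.0.113.10           (mapped on outside)
!
! Outside static with the "dns" keyword. This is what doctors the A record for
! www.company.com so that a reply passing through the ASA can be rewritten
! from 203.0.113.10 to the real address 192.0.2.10.
static (dmz1,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255 dns
!
! Only needed when nat-control is enabled: traffic from lower-security dmz2 to a
! host on higher-security dmz1 then requires a static for that host. This is
! acomiskey's "destination nat" suggestion, corrected to static later in the thread.
static (dmz1,dmz2) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
!
! Inbound ACL on dmz2. ASA ACLs are first-match, so the order is the point:
!  1. permit the single allowed service to the dmz1 web server
!  2. deny everything else toward the higher-security networks
!  3. permit any any, which re-creates the implicit "permit to less secure"
!     behaviour that applying an ACL to the interface otherwise removes
access-list dmz2-in extended permit tcp any host 192.0.2.10 eq www
access-list dmz2-in extended deny ip any 10.1.0.0 255.255.0.0
access-list dmz2-in extended deny ip any 192.0.2.0 255.255.255.0
access-list dmz2-in extended permit ip any any
access-group dmz2-in in interface dmz2
```

To confirm the ordering does what is intended, `show access-list dmz2-in` shows per-line hit counts, and `packet-tracer input dmz2 tcp 198.51.100.20 1025 192.0.2.10 80` (source address constructed) walks a guest-to-web-server flow through the ACL and NAT phases; a second packet-tracer toward an inside address should stop at the deny line.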

milee1420 Fri, 03/07/2008 - 09:32

Thanks Adam. Your first suggestion is basically what I am doing (I edited my original post - you must have responded before the edit). As for destination nat, I'm assuming you meant static (dmz1,dmz2). Even if I were to use destination nat instead of doctoring, wouldn't I still need the access lists, since dmz2 is of lower security level than dmz1?

acomiskey Fri, 03/07/2008 - 09:49

Oops, yes I meant static, haha.


Sure you would still need the acl.

milee1420 Fri, 03/07/2008 - 09:53

You had typed nat (dmz1,dmz2) - I wanted to make sure there wasn't some other way to do this than static.


Thanks for the input.

acomiskey Fri, 03/07/2008 - 09:54

Ya, I tried to edit it but it's too late.
