DNS doctoring problem in ASA 5510

Unanswered Question
Apr 8th, 2009

Greetings,

I am configuring an ASA 5510 with firmware version 8.0(4). In my setup, I have a routable IP assigned to the outside/wan interface (security level 0), a 192.168.0.0/255.255.0.0 block on one interface (security level is 100 and name is inside), and a 10.10.10.0/255.255.255.0 block on another interface (security level is 10 and name is guest_wl).


I have a server (IP is 192.168.50.10 and it is in the 192.168.0.0 block) that is accessed from outside as well as from the 10.10.10.0 block on tcp ports 993 and HTTPS. The DNS servers are outside and the hostname is assigned to the outside interface IP of the ASA. The outside interface IP is mapped to the server's IP using static PAT:


static (inside,wan) tcp interface https 192.168.50.10 https netmask 255.255.255.255 dns

static (inside,wan) tcp interface 993 192.168.50.10 993 netmask 255.255.255.255 dns


Access from outside on both ports works fine. And I have set up the rules for accessing the server from the 10.10.10.0 block, and I can access the server using the IP address (192.168.50.10). But when I try to ping the hostname of the server from a machine in the 10.10.10.0 block, it resolves to the outside interface IP. According to the documentation on DNS doctoring, I should be resolving to the internal server IP.


I would greatly appreciate any ideas on what I could have done wrong here. Thanks!

focusincadmin Fri, 04/10/2009 - 08:53

Hmmm, I hope this is not that tough a question ... Cisco's documentation seems to be pretty clear about how to go about this, but it just didn't work.

sdoremus33 Fri, 04/10/2009 - 10:21

So if both the DNS server and the hostname are on the outside, try this:

static (wan,inside) tcp 192.168.50.10 https interface https netmask 255.255.255.255 dns

static (wan,inside) tcp 192.168.50.10 993 interface 993 netmask 255.255.255.255 dns

focusincadmin Fri, 04/10/2009 - 11:18

Hi, thank you for your reply. I tried both commands, and for both, I get the following error message:


ERROR: % Invalid Hostname

sdoremus33 Fri, 04/10/2009 - 12:04

If it is no trouble could you post your current config on the ASA device. Thanks

sdoremus33 Sat, 04/11/2009 - 09:32

Am I correct in assuming the following information?

1. So you have an ASA with three interfaces as follows:

   a. Inside (sec 100) @ 192.168.0.0/16 block

   b. Guest_WL (sec 10) @ 10.10.10.0/24 block

   c. Outside interface (that has a publicly routable IP address).

2. The DNS server is located on the outside of the ASA.

3. The hostname you are attempting to access is actually PAT'd to the actual outside interface IP address.


So when you try to ping the hostname from a device in the 10.10.10.0 (Guest_WL) area, it returns the physical outside IP address of the host, correct?

Here is an interesting article that will help you with this particular problem.


https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

focusincadmin Sun, 04/12/2009 - 11:04

Hi,

Thanks for the reply. I have read that article and when setting up my machine, I followed its instructions. That's what makes this problem so frustrating :-)


Your assumptions are correct. Here's my config. Please let me know if you have any questions.


fw# show run static
static (inside,wan) tcp interface 993 192.168.50.10 993 netmask 255.255.255.255 dns
static (inside,wan) tcp interface https 192.168.50.10 https netmask 255.255.255.255 dns
static (inside,dmz_vj) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,dmz_vj) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,guest_wl) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,guest_wl) 192.168.50.10 192.168.50.10 netmask 255.255.255.255 dns

fw# show run nat
nat (inside) 0 access-list inside_to_dmz
nat (inside) 10 192.168.0.0 255.255.0.0
nat (guest_wl) 10 10.10.10.0 255.255.255.0
fw#

fw# show run global
global (wan) 10 interface

fw# show ip
System IP Addresses:
Interface        Name        IP address       Subnet mask       Method
Ethernet0/0      wan         40.40.40.78      255.255.255.252   CONFIG
Ethernet0/1      dmz         50.50.50.126     255.255.255.240   CONFIG
Ethernet0/2      inside      192.168.250.254  255.255.255.0     CONFIG
Ethernet0/2.230  dmz_vj      60.60.60.198     255.255.255.248   CONFIG
Ethernet0/2.240  guest_wl    10.10.10.254     255.255.255.0     CONFIG
Management0/0    management  192.168.1.1      255.255.255.0     CONFIG
Current IP Addresses:
Interface        Name        IP address       Subnet mask       Method
Ethernet0/0      wan         40.40.40.78      255.255.255.252   CONFIG
Ethernet0/1      dmz         50.50.50.126     255.255.255.240   CONFIG
Ethernet0/2      inside      192.168.250.254  255.255.255.0     CONFIG
Ethernet0/2.230  dmz_vj      60.60.60.198     255.255.255.248   CONFIG
Ethernet0/2.240  guest_wl    10.10.10.254     255.255.255.0     CONFIG
Management0/0    management  192.168.1.1      255.255.255.0     CONFIG
fw#

fw# show run access-list | grep inside_to_dmz
access-list inside_to_dmz extended permit ip 192.168.0.0 255.255.0.0 50.50.50.112 255.255.255.240
access-list inside_to_dmz extended permit ip any 192.168.250.0 255.255.255.0

sachinga.hcl Sun, 04/12/2009 - 17:59

Hi Dear,

Have you checked if DNS inspection is enabled?


Please remember that DNS inspection must be enabled in order to perform DNS doctoring on the security appliance. DNS inspection is on by default. However, if it has been turned off, please re-enable it first of all.


Also note that DNS doctoring is enabled when you add the dns keyword to a static NAT statement.


As you know, in a typical DNS exchange a client sends a URL or hostname to a DNS server in order to determine the IP address of that host. The DNS server receives the request, looks up the name-to-IP-address mapping for that host, and then provides the A-record with the IP address to the client (it provides the public IP; in your case it is 192.168.x.y), as the DNS server is outside the LAN.


While this procedure works well in many situations, problems can occur. These problems can occur when the client and the host that the client tries to reach are both on the same private network behind NAT, but the DNS server used by the client is on another public network.


In this scenario, the client is located on the inside interface of the ASA(192.168.x.y). The WWW server that the client tries to reach is located on the dmz interface of the ASA(10.10.x.y).


Dynamic PAT is configured to allow the client access to the Internet. Static NAT with an access-list is configured to allow the server access to the Internet, as well as allow Internet hosts to access the WWW server.


In this case, the client at 192.168.x.y wants to access the WWW server at 10.10.10.10. DNS services for the client are provided by the external DNS server at the routable IP address which you have assigned to the outside/WAN interface, I think 40.40.40.78 or something in this range.

Because the DNS server is located on another public network, it does not know the private IP address of the WWW server (something in the range 10.10.x.y, or I think 10.10.10.10). Instead, it knows the WWW server's mapped address in the WAN range, i.e. 40.40.40.x or something like this.

Thus, the DNS server contains the IP-address-to-name mapping of server.example.com to 40.40.40.x.



Without DNS doctoring or another solution enabled in this situation, if the client sends a DNS request for the IP address of the WWW server using its name, it is unable to access the WWW server. This is because the client receives an A-record that contains the mapped public address of 40.40.40.x for the WWW server. When the client tries to access this IP address, the security appliance drops the packets because it does not allow packet redirection on the same interface.



So make some class maps (the kind of traffic of your interest), policy maps (what action you want to take on the traffic matched by the class map) and then apply the policy map with a service-policy (attach it to the interface).



Here is an example as follows:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

Kindly find the reference document for 3 interfaces as follows:

PIX/ASA: Perform DNS Doctoring with the static Command and Three NAT Interfaces Configuration Example


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Hope your problem resolves this time.


Best Regards,

Sachin
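
The rewrite step Sachin describes above, and the PAT-versus-NAT suspicion raised later in the thread, as an added example that is not part of the original posts and not Cisco code: a small Python model of the DNS doctoring decision applied to a hand-built DNS reply. It assumes the behaviour documented in the ASA 8.0 configuration guide: the dns keyword on a static NAT entry makes the DNS inspection engine replace the mapped address in an A record with the real address, and DNS rewrite is not applicable to PAT, because several port-level rules can share one mapped address and the rule to apply is ambiguous. Interface names and addresses are the thread's; the spare public address 40.40.40.79, the hostname mail.example.com and the DNS packet contents are constructed for the example.

```python
"""Model of ASA DNS doctoring (added example, not Cisco code)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Static:
    """One `static (real_if,mapped_if) ...` line; port != None models static PAT."""
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str
    dns: bool = False
    port: Optional[int] = None


def build_dns_reply(name: str, ips, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one question, one A record per address, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    body = qname + struct.pack("!HH", 1, 1)                 # QTYPE=A, QCLASS=IN
    for ip in ips:                                          # answer NAME is a pointer to the qname
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        body += ipaddress.IPv4Address(ip).packed
    return header + body


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:       # compression pointer terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def a_record_rdata_offsets(pkt: bytes):
    """Yield the offset of the 4-byte RDATA of every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4                      # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def doctor(pkt: bytes, statics, in_if: str, client_if: str):
    """Doctor a reply that entered on in_if and is delivered to a client on client_if.

    Returns (possibly rewritten packet, per-record log of the decision).
    """
    out = bytearray(pkt)
    log = []
    for off in a_record_rdata_offsets(pkt):
        addr = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
        matches = [s for s in statics if s.dns and s.mapped_if == in_if and s.mapped_ip == addr]
        if not matches:
            log.append(f"{addr}: no dns-keyword static on {in_if}, left alone")
            continue
        nat = [s for s in matches if s.port is None]
        if not nat:   # only port-level (PAT) rules share this address: ambiguous, not rewritten
            log.append(f"{addr}: {len(matches)} static PAT rule(s) match; rewrite skipped")
            continue
        real = nat[0].real_ip
        # A second static between the server's interface and the client's interface
        # decides which address the client should see for the real host.
        hop = [s for s in statics
               if s.real_if == nat[0].real_if and s.mapped_if == client_if and s.real_ip == real]
        final = hop[0].mapped_ip if hop else real
        out[off:off + 4] = ipaddress.IPv4Address(final).packed
        log.append(f"{addr}: rewritten to {final} (real host on {nat[0].real_if})")
    return bytes(out), log


def answers(pkt: bytes):
    """Addresses in the answer section, for checking results."""
    return [str(ipaddress.IPv4Address(bytes(pkt[o:o + 4]))) for o in a_record_rdata_offsets(pkt)]


# The thread's configuration: static PAT on the wan interface address (40.40.40.78).
PAT_CONFIG = [
    Static("inside", "wan", "192.168.50.10", "40.40.40.78", dns=True, port=993),
    Static("inside", "wan", "192.168.50.10", "40.40.40.78", dns=True, port=443),
    Static("inside", "guest_wl", "192.168.50.10", "192.168.50.10", dns=True),
]
# The alternative suggested in the thread: static NAT with a spare public address.
# 40.40.40.79 is a placeholder (the poster had no spare address).
NAT_CONFIG = [
    Static("inside", "wan", "192.168.50.10", "40.40.40.79", dns=True),
    Static("inside", "guest_wl", "192.168.50.10", "192.168.50.10", dns=True),
]


def demo(config, mapped_addr: str):
    """Reply from the outside DNS server (enters on wan) for a client on guest_wl."""
    reply = build_dns_reply("mail.example.com", [mapped_addr])  # constructed reply
    return doctor(reply, config, in_if="wan", client_if="guest_wl")


if __name__ == "__main__":
    for label, cfg, mapped in (("static PAT", PAT_CONFIG, "40.40.40.78"),
                               ("static NAT", NAT_CONFIG, "40.40.40.79")):
        pkt, log = demo(cfg, mapped)
        print(f"{label}: client sees {answers(pkt)}; {log}")
```

With the static PAT entries from the question the answer still carries the wan address, so the guest client gets 40.40.40.78 exactly as reported; with a static NAT entry on a spare public address the A record becomes 192.168.50.10, and the identity static toward guest_wl keeps that address for the guest client. The model only touches A records in the answer section, which is what the inspection engine rewrites; it does not model the appliance's PAT port bookkeeping.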




focusincadmin Mon, 04/13/2009 - 06:24

Hi Sachin,

Thank you for your reply. Yes, my config matches what you have posted exactly. Here's my config:


class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global


I referenced the Cisco document that you mention when setting up my config, which is why I am very puzzled that it is not working. The only exception I can see is that the document uses static NAT and I have used static PAT (my config is attached to a previous reply).



sdoremus33 Mon, 04/13/2009 - 10:32

Hi Eric,


Still pondering over your problem. I have one idea. If you have any addresses to use in the outside address range of 40.40.40.x (I believe it was), instead of PATting your inside host 192.168.50.10 you could try a static NAT.

So, for example, for testing purposes you could keep the NAT control statement for all inside traffic except the .50.10 address,

so

static (inside,outside) 40.40.40.x 192.168.50.10 netmask 255.255.255.255

where x is a number within the 40 range.

Then apply that to your config instead of PAT.

I think the problem is with the way PAT works with the return DNS rewrite. HTH

focusincadmin Mon, 04/13/2009 - 10:53

Hi,

Thanks for the reply. Right now I am afraid I don't have any extra IP addresses in that subnet. I will have to apply for and get extra IPs from my ISP.


I was wondering about that, since the only change from the Cisco docs that I was making was to use static PAT instead of static NAT.


Thanks for your help.


