DNS Server Redirects?

Answered Question
May 18th, 2009

All,


I have about 100 servers in a DMZ. We did our 2nd phase firewall test this weekend, and I found out that all of the servers in the DMZ are set to look at the firewall's DMZ interface for DNS. The old firewall was a Symantec SGS that did DNS forwarding, so the client could set up their DNS settings to point to the firewall instead of an actual DNS server.


I also found out that there are several hundred people that have their proxy server set up in IE as the firewall's IP address and the port is 80. My questions are these:


a.) Is there any way to do a redirect in the ASA for any DNS requests coming in on the DMZ interface, to another server either inbound or outbound? Can I use NAT for something like this?


b.) Is there ANY way to be able to configure the ASA to act as a proxy besides cut-through? I just want the request that comes in on port 80 to be allowed out, but I think the ASA is seeing this as the web management port, and drops the traffic. (I'm probably wrong on that one.)


Thanks,

John

Correct Answer
handsy Mon, 05/18/2009 - 06:06

a) In fact you must use NAT, e.g.


static (dmz, outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255 dns


The 'dns' keyword is the magic here :)


b) I believe cut-through is your only option, i.e. statics and ACL combinations to get the outcome you desire

John Blakley Mon, 05/18/2009 - 06:17

One problem that I see is that I can't assign a static to an address that's used on the interface.


DMZ1: 10.45.136.66/24


Inside: 10.50.50.54


DNS server on the inside: 10.50.50.251


Would my static look like:


static (inside,dmz1) interface 10.50.50.251 netmask 255.255.255.255 dns


Would this work, and would anything get screwed up by this?


John


handsy Mon, 05/18/2009 - 06:33

So are the DMZ servers pointing at 10.50.50.251 for DNS, or is that the address you want them to get to?


Example:

DMZ servers currently pointing at 10.2.3.4

DMZ servers need to be using 10.50.50.251


static (inside, dmz1) 10.2.3.4 10.50.50.251 netmask 255.255.255.255 dns



This article may help you:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml



Hope I'm helping, and not hindering? :-)

John Blakley Mon, 05/18/2009 - 06:37

That's what I want them to get to, but the "server" that they are pointing to is the interface on the ASA.


So I'm thinking that it "could" be:


static (inside,dmz1) interface 10.50.50.251 netmask 255.255.255.255 dns


With the above static, will that hurt our normal DNS on this inside? It should only affect traffic coming in on the dmz1 interface, right?


John

handsy Mon, 05/18/2009 - 06:41

Looks good, but personally I would want to test that out-of-hours before deploying.


Let us know how you get on :)

John Blakley Mon, 05/18/2009 - 07:00

Dude....it works.... :)


I have a personal at the house that I can test things on. I VPN in from the office and remote into a box at the house. I set up the workstation to point to my ASA as the dns server. When I use the dns tag for doctoring, it says that ALL traffic will be redirected, so instead I did this (and it works too).


static (outside,inside) udp interface 53 4.2.2.1 53 netmask 255.255.255.255


That forwarded all of my traffic to 4.2.2.1, and I was able to get on the internet. That rocks :)


Thanks,

John

handsy Mon, 05/18/2009 - 08:30

Awesome! Glad you got it working :)
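Pulling the thread together as an added config example (not posted by either participant): the port-redirect form John tested, applied to his DMZ case, with the ACL the DMZ side needs and a packet-tracer check to run before touching the servers. It assumes ASA 8.2-era static syntax, interface names inside and dmz1, John's addresses (dmz1 10.45.136.66, inside DNS 10.50.50.251), a constructed DMZ host 10.45.136.100, and an assumed ACL name dmz1_in.

```cisco
! Added example, not from the thread. Assumes ASA 8.2-style static/ACL syntax.
! DMZ servers keep pointing at the firewall's dmz1 address (10.45.136.66) for DNS;
! the ASA forwards only port 53 to the real resolver on the inside (10.50.50.251).
! No 'dns' keyword here: that keyword rewrites A-record answers matching the static,
! which is not needed when the goal is just to reach the resolver.
static (inside,dmz1) udp interface 53 10.50.50.251 53 netmask 255.255.255.255
static (inside,dmz1) tcp interface 53 10.50.50.251 53 netmask 255.255.255.255
!
! Let the DMZ subnet reach the mapped address on port 53 only (assumed ACL name dmz1_in;
! merge these lines into any access-list already applied inbound on dmz1 rather than replacing it).
access-list dmz1_in extended permit udp 10.45.136.0 255.255.255.0 host 10.45.136.66 eq domain
access-list dmz1_in extended permit tcp 10.45.136.0 255.255.255.0 host 10.45.136.66 eq domain
access-group dmz1_in in interface dmz1
!
! Verify before deploying (constructed source host 10.45.136.100): the trace should show the
! UN-NAT phase mapping the destination to 10.50.50.251 and a final result of ALLOW.
packet-tracer input dmz1 udp 10.45.136.100 1025 10.45.136.66 53
show xlate | include 10.50.50.251
```

Because only port 53 is translated, other traffic aimed at the dmz1 interface address is still handled as to-the-box traffic, unlike the all-ports static John first tried.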
