I have about 100 servers in a DMZ. We did our 2nd phase firewall test this weekend, and I found out that all of the servers in the DMZ are set to look at the firewall's DMZ interface for DNS. The old firewall was a Symantec SGS that did DNS forwarding, so the client could set up their DNS settings to point to the firewall instead of an actual DNS server.
I also found out that there are several hundred people who have their proxy server in IE set to the firewall's IP address on port 80. My questions are these:
a.) Is there any way to do a redirect in the ASA for any DNS requests coming in on the DMZ interface to another server, either inbound or outbound? Can I use NAT for something like this?
b.) Is there ANY way to configure the ASA to act as a proxy besides cut-through? I just want the request that comes in on port 80 to be allowed out, but I think the ASA is seeing this as the web management port and drops the traffic. (I'm probably wrong on that one.)
a) In fact you must use NAT, e.g.
static (dmz,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255 dns
The 'dns' keyword is the magic here :)
b) I believe cut-through is your only option, i.e. combinations of statics and ACLs to get the outcome you desire.
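The following is an added example, not part of the thread above, showing what the static with the dns keyword and the "statics and ACLs" approach look like together on a pre-8.3 ASA. All interface names, addresses and object names are hypothetical. One caveat a practitioner should keep in mind: the dns keyword does not make the ASA answer or forward DNS queries sent to its own interface address; it rewrites the A record inside DNS replies that traverse that translation (DNS doctoring), and it only takes effect when DNS inspection is enabled. The DMZ hosts still need a real resolver they are allowed to reach, which is what the ACL and identity static below provide.

```cisco
! Added example (not from the original post). Pre-8.3 ASA syntax, same family
! as the "static" line in the answer. Addresses are hypothetical:
!   DMZ web server   192.168.1.10  (public 203.0.113.10)
!   DMZ subnet       192.168.1.0/24
!   Inside DNS server 10.0.0.53

! Static NAT for the DMZ web server with DNS rewrite. When a DNS reply for the
! public name (203.0.113.10) crosses this translation on its way to a DMZ host,
! the ASA rewrites the A record to 192.168.1.10, so DMZ clients reach the
! server on its real address instead of hairpinning through the outside IP.
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 dns

! The dns keyword only acts when DNS inspection is on (it is in the default
! global_policy; shown here so the dependency is explicit).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! Identity static so the (lower-security) DMZ can initiate to the inside DNS
! server without address translation.
static (inside,dmz) 10.0.0.53 10.0.0.53 netmask 255.255.255.255

! Dynamic PAT for the remaining DMZ hosts going out to the Internet on port 80.
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Interface ACL: DMZ hosts may query the real resolver (UDP and TCP 53) and
! make outbound web requests; everything else from the DMZ is denied and logged.
access-list DMZ_OUT extended permit udp 192.168.1.0 255.255.255.0 host 10.0.0.53 eq domain
access-list DMZ_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.53 eq domain
access-list DMZ_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
```

After applying this, the DMZ hosts (and the IE users pointing their proxy at the firewall) still have to be repointed at the real DNS server and a real proxy or direct access: the ASA will translate and filter the traffic, but it will not stand in for a resolver or an HTTP proxy that is no longer there.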