DMZ DNS query on ASA 5540

Answered Question
May 3rd, 2012

Hi Expert.

How can I allow a DMZ zone server to resolve only DNS queries through nslookup on an ASA 5540?

What is the configuration required on the ASA 5540?

Thanks

Correct Answer
mayrojas Thu, 05/03/2012 - 07:06

Samir,

So if the host automatically wants to know the name of a server on the outside, you don't want that? You only want the ASA to permit the DNS query if it is being executed through nslookup?

Mike

samirshaikh52 Thu, 05/03/2012 - 07:10

Mike,

Thanks for your reply.

"You only want the ASA to permit the DNS query if it is being executed through nslookup?" YES, EXACTLY.

mayrojas Thu, 05/03/2012 - 07:28

Samir,

I just did a quick packet capture to see if there was any remarkable difference between the query done automatically by the computer and the one executed via nslookup, and they are the same. Nothing changes. Since there is no verifiable way to differentiate one from the other, you may need to find a solution that can be implemented on the host itself.

Mike

samirshaikh52 Thu, 05/03/2012 - 07:31

Mike,

I want to know.

How can I allow HTTP requests from a DMZ zone server to a specific outside web server (e.g. 1.1.1.1)?

Can you advise?

mayrojas Thu, 05/03/2012 - 07:44

Hi Samir,

By IP address it will be very simple: depending on the security level it has (higher than 0 for the DMZ and 0 for the outside), it will be allowed by default.

If there is an access-list already applied denying all the HTTP traffic, what you need to do is simply allow that specific host on the ACL and then deny the rest:

access-list DMZ extended permit tcp host <DMZ-SERVER-IP> host <OUTSIDE-WEB-SERVER-IP> eq 80

access-list DMZ extended deny ip any any

access-group DMZ in interface DMZ

Then you can add a host entry in the hosts file of the server on the DMZ to translate the IP address to a hostname, and you will be able to access it using the web browser (not really scalable, but it works).

WARNING: This will only allow traffic from the DMZ server going to the specific host on the internet on port 80; any other traffic going to any other interface will be dropped.

Mike

mayrojas Thu, 05/03/2012 - 07:53

Didn't quite get the last message, can you explain please?

Mike

samirshaikh52 Thu, 05/03/2012 - 08:01

Ok the last thing I want to ask

I have configured the public DNS IP on my server interface (e.g. 2.2.2.2). I want to do an nslookup for google.com, but it gives me the error "request timed out". But if I create this rule on the ASA, e.g.:

nat (DMZ-1) 10 172.16.1.202 255.255.255.255 tcp 0 0 udp 0

it works fine. I know it is not secure to allow everything. How can I successfully perform nslookup without giving all access?

I hope it's clear.

Thanks

Samir

mayrojas Thu, 05/03/2012 - 08:20

Just permit UDP 53 for that host to go out on your ACL while denying the rest of the traffic.

Mike
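
Putting Mike's two answers together, here is an added example of what the resulting ASA configuration looks like. It is not from the thread and nobody in it posted it. It assumes pre-8.3 ASA syntax (matching Samir's nat command), that the DMZ interface nameif is DMZ-1, and that the DMZ server is 172.16.1.202, the public resolver 2.2.2.2 and the outside web server 1.1.1.1 (the addresses Samir used as examples). The ACL name DMZ-1_IN is made up for the example. TCP 53 is permitted alongside UDP 53 because nslookup and the OS stub resolver both retry over TCP when a response comes back truncated, and a UDP-only rule would make exactly those lookups time out.

```cisco
! Added example, not from the thread. Assumed: pre-8.3 ASA syntax, DMZ interface
! named DMZ-1, DMZ server 172.16.1.202, public resolver 2.2.2.2, web server 1.1.1.1.
! Samir's existing nat (DMZ-1) 10 ... line and its matching global statement stay as
! they are: they only provide the translation, the filtering is done by this ACL.
!
! DNS to the one resolver: UDP 53 for normal queries, TCP 53 for truncated-response retries.
access-list DMZ-1_IN extended permit udp host 172.16.1.202 host 2.2.2.2 eq domain
access-list DMZ-1_IN extended permit tcp host 172.16.1.202 host 2.2.2.2 eq domain
!
! HTTP only to the single outside web server from the earlier answer.
access-list DMZ-1_IN extended permit tcp host 172.16.1.202 host 1.1.1.1 eq www
!
! Everything else from the DMZ is dropped, including DMZ -> inside (Mike's warning above).
! Once an ACL is applied to the interface, the security-level default permit no longer applies,
! so anything not listed here has to be added explicitly.
access-list DMZ-1_IN extended deny ip any any log
access-group DMZ-1_IN in interface DMZ-1
!
! Checks: simulate the two flows and confirm each hits a permit ACE rather than the deny,
! then watch the hit counts while the server runs nslookup and a browser request.
packet-tracer input DMZ-1 udp 172.16.1.202 1025 2.2.2.2 53
packet-tracer input DMZ-1 tcp 172.16.1.202 1025 1.1.1.1 80
show access-list DMZ-1_IN
```

Two caveats a practitioner would check. First, as Mike found in his capture, this permits every DNS query the host sends to 2.2.2.2, not only the ones typed into nslookup; the query packets are identical on the wire, so restricting it to nslookup can only be done on the host. Second, the ASA's default global policy inspects DNS (`show service-policy inspect dns`), which limits message length and drops malformed responses; if lookups still time out after the ACL change, look there before widening the rule.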
