
Advice needed

Unanswered Question
Jun 20th, 2014

I have an ASA 5510, and recently we had to move our web site to an external provider. However, portions of the web site still remain here on site. From outside, the web site operates fine, with the portions being hosted here as well as at the provider site acting as they should. However, when inside the network, the portions that are local do not ever connect and result in a 'site not found' error. This is because the external provider links to my portion using the public URL. I have temporarily solved this by placing a hosts file that gives the call to the local portions the correct internal address as opposed to the public address, and that works OK.

Here's the deal: I'd like the ASA to intercept these requests and simply turn them around and send them back inside. Details are:

Local domain = domain1.com

  • Local Windows AD DNS, no authority for the domain2 DNS records
  • My portion of the web site has a URL of searchdomain1.com with a public address of 10.10.10.100 and an inside address of 192.168.1.10

Hosted domain = domain2.com

  • External DNS provider with authority for domain2, not domain1
  • URL for the main site portion is mysite.domain2.com with a public address of 10.100.10.100

Initially, I thought a static NAT rule similar to:

static (inside,inside) 192.167.1.10 10.10.10.100

but no change. Then I thought perhaps with the dns keyword like:

static (inside,inside) 192.167.1.10 10.10.10.100 dns

Still no change.

Anyone have any ideas as to how to do this?

nkarthikeyan Sat, 06/21/2014 - 00:40

Hi,

You have to do DNS doctoring or hairpinning on your ASA to have the traffic U-turn via the same interface..... The NAT and configuration parameters change slightly based on the OS version which you use....

If you use the 8.3+ OS, which has the new NAT syntax:

access-list outbound permit tcp <source lan> <web server public ip> eq www ( depends on your requirement)

nat (inside,outside) source static <Private IP Of web server> <public ip of web server> dns
!
policy-map global_policy
  class inspection_default 
    inspect dns

Hairpinning is quite different from this.... DNS doctoring would meet your requirement.

In the older 7.2 version:

global (inside) 1 interface

nat (inside) 1 <Local LAN Subnet>

!--- The NAT statement defines which traffic should be natted.
!--- The whole inside subnet in this case.

static (inside,outside) <public IP> <private ip> netmask 255.255.255.255

!--- Static NAT statement mapping the WWW server's real address to a public 
!--- address on the outside interface.

static (inside,inside) <public IP> <private ip> netmask 255.255.255.255

For the inspect statement on the global policy:

Configure DNS Inspection

In order to enable DNS inspection (if it has been previously disabled), perform these steps. In this example, DNS inspection is added to the default global inspection policy, which is applied globally by a service-policy command as though the ASA began with a default configuration. Refer to Using Modular Policy Framework for more information on service policies and inspection.

  1. Create an inspection policy map for DNS.

    ciscoasa(config)#policy-map type inspect dns MY_DNS_INSPECT_MAP
    
  2. From the policy-map configuration mode, enter parameter configuration mode to specify parameters for the inspection engine.

    ciscoasa(config-pmap)#parameters
    
  3. In policy-map parameter configuration mode, specify the maximum message length for DNS messages to be 512.

    ciscoasa(config-pmap-p)#message-length maximum 512
    
  4. Exit out of policy-map parameter configuration mode and policy-map configuration mode.

    ciscoasa(config-pmap-p)#exit
    ciscoasa(config-pmap)#exit
    
  5. Confirm that the inspection policy-map was created as desired.

    ciscoasa(config)#show run policy-map type inspect dns
    !
    policy-map type inspect dns MY_DNS_INSPECT_MAP
     parameters
      message-length maximum 512
    !
  6. Enter policy-map configuration mode for the global_policy.

    ciscoasa(config)#policy-map global_policy
    ciscoasa(config-pmap)#
  7. In policy-map configuration mode, specify the default layer 3/4 class map, inspection_default.

    ciscoasa(config-pmap)#class inspection_default
    ciscoasa(config-pmap-c)#
  8. In policy-map class configuration mode, specify that DNS should be inspected using the inspection policy map created in steps 1-3.

    ciscoasa(config-pmap-c)#inspect dns MY_DNS_INSPECT_MAP
    
  9. Exit out of policy-map class configuration mode and policy-map configuration mode.

    ciscoasa(config-pmap-c)#exit
    ciscoasa(config-pmap)#exit
    
  10. Verify that the global_policy policy-map is configured as desired.

    ciscoasa(config)#show run policy-map
    !
    
    !--- The configured DNS inspection policy map.
    
    policy-map type inspect dns MY_DNS_INSPECT_MAP
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect dns MY_DNS_INSPECT_MAP
    
    !--- DNS application inspection enabled.
    
    !
  11. Verify that the global_policy is applied globally by a service-policy.

    ciscoasa(config)#show run service-policy
    service-policy global_policy global

HTH

Regards

Karthik
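As an added illustration (not code from this thread, and not Cisco's implementation), the following Python models what DNS doctoring does when the `dns` keyword is set on the NAT statement and `inspect dns` is enabled: a DNS reply passing through the firewall has any A-record answer carrying the NAT mapped (public) address rewritten to the real (inside) address, and nothing else in the message changes. The NAT table, the constructed reply for searchdomain1.com and the helper names are assumptions made for this example; the addresses are the ones given in the question. Note that the rewrite is only possible for replies that actually traverse the ASA between the resolver and the client.

```python
import struct

# Constructed NAT table for the thread's scenario: mapped (public) address -> real (inside)
# address. This is an illustration, not a parser for ASA configuration.
NAT_TABLE = {"10.10.10.100": "192.168.1.10"}

A_RECORD, IN_CLASS = 1, 1


def _encode_name(qname: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    return b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a name, written either as labels or as a compression pointer."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2          # a 2-byte compression pointer ends the name
        offset += 1 + length


def _answer_records(msg: bytes):
    """Yield (rdata_offset, rtype, rclass, rdlength) for each record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    offset = 12                                # fixed 12-byte header
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4   # skip QTYPE + QCLASS
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        yield offset, rtype, rclass, rdlength
        offset += rdlength


def build_a_response(qname: str, addresses, txid: int = 0x1234) -> bytes:
    """Build a constructed DNS response with one question and one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 300, len(rdata)) + rdata
    return header + question + answers


def answer_addresses(msg: bytes):
    """Return the IPv4 addresses carried by the A records in the answer section."""
    return [
        ".".join(str(b) for b in msg[off:off + 4])
        for off, rtype, rclass, rdlength in _answer_records(msg)
        if rtype == A_RECORD and rclass == IN_CLASS and rdlength == 4
    ]


def doctor_dns_response(msg: bytes, nat_table) -> bytes:
    """Rewrite A-record answers that carry a mapped address to the corresponding real address.

    Only the 4-byte RDATA is replaced, so message length, offsets and the transaction id are
    preserved and the rewritten reply remains a valid answer to the client's query.
    """
    out = bytearray(msg)
    for off, rtype, rclass, rdlength in _answer_records(msg):
        if rtype != A_RECORD or rclass != IN_CLASS or rdlength != 4:
            continue
        mapped = ".".join(str(b) for b in msg[off:off + 4])
        real = nat_table.get(mapped)
        if real is not None:
            out[off:off + 4] = bytes(int(octet) for octet in real.split("."))
    return bytes(out)


if __name__ == "__main__":
    # Constructed reply: the local portion (public 10.10.10.100) and the hosted portion (10.100.10.100)
    reply = build_a_response("searchdomain1.com", ["10.10.10.100", "10.100.10.100"])
    print("as received:    ", answer_addresses(reply))
    print("after doctoring:", answer_addresses(doctor_dns_response(reply, NAT_TABLE)))
```

The hosted site's 10.100.10.100 answer is left alone because it has no entry in the NAT table; only the address that the firewall itself translates is rewritten, which is exactly why an inside client that receives the doctored reply ends up connecting to 192.168.1.10 directly rather than to the public address.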

Marius Gunnerud Sat, 06/21/2014 - 03:23

DNS doctoring will not work, as it would seem that the DNS server is located on the local network that the user is connecting from (the DNS request will never pass through the firewall in this case).

If, as you indicate in your post, 192.168.1.10 is the server's real address, then you have your NAT statement backwards.

The ASA 8.2 and earlier format is as follows:

static (real_int,mapped_int) mapped_address real_address

So your statement should look like the following:

static (inside,inside) 10.10.10.100 192.168.1.10

You will also need to ensure that you have the following command enabled on the ASA:

same-security-traffic permit intra-interface

Now having said all this, I still do not think it will work when accessing a webpage due to the asynchronous routing that will occur.  This is because the web server will see the source address as an address on its own subnet and send traffic directly to the inside host instead of back through the ASA.  The host will then send the next packet through the ASA firewall while the ASA will be expecting a different sequence number and think that the packet is spoofed and drop the packet.  A way to get around this is to enable TCP bypass...but this is usually not a recommended solution as it can be a security risk.

As an alternative solution I suggest you create a second DNS entry that resolves to the internal IP of the server for the internal hosts to use.

--

Please remember to select a correct answer and rate helpful posts
