ACE module dns rewrite

peter
Level 1

Hi all,

We're using the ACE with static NAT. We have three interfaces: one outside and two inside. On one of the insides we have an FTP server and on the other inside we have the client. The client needs to connect to the FTP server, but wants to connect using the public DNS name.

A classic example of DNS doctoring, which can be solved on the ASA by doing:

static (bla,bla) blablabla dns

Now I've read that the ACE module does this automatically with dns inspection enabled:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/appinsp.html#wpmkr1310508

("Translates the DNS A-record based on the NAT configuration")

However I can't get it to work.

I have my inspection policy-map attached to all three interfaces and I am sure my DNS request goes through the ACE.

I see hits on the DNS inspection policy but the dns answer I get still has the public IP listed and not the internal one.

I hope my story is clear...

Anyone got a clue on how to figure this out? Anyone got a similar setup working?

Regards,

P.

2 Replies

Gilles Dufour
Cisco Employee

Where is the dns server ?

Inside or outside ?

Our inspection has no knowledge of inside/outside. It only performs NAT from local to global.

So if the answer is already the global address, we don't do anything.

But I assume ACE is the default gateway for the client, so the traffic should still hit ACE, which will be able to NAT the traffic if you have the NAT policy on the inside interface as well.

Gilles.

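As an added illustration of the behaviour Gilles describes (this is example code written for this page, not code from the original thread, the ACE or the ASA): a small Python model of NAT-aware A-record rewriting. It parses a DNS response, walks the answer section, and rewrites the 4-byte RDATA of A records according to a static NAT table. Two policies are modelled: local-to-global only, which is what Gilles says the ACE's DNS inspection does, and both directions, which is what the ASA's `dns` keyword on a `static` does in the documented DNS-doctoring setup. The NAT table (10.1.1.50 to 203.0.113.50), the hostname and the addresses are constructed for the example and are not from the thread.

```python
"""Model of NAT-aware DNS A-record rewriting ("DNS doctoring").

Added example, not code from the original thread, the ACE or the ASA.
Policies:
  * "local_to_global": translate inside (local) addresses in A answers to
    their outside (global) mapping only (what Gilles describes for the ACE).
  * "both": additionally translate global back to local (what the ASA's
    `static ... dns` keyword does for an inside client querying an outside
    DNS server, the scenario in the question).
"""
import ipaddress
import struct

# Constructed static NAT table for the example: local (inside) -> global (outside).
# These addresses are hypothetical and not taken from the thread.
STATIC_NAT = {"10.1.1.50": "203.0.113.50"}
GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_NAT.items()}

TYPE_A = 1
CLASS_IN = 1
HEADER_LEN = 12


def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends an uncompressed name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg):
    """Return offsets of the 4-byte RDATA of every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = HEADER_LEN
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QNAME, QTYPE, QCLASS
    offsets = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
        off += 10                               # TYPE, CLASS, TTL, RDLENGTH
        if rtype == TYPE_A and rdlength == 4:
            offsets.append(off)
        off += rdlength
    return offsets


def answer_addresses(msg):
    """List the A-record addresses in the answer section, in order."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in _a_record_offsets(msg)]


def rewrite_a_records(msg, policy):
    """Return a copy of `msg` with answer-section A records translated per `policy`.

    Only the RDATA bytes change; names, TTLs and message length stay intact,
    as an in-line NAT device rewriting a reply would leave them.
    """
    if policy not in ("local_to_global", "both"):
        raise ValueError("policy must be 'local_to_global' or 'both'")
    out = bytearray(msg)
    for off in _a_record_offsets(msg):
        addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
        new = None
        if addr in STATIC_NAT:
            new = STATIC_NAT[addr]              # local -> global (both policies)
        elif policy == "both" and addr in GLOBAL_TO_LOCAL:
            new = GLOBAL_TO_LOCAL[addr]         # global -> local (ASA-style only)
        if new is not None:
            out[off:off + 4] = ipaddress.IPv4Address(new).packed
    return bytes(out)


def build_response(name, addr, ttl=300):
    """Construct a minimal DNS response: one question, one A answer for `name`."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = labels + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = (b"\xc0\x0c"                                           # pointer to QNAME
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


if __name__ == "__main__":
    # Peter's case: outside DNS server answers with the global address.
    reply = build_response("ftp.example.com", "203.0.113.50")
    print("ACE-style:", answer_addresses(rewrite_a_records(reply, "local_to_global")))
    print("ASA-style:", answer_addresses(rewrite_a_records(reply, "both")))
```

Run as a script, the local-to-global policy leaves the outside server's answer at 203.0.113.50, which matches what the question reports seeing on the ACE; the both-directions policy rewrites it to 10.1.1.50, which is the DNS-doctoring result the ASA example achieves. In the reverse case (an inside DNS server answering 10.1.1.50 to an outside client) both policies produce the global address.
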
Hi Gilles,

The DNS server is on the outside. I don't get where the rest of your answer leads, but the picture described here is a perfectly good explanation:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

However, I want it to be done by an ACE and not an ASA.

So is the ACE capable of rewriting a DNS packet when both the client and the destination of the DNS lookup are known to it?