Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
363
Views
0
Helpful
3
Replies

Advice needed

dhall8436
Level 1
Level 1

‎06-20-2014 02:23 PM - edited ‎03-11-2019 09:21 PM

I have an ASA 5510, and recently we had to move our web site to an external provider. However, portions of the web site still remain here on site. From outside, the web site operates fine, with the portions being hosted here as well as at the provider site acting as they should. However, when inside the network, the portions that are local do not ever connect and result in a 'site not found' error. This is because the external provider links to my portion using the public URL. I have temporarily solved this by placing a hosts file that give the call to the local portions the correct internal address as opposed to the public address, and that works OK.

Here's the deal, I'd like the ASA to intercept these requests and simply turn them around and send them back inside. Details are:

Local domain = domain1.com

  • Local Windows AD DNS, no authority for the domain2 DNS records
  • My portion of the web site has a URL of searchdomain1.com with a public address of 10.10.10.100 and a inside address if 192.168.1.10

Hosted domain = domain2.com

  • External DNS provider with authority for domain2, not domain1
  • URL for the main site portion is mysite.domain2.com with a public address of 10.100.10.100

Initially, I though a static NAT rule similar to:

static (inside,inside) 192.167.1.10 10.10.10.100

but no change. Then I thought perhaps with the dns keyword like:

static (inside,inside) 192.167.1.10 10.10.10.100 dns

Still no change.

 

Anyone have any ideas as to how to do this?

Labels:
0 Helpful
3 Replies 3

Tushar Bangia
Level 1
Level 1

‎06-20-2014 09:53 PM

Can you try below command:

 

static (inside,outside) 10.10.10.100 192.167.1.10  dns

 

You can also refer below link for more information:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71704-dns-doctoring-2zones.html

 

Regards

Tushar Bangia

Please rate the post if you find it helpful.

0 Helpful

nkarthikeyan
Level 7
Level 7

‎06-21-2014 12:40 AM

Hi,

 

You have to do DNS doctoring or Hair Pinning on your ASA to have the U-Turn of the traffic via the same interface..... The NAT and configuration parameters slightly changes based on the OS version which you use....

If you use 8.3+ OS which has new NAT syntax.

access-list outbound permit tcp <source lan> <web server public ip> eq www ( depends on your requirement)

nat (inside,outside) source static <Private IP Of web server> <public ip of web server> dns
!
policy-map global_policy
  class inspection_default 
    inspect dns

Hairpinning is quite different from this.... DNS doctoring would do your requirement.

 

in older 7.2 version

 

global (inside) 1 interface


nat (inside) 1 <Local LAN Subnet>

!--- The NAT statement defines which traffic should be natted.
!--- The whole inside subnet in this case.

static (inside,outside) <public IP> <private ip> netmask 255.255.255.255

!--- Static NAT statement mapping the WWW server's real address to a public 
!--- address on the outside interface.

static (inside,inside) <public IP> <private ip> netmask 255.255.255.255

for inspect statement on global policy

Configure DNS Inspection

In order to enable DNS inspection (if it has been previously disabled), perform these steps. In this example, DNS inspection is added to the default global inspection policy, which is applied globally by a service-policy command as though the ASA began with a default configuration. Refer to Using Modular Policy Framework for more information on service policies and inspection.

  1. Create an inspection policy map for DNS.

    ciscoasa(config)#policy-map type inspect dns MY_DNS_INSPECT_MAP

  2. From the policy-map configuration mode, enter parameter configuration mode to specify parameters for the inspection engine.

    ciscoasa(config-pmap)#parameters

  3. In policy-map parameter configuration mode, specify the maxiumum message length for DNS messages to be 512.

    ciscoasa(config-pmap-p)#message-length maximum 512

  4. Exit out of policy-map parameter configuration mode and policy-map configuration mode.

    ciscoasa(config-pmap-p)#exit
ciscoasa(config-pmap)#exit

  5. Confirm that the inspection policy-map was created as desired.

    ciscoasa(config)#show run policy-map type inspect dns
!
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512
!

  6. Enter policy-map configuration mode for the global_policy.

    ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#

  7. In policy-map configuration mode, specify the default layer 3/4 class map, inspection_default.

    ciscoasa(config-pmap)#class inspection_default
ciscoasa(config-pmap-c)#

  8. In policy-map class configuration mode, specify that DNS should be inspected using the inspection policy map created in steps 1-3.

    ciscoasa(config-pmap-c)#inspect dns MY_DNS_INSPECT_MAP

  9. Exit out of policy-map class configuration mode and policy-map configuration mode.

    ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit

  10. Verify that the global_policy policy-map is configured as desired.

    ciscoasa(config)#show run policy-map
!

!--- The configured DNS inspection policy map.

policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns MY_DNS_INSPECT_MAP

!--- DNS application inspection enabled.

!

  11. Verify that the global_policy is applied globally by a service-policy.

    ciscoasa(config)#show run service-policy
service-policy global_policy global

HTH

 

Regards

Karthik

0 Helpful

Marius Gunnerud
VIP
VIP
In response to nkarthikeyan

‎06-21-2014 03:23 AM

DNS doctoring will not work as it would seem that the DNS server is located on the local network that the user is connecting from (the DNS request will never pass through the firewall in this case.)

In your post you indicate that 192.168.1.10 is the servers real address, then you have your NAT statement backwards.

the ASA 8.2 and earlier format is as follows

static (real_int,mapped_int) mapped_address real_address

So your statement should look like the following

static (inside,inside) 10.10.10.100 192.168.1.10

You will also need to ensure that you have the following command enabled on the ASA

same-security-traffic permit intra-interface

 

Now having said all this, I still do not think it will work when accessing a webpage due to the asynchronous routing that will occur.  This is because the web server will see the source address as an address on its own subnet and send traffic directly to the inside host instead of back through the ASA.  The host will then send the next packet through the ASA firewall while the ASA will be expecting a different sequence number and think that the packet is spoofed and drop the packet.  A way to get around this is to enable TCP bypass...but this is usually not a recommended solution as it can be a security risk.

As an alternative solution I suggest you create a second DNS entry that resolves to the internal IP of the server for the internal hosts to use.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card