
DNS Doctoring Question

rsaeks (Level 1)

Hi there,

We are using an ASA5100 on 8.2(5).  I'm trying to look at granting access to our internal webserver to those connected to our guest network using an external DNS server.  I've enabled DNS inspection but can't seem to get the doctoring setup going for our device.  We are using three of the four interfaces as follows:

outside interface (connected to our ISP with a public IP)

inside interface (172.20.1.2 connected to our 3750 Gig1/0/2 with IP 172.20.1.1)

guest_inet interface (10.2.1.1 connected to 3750 Gig2/0/2 tagged VLAN 999)

The 3750 device connects to our local 192.168.x.x network.

Wireless guests are in the 10.2.1.0/24 subnet and use an external DNS.  External clients are able to resolve our web server to the public IP address 63.236.246.66 and NAT successfully directs them to the internal address 192.168.40.40.

I've enabled the DNS doctoring option on the static NAT entry on the inside interface but that didn't have an effect when running a dig hostname on a client connected to the guest subnet.  Do I need to put in a different NAT entry on the guest_inet interface?

Thanks!

10 Replies

Did you add an ACL inbound on the Guest interface permitting 10.2.1.0/24 access to 192.168.40.40?  Keep in mind that DNS doctoring substitutes the public IP of the server with the private IP so the host will be sending traffic to the private IP of the server.

--
Please remember to select a correct answer and rate helpful posts

turbo_engine26 (Level 4)

Hi,

Make sure a host in the guest subnet can access the web server locally in the first place. This can be done by using Identity NAT from the guest_inet interface to the interface where subnet 192.168.40.0 is located. Once verified, you can then test the access using the web server's public address. I am not sure if you want to add an ACL or not; this depends on the security level of the guest subnet interface.

DNS Rewrite (or Doctoring) works by replacing the web server's public IP with its private IP in the DNS reply, using the information found in the static NAT command.

Regards,

AM

I've put in a rule to allow access.  When running a packet-tracer command from the guest_inet interface with source 10.2.1.165 to 192.168.40.40 it displays the following with a packet dropped action:

nat (inside) 1 192.168.0.0 255.255.0.0
  match ip inside 192.168.0.0 255.255.0.0 guest_inet any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

Could you please post the full output of the packet tracer including the command used.

Also include a full configuration of the ASA (change public IPs and any other sensitive information such as passwords and usernames if required)


Here is our config with some items masked / removed:

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname GCS-FW-INTERNET
!
no names
name X.199 WiFi_Guest
name 192.168.48.55 GSSPRES01
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address X.6 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.20.1.2 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
 nameif guest_inet
 security-level 10
 ip address 10.2.1.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name glencoeschools.org
same-security-traffic permit intra-interface
!
!
access-list internet_in extended permit tcp any host X.65 eq www
access-list internet_in extended permit tcp any host X.66 eq www
access-list internet_in extended permit tcp any host X.69 eq www
access-list internet_in extended permit tcp any host X.70 eq www
access-list internet_in extended permit tcp any host X.71 eq www
access-list internet_in extended permit tcp any host X.72 eq www
access-list internet_in extended permit tcp any host X.73 eq www
access-list internet_in extended permit tcp any host X.74 eq www
access-list internet_in extended permit tcp any host X.75 eq www
access-list internet_in extended permit tcp any host X.76 eq www
access-list internet_in extended permit tcp any host X.76 eq https
access-list internet_in extended permit tcp any host X.80 eq www
access-list internet_in extended permit tcp any host X.81 eq www
access-list internet_in extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list internet_in extended permit ip 172.16.48.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list internet_in extended permit ip 172.16.48.0 255.255.255.240 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip host X.145 192.168.0.0 255.255.0.0
access-list internet_in extended permit tcp 10.2.1.0 255.255.255.0 any eq domain inactive
access-list internet_in extended permit tcp any 10.2.1.0 255.255.255.0 eq domain inactive
access-list internet_in extended permit icmp any any inactive
access-list internet_in extended permit ip host X.210 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip host X.9 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip 172.16.56.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip host X.218 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.48.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.56.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 X.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.156
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.145
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.210
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.249
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.218
access-list outside_cryptomap extended permit ip any 172.20.1.0 255.255.255.0
access-list outside_access_out extended deny tcp any any eq 82
access-list outside_access_out extended permit ip any any
access-list Glencoe standard permit 192.168.0.0 255.255.0.0
access-list guest_inet_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 1040000
logging monitor debugging
logging buffered debugging
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu guest_inet 1500
mtu management 1500
ip local pool VPN_Pool 172.20.1.10-172.20.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (guest_inet) 1 10.2.1.0 255.255.255.0
static (inside,outside) tcp X.65 www 192.168.40.36 www netmask 255.255.255.255
static (inside,outside) tcp 6.78 https 192.168.40.8 https netmask 255.255.255.255
static (inside,outside) X.66 192.168.40.40 netmask 255.255.255.255
static (inside,outside) X.73 192.168.40.44 netmask 255.255.255.255
static (inside,outside) X.74 192.168.40.46 netmask 255.255.255.255
static (inside,outside) X.76 192.168.40.38 netmask 255.255.255.255
static (inside,outside) X.71 192.168.40.42 netmask 255.255.255.255
static (inside,outside) X.70 192.168.40.41 netmask 255.255.255.255
static (inside,outside) X.72 192.168.40.43 netmask 255.255.255.255 dns
access-group internet_in in interface outside
access-group outside_access_out out interface outside
access-group guest_inet_access_in in interface guest_inet
!
router eigrp 7159
 no auto-summary
 network X.144 255.255.255.240
 network 172.20.1.0 255.255.255.0
 network 192.168.40.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 X.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.40.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 192.168.40.200 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
!
!
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8ef56df1de9dd36f9dcff934d746ff65
: end

Packet Tracer is:

GCS-FW-INTERNET# packet-tracer input guest_inet tcp 10.2.1.90 1069 192.168.40.40 http

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.40.0    255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group guest_inet_access_in in interface guest_inet
access-list guest_inet_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (guest_inet) 1 10.2.1.0 255.255.255.0
  match ip guest_inet 10.2.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (X.146 [Interface PAT])
    translate_hits = 70348, untranslate_hits = 3530
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 192.168.0.0 255.255.0.0
  match ip inside 192.168.0.0 255.255.0.0 guest_inet any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Result:
input-interface: guest_inet
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Since it is a long post: I'm trying to have a device on our guest wireless subnet (10.2.1.0/24) access one of our webservers at 192.168.40.40.  I'm pretty confident that once the syntax is set up for allowing this one host I can change it to match the others.

Thanks everyone for the info so far!

First off the NAT statement for 192.168.40.40 is not configured for DNS doctoring.  Add the dns keyword at the end of the statement.

static (inside,outside) X.66 192.168.40.40 netmask 255.255.255.255


I added the dns keyword to the NAT line (sorry about grabbing the old config without it in place) and still have the same issue.  When I run an nslookup or dig on a host I still receive the public IP address.

Hmmm, that is odd.

Well, to get this working you could NAT from the guest interface to the inside interface. It is not DNS doctoring, but it should also work.

static (inside,guest_inet) X.73 192.168.40.44 netmask 255.255.255.255


Hi,

I can't see the DNS inspection enabled in the "global_policy" policy map. You must activate DNS inspection prior to configuring DNS doctoring. Please use the following:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Regards,

AM

After some time on the phone with TAC we found the following:

Even though the DNS doctoring configuration was set, it was not being honored.  We added the guest_inet subnet to the outside NAT pool:

nat (guest_inet) 1 10.2.1.0 255.255.255.0 outside

Created static NAT entries for each server using:

static (inside,guest_inet) PUBLIC_IP PRIVATE_IP netmask 255.255.255.255

Once that was done all was good.
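As an added example (not from the thread, from TAC, or from Cisco documentation), here is a consolidated 8.2(5) fragment that ties together the three things the replies above establish: DNS inspection has to be active in the global policy before the dns keyword on a static does anything, the web server's static needs that dns keyword, and the TAC fix adds a second static between inside and guest_inet together with the outside keyword on the guest NAT rule. It also replaces the guest interface's "permit ip any any" with a least-privilege ACL, which the thread never does but which any guest network in front of a 192.168.0.0/16 internal range needs. X.66 is the thread's masked public address. Putting the dns keyword on the inside/guest_inet static, the ACL design, and the verification commands are my assumptions for this example and were not run on the original device.

```cisco
! ---- Added example, not the posted config or the TAC fix verbatim ----
! X.66 = masked public address of the web server 192.168.40.40 (from thread)

! 1. DNS inspection must be on the global policy, or the dns keyword on a
!    static is never consulted (the posted global_policy had no inspect).
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! 2. Static for Internet clients, now with dns so A records carrying X.66
!    in replies crossing inside/outside are rewritten to 192.168.40.40.
static (inside,outside) X.66 192.168.40.40 netmask 255.255.255.255 dns

! 3. The TAC fix: a static for the same pair between inside and guest_inet,
!    so a guest host can reach X.66 (or 192.168.40.40 if the reply was
!    rewritten) without hitting the rpf-check DROP from the packet-tracer.
!    The dns keyword on this line is an assumption made for this example.
static (inside,guest_inet) X.66 192.168.40.40 netmask 255.255.255.255 dns
nat (guest_inet) 1 10.2.1.0 255.255.255.0 outside

! 4. Least privilege on the guest interface (assumed design, not from the
!    thread): replace "permit ip any any".  The destination is listed both
!    ways because on 8.2 the ingress ACL sees the address the client sent,
!    which depends on whether its DNS reply was rewritten.
no access-list guest_inet_access_in extended permit ip any any
access-list guest_inet_access_in extended permit udp 10.2.1.0 255.255.255.0 any eq domain
access-list guest_inet_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 192.168.40.40 eq www
access-list guest_inet_access_in extended permit tcp 10.2.1.0 255.255.255.0 host X.66 eq www
access-list guest_inet_access_in extended deny ip 10.2.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list guest_inet_access_in extended deny ip 10.2.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list guest_inet_access_in extended deny ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list guest_inet_access_in extended permit ip 10.2.1.0 255.255.255.0 any
access-group guest_inet_access_in in interface guest_inet

! 5. Static and nat changes on 8.2 do not affect existing translations.
clear xlate

! 6. Verify from the ASA before testing from a guest client.
show service-policy inspect dns
packet-tracer input guest_inet tcp 10.2.1.90 1069 192.168.40.40 http
packet-tracer input guest_inet tcp 10.2.1.90 1069 X.66 http
show xlate
```

The two packet-tracer runs are the same test the original poster ran, once against the real address and once against the public one; after the inside/guest_inet static is in place the NAT rpf-check phase should report ALLOW rather than the "No matching global" DROP shown earlier, for both destinations. The deny lines in the ACL sit before the final permit so that guests keep Internet access through the existing PAT on outside while being blocked from the rest of 192.168.0.0/16, the 172.20.1.0/24 inside/VPN range and the DMZ; if the guest network should reach more internal servers, add a specific permit per server rather than widening the deny.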
