02-24-2014 02:07 AM - edited 03-11-2019 08:49 PM
Hi,
I am trying to configure the DNS rewrite option on my ASA 5520 with version 8.2(1) and ASDM 6.2(1),
but I am still getting the public IP and not the private IP.
DNS inspection is there. Maybe a bug.
02-24-2014 04:47 AM
Hi,
Could you let me know more about your topology and configuration?
Where is the DNS server and the server (URL which you are trying to resolve) located w.r.t the ASA?
For DNS rewrite to work properly, you must have your DNS server located across the firewall, i.e., the DNS request from a machine should cross the firewall and go to another interface and then come back via the same path. This means that DNS inspection won't work if you have both the resolving client and the DNS server in the same network segment. Of course, this is in addition to DNS inspection being configured on the firewall.
As an example, let's consider the following -
client--inside--ASA--outside--DNS server
Client tries to resolve a URL for a server on the inside network of the ASA.
The DNS query then goes through the ASA and reaches the DNS server. The public DNS server on the internet responds with the public IP address of the internal server (this server is local for the client).
The DNS response packet has the public IP address of the server in its payload. The ASA intercepts this response packet to rewrite the IP in the response packet to the private IP address of the server.
The question is, how does the ASA know what the private IP address of the server is?
Well, it understands this based on the static NAT configured for the internal server. Hence, it is also required that the NAT be enabled with the DNS keyword for rewrite to work.
Please check if your scenario satisfies all these requirements.
02-24-2014 08:20 PM
My server is located in the DMZ.
My DNS is on the outside (ISP DNS).
Static NAT is configured with the dns option.
DNS inspection is configured.
But when I ping my server I still get the public IP!!!!!!!!
02-25-2014 06:11 AM
Ok. What about the hosts that you are sourcing the ping from, are they also on the DMZ?
Assuming that the host you are sourcing the ping from is also on the DMZ, let's apply captures on the DMZ interface as below -
#cap capi interface DMZ match udp host <host ip x.x.x.x>
You can then download the capture in pcap format if you have HTTPS enabled on the ASA's DMZ interface by entering the following URL on a web browser -
https://
Could you also post the relevant configuration from the device?
Regards,
Swaraj
02-26-2014 12:46 AM
Ummm I found the problem
Imagine you are the firewall and you see a DNS reply from the public DNS server; you open the DNS packet and you find one public IP that you must rewrite. You will look at the static NAT statements and you find that this public IP is NATted to different private IPs depending on the TCP port. So you can't know which one is the good one. So you will not translate.
However, if the NAT does not depend on the TCP port, then DNS rewrite is done :)
02-26-2014 01:06 AM
That is absolutely correct! This is mentioned in the configuration guide for the ASA -
http://tools.cisco.com/squish/55AC0
The first "note" on this link mentions the following -
DNS rewrite is not applicable for PAT because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.
-Swaraj
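The following is an added example, not code from the thread or from Cisco, that models the decision described in the two posts above: a DNS A-record whose public address belongs to a single 1:1 `static` entry carrying the `dns` keyword is rewritten to the real address, while a public address shared by port-based (PAT) `static` entries is ambiguous and left untouched. The config lines are constructed samples in the 8.2 `static` syntax using RFC 5737 documentation addresses; the parser regexes and the `rewrite_a_record` rules are this example's own simplification, not the ASA's implementation.

```python
"""Model of the ASA DNS-rewrite decision described in the thread.

Constructed example: parses 8.2-style ``static`` NAT lines, then decides
whether an A-record in a DNS reply can be rewritten to the real (DMZ)
address. The parser and the decision rules are this example's own, not the
ASA code; the rules follow the thread: a 1:1 static with the ``dns`` keyword
is rewritten, a port-based (PAT) static is ambiguous and left alone.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Two 8.2-era forms of the "static" command (constructed regexes, not Cisco's grammar):
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [dns]
#   static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask mask [dns]
ONE_TO_ONE = re.compile(
    r"^static \((\w+),(\w+)\) (?P<mapped>\S+) (?P<real>\S+) netmask \S+(?P<dns> dns)?$")
PORT_BASED = re.compile(
    r"^static \((\w+),(\w+)\) (?P<proto>tcp|udp) (?P<mapped>\S+) (?P<mport>\S+) "
    r"(?P<real>\S+) (?P<rport>\S+) netmask \S+(?P<dns> dns)?$")


@dataclass
class Translation:
    mapped_ip: str             # public address as it appears in the DNS reply
    real_ip: str               # address of the host on the DMZ interface
    proto: Optional[str]       # None for a 1:1 static, "tcp"/"udp" for port-based PAT
    mapped_port: Optional[str]
    dns_rewrite: bool          # True when the "dns" keyword was present


def parse_static(line: str) -> Translation:
    """Parse one static command; raises ValueError for forms this model does not handle."""
    m = PORT_BASED.match(line)
    if m:
        return Translation(m["mapped"], m["real"], m["proto"], m["mport"], m["dns"] is not None)
    m = ONE_TO_ONE.match(line)
    if m:
        return Translation(m["mapped"], m["real"], None, None, m["dns"] is not None)
    raise ValueError(f"unsupported static form: {line!r}")


def parse_config(text: str) -> List[Translation]:
    """Collect every static line from a config fragment, ignoring other lines."""
    return [parse_static(l.strip()) for l in text.splitlines() if l.strip().startswith("static ")]


def rewrite_a_record(answer_ip: str, nat: List[Translation]) -> Tuple[str, str]:
    """Return (address to put in the reply, reason) for one A-record answer."""
    matches = [t for t in nat if t.mapped_ip == answer_ip]
    if not matches:
        return answer_ip, "no static entry for this address; left unchanged"
    if any(t.proto is not None for t in matches):
        # The case the thread hit: several PAT rules share one public IP, so the
        # firewall cannot tell which real host the A-record refers to.
        return answer_ip, "port-based PAT entries share this address; ambiguous, left unchanged"
    reals = {t.real_ip for t in matches if t.dns_rewrite}
    if len(reals) == 1:
        return reals.pop(), "1:1 static with dns keyword; rewritten"
    if not reals:
        return answer_ip, "1:1 static without the dns keyword; left unchanged"
    return answer_ip, "several real addresses for one mapped address; ambiguous, left unchanged"


def rewrite_reply(answers: List[str], nat: List[Translation]) -> List[str]:
    """Apply the decision to every A-record in a reply (a reply can carry several)."""
    return [rewrite_a_record(ip, nat)[0] for ip in answers]


# Constructed config fragment in the 8.2 syntax, with RFC 5737 documentation addresses.
SAMPLE_CONFIG = """
static (dmz,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns
static (dmz,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.20 80 10.1.1.20 80 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.20 25 10.1.1.21 25 netmask 255.255.255.255
"""
NAT_TABLE = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.20", "198.51.100.1"):
        new_ip, why = rewrite_a_record(ip, NAT_TABLE)
        print(f"{ip:>14} -> {new_ip:<14} {why}")
```

Running the block prints one line per sample address: only 203.0.113.10 is rewritten; 203.0.113.11 is left alone because its static lacks the dns keyword, and 203.0.113.20 is left alone because two port-based statics share it, which is exactly the situation the original poster found.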