
DNS rewrite not working

Hi,

I am trying to configure the DNS rewrite option on my ASA 5520 with version 8.2(1) and ASDM 6.2(1),

but I am still getting the public IP and not the private IP.

DNS inspection is there. Maybe a bug.

1 ACCEPTED SOLUTION

Cisco Employee

Re: DNS rewrite not working

That is absolutely correct! This is mentioned in the configuration guide for the ASA -

http://tools.cisco.com/squish/55AC0

The first "note" on this link mentions the following -

DNS rewrite is not applicable for PAT because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.

-Swaraj
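The rewrite-or-leave decision described in the accepted answer, as an added Python example that is not part of the original thread or of Cisco's code: a DNS-doctoring style pass over the A records of a constructed DNS response, rewriting an answer only when the public IP maps to exactly one private host. The NAT table, the addresses and the response bytes are constructed for illustration; the real ASA keys PAT entries by port, which the simplified table models as several private IPs behind one public IP.

```python
import ipaddress
import struct

# Constructed NAT table (not from the thread): public IP -> private IPs behind it.
# One-to-one static NAT gives one private IP; PAT by port gives several.
NAT_TABLE = {
    "203.0.113.10": {"10.1.1.10"},               # static NAT: rewrite is possible
    "203.0.113.20": {"10.1.1.20", "10.1.1.21"},  # PAT: ambiguous, left alone
}

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer occupies two bytes
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def rewrite_a_records(msg: bytes, nat_table=NAT_TABLE):
    """Apply the DNS-doctoring rule to A answers; return (new_msg, decisions)."""
    buf = bytearray(msg)
    decisions = []
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12                                    # end of the 12-byte header
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:           # A record with IPv4 rdata
            public = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            candidates = nat_table.get(public, set())
            if len(candidates) == 1:            # exactly one mapping: rewrite it
                private = next(iter(candidates))
                buf[off:off + 4] = ipaddress.IPv4Address(private).packed
                decisions.append(f"{public} -> {private}")
            elif candidates:                    # several PAT targets: ambiguous
                decisions.append(f"{public} ambiguous, left unchanged")
        off += rdlen
    return bytes(buf), decisions
def build_response(name: str, public_ip: str) -> bytes:
    """Constructed minimal DNS response: one question, one A answer."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + qname + struct.pack("!HH", 1, 1) + answer + ipaddress.IPv4Address(public_ip).packed
```

Running `rewrite_a_records(build_response("www.example.com", "203.0.113.10"))` rewrites the answer to 10.1.1.10, while the same call with 203.0.113.20 returns the response untouched because two private hosts sit behind that public IP.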

5 REPLIES
Cisco Employee

DNS rewrite not working

Hi,

Could you let me know more about your topology and configuration?

Where is the DNS server and the server (URL which you are trying to resolve) located w.r.t. the ASA?

For DNS rewrite to work properly, you must have your DNS server located across the firewall, i.e., the DNS request from a machine should cross the firewall and go to another interface and then come back via the same path. This means that DNS inspection won't work if you have both the resolving client and the DNS server in the same network segment. Of course, this is in addition to DNS inspection being configured on the firewall.

As an example, let's consider the following example -

client--inside--ASA--outside--DNS server

Client tries to resolve a URL for a server on the inside network of the ASA.

The DNS query then goes through the ASA and reaches the DNS server. The public DNS server on the internet responds with the public IP address of the internal server (this server is local for the client).

The DNS response packet has the public IP address of the server in its payload. The ASA intercepts this response packet to rewrite the IP in the response packet to the private IP address of the server.

The question is: how does the ASA understand what the private IP address of the server is?

Well, it understands this based on the static NAT configured for the internal server. Hence, it is also required that the NAT be enabled with the DNS keyword for rewrite to work.

Please check if your scenario satisfies all these requirements.

Silver

DNS rewrite not working

My server is located in the DMZ.

My DNS is on the outside (ISP DNS).

Static NAT is configured with the dns option.

DNS inspection is configured.

But when I ping my server I still get the public IP!

Cisco Employee

DNS rewrite not working

Ok. What about the hosts that you are sourcing the ping from, are they also on the DMZ?

Assuming that the host you are sourcing the ping from is also on the DMZ, let's apply captures on the DMZ interface as below -

host ip x.x.x.x

#cap capi interface DMZ match udp host host eq 53

You can then download the capture in pcap format if you have HTTPS enabled on the ASA's DMZ interface by entering the following URL on a web browser -

https:///capture/capi/pcap

Could you also post the relevant configuration from the device?

Regards,

Swaraj

Silver

DNS rewrite not working

Ummm, I found the problem.

Imagine you are the firewall and you see a DNS reply from the public DNS server; you open the DNS packet and you find one public IP that you must rewrite. You will look at the static NAT statements and you find that this public IP is NATted to different private IPs depending on the TCP port. So you can't know which one is the good one. So you will not translate.

However, if the NAT does not depend on the TCP port, then DNS rewrite is done.

