New Member

accessing DNS from DMZ NAT issue

Hi,

I had a problem in that I mapped a global DMZ ip address (192.168.2.21) to a DNS server that exists two hops (192.168.100.21) behind my inside interface. I wanted my DMZ servers to query this DNS server using a DMZ global address. I could not get this to work. Here is a sample config that doesn't work. (routing has been considered) (Debug shows no packet leaving DMZ interface when DNS query was done)

nameif ethernet0 outside (sec 0)
nameif ethernet1 DMZ (sec 25)
nameif ethernet2 inside (sec 100)
ip address outside 192.168.1.1 255.255.255.0
ip address DMZ 192.168.2.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
access-list DMZ-IN permit tcp host 192.168.2.20 host 192.168.2.21 eq 53
access-list DMZ-IN permit udp host 192.168.2.20 host 192.168.2.21 eq 53
static (inside,DMZ) 192.168.2.21 192.168.100.21

Now, how I got this to work was I mapped an inside global address to the inside local DNS server. Working config is below, excluding the interface stuff:

access-list DMZ-IN permit tcp host 192.168.2.20 host 192.168.3.21 eq 53
access-list DMZ-IN permit udp host 192.168.2.20 host 192.168.3.21 eq 53
static (inside,DMZ) 192.168.3.21 192.168.100.21

I suspect that this is due to bullet number 3 on the NAT order of operation table. Since the source (192.168.2.20) and destination (192.168.2.21) are on the same subnet, this traffic isn't being checked by the DMZ-IN ACL (no hits).

Can anyone substantiate this and is there a security risk as I map my inside global IP addresses to my inside local DNS server address?

Kind Regards

Jeff
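As an added example (not part of the original thread), a small Python checker for the static/ACL pairing discussed above: on pre-8.3 PIX/ASA an ACL on the DMZ interface must reference the mapped (global) address of the static, not the real inside address. The config text is a constructed sample built from the first configuration in the post; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample based on the first configuration in the post.
PIX_CONFIG = """\
nameif ethernet1 DMZ security25
nameif ethernet2 inside security100
ip address DMZ 192.168.2.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
access-list DMZ-IN permit tcp host 192.168.2.20 host 192.168.2.21 eq 53
access-list DMZ-IN permit udp host 192.168.2.20 host 192.168.2.21 eq 53
static (inside,DMZ) 192.168.2.21 192.168.100.21
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) host (\S+) host (\S+)")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")

def parse(config):
    """Split a PIX config into statics, ACL entries and interface subnets."""
    statics, acls, subnets = [], [], {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append({"real_if": m[1], "mapped_if": m[2], "mapped": m[3], "real": m[4]})
        elif m := ACL_RE.match(line):
            acls.append({"name": m[1], "proto": m[2], "src": m[3], "dst": m[4]})
        elif m := IPADDR_RE.match(line):
            subnets[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
    return statics, acls, subnets

def check_acl(config, acl_name, acl_if):
    """Findings for ACL destinations that are not statics mapped onto acl_if."""
    statics, acls, subnets = parse(config)
    mapped_on_if = {s["mapped"]: s for s in statics if s["mapped_if"] == acl_if}
    real_addrs = {s["real"]: s for s in statics}
    findings = []
    for ace in (a for a in acls if a["name"] == acl_name):
        dst = ace["dst"]
        if dst in mapped_on_if:
            continue  # ACL correctly names the mapped address
        if dst in real_addrs:
            findings.append(f"{dst} is a real address; use mapped {real_addrs[dst]['mapped']}")
        else:
            findings.append(f"{dst} has no static mapped onto {acl_if}")
    # Informational: an off-subnet mapped address (the post's second config) is
    # reachable only because the PIX is the DMZ hosts' default gateway.
    for s in mapped_on_if.values():
        if acl_if in subnets and ipaddress.ip_address(s["mapped"]) not in subnets[acl_if]:
            findings.append(f"note: mapped {s['mapped']} is off the {acl_if} subnet")
    return findings
```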

4 REPLIES
New Member

Re: accessing DNS from DMZ NAT issue

I think that won't work....

cause the DNS server that exists two hops away on inside (192.168.100.21) will not come to ASA for the connectivity....

it will reach the destination before it reaches the inside interface...

The rules will apply only if the traffic is passing through the PIX...

i.e. the source and destination are on different interfaces...

Re: accessing DNS from DMZ NAT issue

Your first configuration is definitely OK. You need to make sure the DMZ hosts know the way to your DNS (routing). Also make sure the DNS knows the way back to your DMZ hosts (routing).

Your second configuration might work but it does not make sense.

I hope it helps... please rate it if it does!!!

New Member

Re: accessing DNS from DMZ NAT issue

Fernando,

Can you try a similar config to the config that you say should definitely work? I could not get this to work and I do have routing paths established.

Please setup a test and advise, I don't even see the packet leaving the DMZ interface with this config.

Regards

Jeff

New Member

Re: accessing DNS from DMZ NAT issue

Fernando,

I stand corrected. As you stated, this does work. The problem I found was the VMware machine was not using the firewall configured interface as required. After we've resolved the host issue, I can successfully use DMZ addresses mapped to inside hosts.

Kind Regards

Jeff
