Configuring Dns Rewrite - Cisco PIX 500 Series Configuration Manual

Security appliance command line
Chapter 25
Configuring Application Layer Protocol Inspection

DNS Inspection

DNS Rewrite performs two functions:

• Translating a public address (the routable or "mapped" address) in a DNS reply to a private address (the "real" address) when the DNS client is on a private interface.
• Translating a private address to a public address when the DNS client is on the public interface.

In Figure 25-1, the DNS server resides on the external (ISP) network. The real address of the server (192.168.100.1) has been mapped using the static command to the ISP-assigned address (209.165.200.5). When a web client on the inside interface attempts to access the web server with the URL http://server.example.com, the host running the web client sends a DNS request to the DNS server to resolve the IP address of the web server. The security appliance translates the non-routable source address in the IP header and forwards the request to the ISP network on its outside interface. When the DNS reply is returned, the security appliance applies address translation not only to the destination address, but also to the embedded IP address of the web server, which is contained in the A-record in the DNS reply. As a result, the web client on the inside network gets the correct address for connecting to the web server on the inside network. For configuration instructions for scenarios similar to this one, see the "Configuring DNS Rewrite with Two NAT Zones" section on page 25-16.

Figure 25-1 Translating the Address in a DNS Reply (DNS Rewrite)

[Figure: the web client (192.168.100.2) and the web server (192.168.100.1) sit on the inside of the security appliance; the DNS server sits on the ISP Internet side. The DNS server holds the record "server.example.com IN A 209.165.200.5". The client requests http://server.example.com; in the reply forwarded to the inside, the A-record address 209.165.200.5 is rewritten to 192.168.100.1.]

DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server is on an inside interface. For an illustration and configuration instructions for this scenario, see the "DNS Rewrite with Three NAT Zones" section on page 25-17.

Configuring DNS Rewrite

You configure DNS rewrite using the alias, static, or nat commands. The alias and static commands can be used interchangeably; however, we recommend using the static command for new deployments because it is more precise and unambiguous. Also, DNS rewrite is optional when using the static command.

This section describes how to use the alias and static commands to configure DNS rewrite. It provides configuration procedures for using the static command in a simple scenario and in a more complex scenario. Using the nat command is similar to using the static command except that DNS Rewrite is based on dynamic translation instead of a static mapping.

This section includes the following topics:

• Using the Static Command for DNS Rewrite, page 25-16

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 25-15
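The A-record rewrite described for the Figure 25-1 scenario, shown as an added Python simulation; this is not the security appliance's code and not taken from the Cisco guide. It builds a DNS reply for server.example.com in wire format, walks the answer section, and overwrites the 4-byte RDATA of each A record according to a translation table. The table STATIC_MAP (mapped 209.165.200.5 to real 192.168.100.1), the transaction ID and the TTL are constructed for the example; the same function covers the second direction the section names (private to public, for a DNS client on the public interface) by passing the inverted table REVERSE_MAP.

```python
"""Added example: simulation of the DNS rewrite step (not the appliance's code)."""
import struct
import ipaddress

TYPE_A = 1

# Constructed translation table for the Figure 25-1 scenario:
# mapped (public) -> real (private), the direction applied for a client on the inside.
STATIC_MAP = {"209.165.200.5": "192.168.100.1"}
# real -> mapped, the direction applied when the DNS client is on the public interface.
REVERSE_MAP = {real: mapped for mapped, real in STATIC_MAP.items()}


def encode_name(name: str) -> bytes:
    """Encode a domain name as a sequence of DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_reply(qname: str, answer_ip: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed DNS reply: one question and one A answer whose name is a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA set; NOERROR
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)   # QTYPE=A, QCLASS=IN
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + rr


def _answer_rdata(msg: bytes):
    """Yield (rtype, rdata_offset, rdlen) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                                # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def answer_a_records(msg: bytes) -> list:
    """List the IPv4 addresses carried by the A records in the answer section."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for rtype, off, rdlen in _answer_rdata(msg) if rtype == TYPE_A and rdlen == 4]


def rewrite_a_records(msg: bytes, mapping: dict) -> tuple:
    """Apply the translation table to every A record in the answer section.

    Only the 4-byte RDATA is overwritten, so the message length, the name
    compression pointers and the transaction ID all stay valid.
    Returns (new_message, [(old_ip, new_ip), ...]).
    """
    buf = bytearray(msg)
    changes = []
    for rtype, off, rdlen in _answer_rdata(msg):
        if rtype != TYPE_A or rdlen != 4:
            continue                                   # AAAA, CNAME etc. are left untouched
        old = str(ipaddress.IPv4Address(msg[off:off + 4]))
        new = mapping.get(old)
        if new is not None:
            buf[off:off + 4] = ipaddress.IPv4Address(new).packed
            changes.append((old, new))
    return bytes(buf), changes


if __name__ == "__main__":
    reply = build_reply("server.example.com", "209.165.200.5")
    inside_view, changed = rewrite_a_records(reply, STATIC_MAP)
    print("DNS server answered:", answer_a_records(reply))
    print("inside client sees:  ", answer_a_records(inside_view), changed)
```

Addresses that have no entry in the table pass through unchanged, which is the behaviour to expect for A records that do not belong to a translated host; a reply whose answer section contains several records is handled record by record.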