Chapter 25 Configuring Application Layer Protocol Inspection
DNS Inspection

• real_ifc—The name of the interface connected to the real addresses.
• mapped_ifc—The name of the interface where you want the addresses to be mapped.
• mapped-address—The translated IP address of the web server.
• real-address—The real IP address of the web server.

Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests.

hostname(config)# access-list acl-name extended permit tcp any host mapped-address eq port

where the arguments are as follows:

• acl-name—The name you give the access list.
• mapped-address—The translated IP address of the web server.
• port—The TCP port that the web server listens to for HTTP requests.

Step 3 Apply the access list created in Step 2 to the mapped interface. To do so, use the access-group command, as follows:

hostname(config)# access-group acl-name in interface mapped_ifc

Step 4 If DNS inspection is disabled or if you want to change the maximum DNS packet length, configure DNS inspection. DNS application inspection is enabled by default with a maximum DNS packet length of 512 bytes. For configuration instructions, see the "Configuring Application Inspection" section on page 25-5.

Step 5 On the public DNS server, add an A-record for the web server, such as:

domain-qualified-hostname. IN A mapped-address

where domain-qualified-hostname is the hostname with a domain suffix, as in server.example.com. The period after the hostname is important. mapped-address is the translated IP address of the web server.

The following example configures the security appliance for the scenario shown in Figure 25-1. It assumes DNS inspection is already enabled.

hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.1 netmask 255.255.255.255 dns
hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www
hostname(config)# access-group 101 in interface outside

This configuration requires the following A-record on the DNS server:

server.example.com. IN A 209.165.200.225

DNS Rewrite with Three NAT Zones

Figure 25-2 provides a more complex scenario to illustrate how DNS inspection allows NAT to operate transparently with a DNS server with minimal configuration. For configuration instructions for scenarios like this one, see the "Configuring DNS Rewrite with Three NAT Zones" section on page 25-19.

Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
25-17
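The effect of the dns keyword on the static command, and of the packet-length limit from Step 4, is easier to see when the rewrite is modelled directly on a DNS reply. The following Python is an added example written for this page; it is not Cisco code and does not describe how the security appliance implements inspection. It assumes the Figure 25-1 direction only (a reply from the outside DNS server toward an inside client, in which the mapped address is rewritten to the real address), uses the addresses and hostname from the page's own configuration example, constructs its own DNS reply packet as test input, and applies the 512-byte default length as a drop check. The function names (inspect_dns_reply, answered_addresses, build_a_response) are this example's own.

```python
import socket
import struct

# Static translation from the page's own example, mapped -> real, as created by
# "static (inside,outside) 209.165.200.225 192.168.100.1 netmask 255.255.255.255 dns".
# Assumption: this models only the Figure 25-1 case, a reply from the outside
# DNS server toward an inside client, so rewriting runs mapped -> real.
NAT_TABLE = {"209.165.200.225": "192.168.100.1"}

TYPE_A = 1
MAX_DNS_PACKET = 512   # default maximum DNS packet length named in Step 4


def _skip_name(pkt, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _iter_records(pkt):
    """Yield (rtype, rdata_offset, rdlen) for every resource record in a DNS message."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def _encode_name(name):
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(qname, addr, txn_id=0x1234, ttl=300):
    """Constructed test input: a minimal DNS reply carrying one A record."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = (b"\xc0\x0c"                                         # pointer to question name
              + struct.pack("!HHIH", TYPE_A, 1, ttl, 4)
              + socket.inet_aton(addr))
    return header + question + answer


def answered_addresses(pkt):
    """Dotted-quad addresses of all A records in a DNS message."""
    return [socket.inet_ntoa(bytes(pkt[off:off + 4]))
            for rtype, off, rdlen in _iter_records(pkt)
            if rtype == TYPE_A and rdlen == 4]


def inspect_dns_reply(pkt, nat_table, max_len=MAX_DNS_PACKET):
    """Model of DNS inspection on a reply: enforce the length limit, then rewrite
    A-record rdata that matches a static translation carrying the dns keyword.
    Returns (packet_or_None, list of (address_seen, address_rewritten_to))."""
    if len(pkt) > max_len:
        return None, []                    # oversized: inspection drops the packet
    flags = struct.unpack("!H", pkt[2:4])[0]
    if not flags & 0x8000:                 # a query carries no answers to rewrite
        return pkt, []
    buf = bytearray(pkt)
    rewrites = []
    for rtype, off, rdlen in _iter_records(buf):
        if rtype != TYPE_A or rdlen != 4:
            continue
        seen = socket.inet_ntoa(bytes(buf[off:off + 4]))
        real = nat_table.get(seen)
        if real:
            buf[off:off + 4] = socket.inet_aton(real)
            rewrites.append((seen, real))
    return bytes(buf), rewrites


if __name__ == "__main__":
    reply = build_a_response("server.example.com", "209.165.200.225")
    fixed, changes = inspect_dns_reply(reply, NAT_TABLE)
    print("before:", answered_addresses(reply))   # ['209.165.200.225']
    print("after: ", answered_addresses(fixed))   # ['192.168.100.1']
    print("rewrites:", changes)
```

Running the script shows the inside client receiving 192.168.100.1 for server.example.com even though the public DNS server holds the 209.165.200.225 A-record required in Step 5, which is the point of the dns keyword: the one public record serves both sides of the translation. A reply for a name whose address has no static translation passes through unchanged, and a reply longer than the configured maximum is dropped rather than inspected.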