Configuring Dns Rewrite With Three Nat Zones - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Chapter 25
Configuring Application Layer Protocol Inspection
5.
Configuring DNS Rewrite with Three NAT Zones
To enable the NAT policies for the scenario in
Create a static translation for the web server on the DMZ network, as follows:
Step 1
hostname(config)# static (dmz,outside) mapped-address real-address dns
where the arguments are as follows:
•
•
•
•
Create an access list that permits traffic to the port that the web server listens to for HTTP requests.
Step 2
hostname(config)# access-list acl-name extended permit tcp any host mapped-address eq port
where the arguments are as follows:
acl-name—The name you give the access list.
mapped-address—The translated IP address of the web server.
port—The TCP port that the web server listens to for HTTP requests.
Apply the access list created in
Step 3
as follows:
hostname(config)# access-group acl-name in interface outside
If DNS inspection is disabled or if you want to change the maximum DNS packet length, configure DNS
Step 4
inspection. DNS application inspection is enabled by default with a maximum DNS packet length of 512
bytes. For configuration instructions, see the
page
On the public DNS server, add an A-record for the web server, such as:
Step 5
domain-qualified-hostname. IN A mapped-address
where
period after the hostname is important. mapped-address is the translated IP address of the web server.
The following example configures the security appliance for the scenario shown in
assumes DNS inspection is already enabled.
hostname(config)# static (dmz,outside) 209.165.200.225 192.168.100.10 dns
hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www
hostname(config)# access-group 101 in interface outside
This configuration requires the following A-record on the DNS server:
server.example.com. IN A 209.165.200.225
OL-10088-01
The security appliance sends the HTTP request to server.example.com on the DMZ interface.
dmz—The name of the DMZ interface of the security appliance.
outside—The name of the outside interface of the security appliance.
mapped-address—The translated IP address of the web server.
real-address—The real IP address of the web server.
25-5.
domain-qualified-hostname
Figure
25-2, perform the following steps:
Step 2
to the outside interface. To do so, use the access-group command,
"Configuring Application Inspection" section on
is the hostname with a domain suffix, as in server.example.com. The
Cisco Security Appliance Command Line Configuration Guide
DNS Inspection
Figure
25-2. It
25-19
Advertisement
Table of Contents
Troubleshooting
