Cisco PIX 500 Series Configuration Manual page 482
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
DNS Inspection
Figure 25-2
erver.example.com IN A 209.165.200.5
In
Figure
interface of the security appliance. A web client with the IP address 10.10.10.25 is on the inside interface
and a public DNS server is on the outside interface. The site NAT policies are as follows:
•
The outside DNS server holds the authoritative address record for server.example.com.
•
Hosts on the outside network can contact the web server with the domain name server.example.com
through the outside DNS server or with the IP address 209.165.200.5.
Clients on the inside network can access the web server with the domain name server.example.com
•
through the outside DNS server or with the IP address 192.168.100.10.
When a host or client on any interface accesses the DMZ web server, it queries the public DNS server
for the A-record of server.example.com. The DNS server returns the A-record showing that
server.example.com binds to address 209.165.200.5.
When a web client on the outside network attempts to access http://server.example.com, the sequence of
events is as follows:
1.
The host running the web client sends the DNS server a request for the IP address of
server.example.com.
The DNS server responds with the IP address 209.165.200.225 in the reply.
2.
3.
The web client sends its HTTP request to 209.165.200.225.
4.
The packet from the outside host reaches the security appliance at the outside interface.
The static rule translates the address 209.165.200.225 to 192.168.100.10 and the security appliance
5.
directs the packet to the web server on the DMZ.
When a web client on the inside network attempts to access http://server.example.com, the sequence of
events is as follows:
The host running the web client sends the DNS server a request for the IP address of
1.
server.example.com.
2.
The DNS server responds with the IP address 209.165.200.225 in the reply.
Cisco Security Appliance Command Line Configuration Guide
25-18
DNS Rewrite with Three NAT Zones
DNS server
Outside
99.99.99.2
Inside
Web client
10.10.10.25
25-2, a web server, server.example.com, has the real address 192.168.100.10 on the DMZ
Chapter 25
Configuring Application Layer Protocol Inspection
Security
Web server
appliance
192.168.100.10
DMZ
192.168.100.1
10.10.10.1
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
