Configuring DNS Rewrite with Three NAT Zones - Cisco PIX 500 Series Configuration Manual

Chapter 25 Configuring Application Layer Protocol Inspection
DNS Inspection

3. The security appliance receives the DNS reply and submits it to the DNS application inspection engine.

4. The DNS application inspection engine does the following:

   a. Searches for any NAT rule to undo the translation of the embedded A-record address "[outside]:209.165.200.5". In this example, it finds the following static configuration:

      static (dmz,outside) 209.165.200.225 192.168.100.10 dns

   b. Uses the static rule to rewrite the A-record as follows because the dns option is included:

      [outside]:209.165.200.225 --> [dmz]:192.168.100.10

      Note: If the dns option were not included with the static command, DNS Rewrite would not be performed and other processing for the packet continues.

   c. Searches for any NAT to translate the web server address, [dmz]:192.168.100.10, when communicating with the inside web client.

      No NAT rule is applicable, so application inspection completes.

      If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns option were not specified, the A-record rewrite in step b would be reverted and other processing for the packet continues.

5. The security appliance sends the HTTP request to server.example.com on the DMZ interface.

Configuring DNS Rewrite with Three NAT Zones

To enable the NAT policies for the scenario in Figure 25-2, perform the following steps:

Step 1  Create a static translation for the web server on the DMZ network, as follows:

        hostname(config)# static (dmz,outside) mapped-address real-address dns

        where the arguments are as follows:

        dmz—The name of the DMZ interface of the security appliance.
        outside—The name of the outside interface of the security appliance.
        mapped-address—The translated IP address of the web server.
        real-address—The real IP address of the web server.

Step 2  Create an access list that permits traffic to the port that the web server listens to for HTTP requests.

        hostname(config)# access-list acl-name extended permit tcp any host mapped-address eq port

        where the arguments are as follows:

        acl-name—The name you give the access list.
        mapped-address—The translated IP address of the web server.
        port—The TCP port that the web server listens to for HTTP requests.

Step 3  Apply the access list created in Step 2 to the outside interface. To do so, use the access-group command, as follows:

        hostname(config)# access-group acl-name in interface outside

Cisco Security Appliance Command Line Configuration Guide    OL-12172-03    25-19
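The rewrite decision the DNS inspection engine makes in steps a to c above, as an added model (not Cisco code): which address the inside client ends up seeing depends on whether a matching static exists, whether it carries the dns keyword, and whether a second NAT rule toward the client also carries it. The StaticRule fields, the function names and the 10.1.1.10 inside-side mapped address are assumptions for the illustration; the "forward rule with dns" case goes one step beyond the page's text, which only describes the no-rule and missing-dns outcomes.

```python
"""Model of the PIX/ASA DNS inspection A-record rewrite decision (steps a-c).
Added illustration, not Cisco code; rule fields and names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRule:
    """One 'static (real_if,mapped_if) mapped real [dns]' rule."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    dns: bool


def find_untranslate(rules: List[StaticRule], addr: str, addr_if: str) -> Optional[StaticRule]:
    """Step a: locate the static whose mapped address is the embedded A-record."""
    return next((r for r in rules if r.mapped_if == addr_if and r.mapped == addr), None)


def find_forward(rules: List[StaticRule], real: str, real_if: str, client_if: str) -> Optional[StaticRule]:
    """Step c: locate a NAT rule that translates the real address toward the client."""
    return next((r for r in rules if r.real_if == real_if and r.real == real
                 and r.mapped_if == client_if), None)


def inspect_a_record(rules: List[StaticRule], reply_addr: str, reply_if: str, client_if: str) -> str:
    """Return the A-record address the client finally receives."""
    rule = find_untranslate(rules, reply_addr, reply_if)
    if rule is None or not rule.dns:
        return reply_addr          # no static, or no dns keyword: no rewrite (Note after step b)
    rewritten = rule.real          # step b: [outside]:mapped --> [dmz]:real
    fwd = find_forward(rules, rule.real, rule.real_if, client_if)
    if fwd is None:
        return rewritten           # no NAT toward the client: inspection completes
    if not fwd.dns:
        return reply_addr          # forward rule lacks dns: the step-b rewrite is reverted
    return fwd.mapped              # forward rule has dns: client sees the inside-side mapped address


def three_zone_cases() -> dict:
    """The scenario above plus the failure modes the text describes (constructed inputs)."""
    web = StaticRule("dmz", "outside", "209.165.200.225", "192.168.100.10", dns=True)
    web_nodns = StaticRule("dmz", "outside", "209.165.200.225", "192.168.100.10", dns=False)
    inside_nodns = StaticRule("dmz", "inside", "10.1.1.10", "192.168.100.10", dns=False)
    inside_dns = StaticRule("dmz", "inside", "10.1.1.10", "192.168.100.10", dns=True)
    reply = ("209.165.200.225", "outside", "inside")   # A-record seen on outside, client on inside
    return {
        "rewrite": inspect_a_record([web], *reply),
        "no_dns_keyword": inspect_a_record([web_nodns], *reply),
        "reverted": inspect_a_record([web, inside_nodns], *reply),
        "forward_dns": inspect_a_record([web, inside_dns], *reply),
    }
```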