Chapter 25
Configuring Application Layer Protocol Inspection
Step 4
If DNS inspection is disabled or if you want to change the maximum DNS packet length, configure DNS
inspection. DNS application inspection is enabled by default with a maximum DNS packet length of 512
bytes. For configuration instructions, see the
page
On the public DNS server, add an A-record for the web server, such as:
Step 5
domain-qualified-hostname. IN A mapped-address
where
period after the hostname is important. mapped-address is the translated IP address of the web server.
The following example configures the security appliance for the scenario shown in
assumes DNS inspection is already enabled.
hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.1 netmask
255.255.255.255 dns
hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www
hostname(config)# access-group 101 in interface outside
This configuration requires the following A-record on the DNS server:
server.example.com. IN A 209.165.200.225
DNS Rewrite with Three NAT Zones
Figure 25-2
transparently with a DNS server with minimal configuration. For configuration instructions for scenarios
like this one, see the
Figure 25-2
erver.example.com IN A 209.165.200.5
OL-10088-01
25-5.
domain-qualified-hostname
provides a more complex scenario to illustrate how DNS inspection allows NAT to operate
"Configuring DNS Rewrite with Three NAT Zones" section on page
DNS Rewrite with Three NAT Zones
DNS server
Outside
99.99.99.2
Inside
Web client
10.10.10.25
"Configuring Application Inspection" section on
is the hostname with a domain suffix, as in server.example.com. The
Security
appliance
DMZ
192.168.100.1
10.10.10.1
Cisco Security Appliance Command Line Configuration Guide
DNS Inspection
Figure
Web server
192.168.100.10
25-1. It
25-19.
25-17