Cisco FirePOWER ASA 5500 series Configuration Manual page 436

Security appliance command line
DNS Inspection
In Figure 25-2, a web server, server.example.com, has the real address 192.168.100.10 on the DMZ interface of the security appliance. A web client with the IP address 10.10.10.25 is on the inside interface and a public DNS server is on the outside interface. The site NAT policies are as follows:

• The outside DNS server holds the authoritative address record for server.example.com.
• Hosts on the outside network can contact the web server with the domain name server.example.com through the outside DNS server or with the IP address 209.165.200.5.
• Clients on the inside network can access the web server with the domain name server.example.com through the outside DNS server or with the IP address 192.168.100.10.

When a host or client on any interface accesses the DMZ web server, it queries the public DNS server for the A-record of server.example.com. The DNS server returns the A-record showing that server.example.com binds to address 209.165.200.5.

When a web client on the outside network attempts to access http://server.example.com, the sequence of events is as follows:

1. The host running the web client sends the DNS server a request for the IP address of server.example.com.
2. The DNS server responds with the IP address 209.165.200.225 in the reply.
3. The web client sends its HTTP request to 209.165.200.225.
4. The packet from the outside host reaches the security appliance at the outside interface.
5. The static rule translates the address 209.165.200.225 to 192.168.100.10 and the security appliance directs the packet to the web server on the DMZ.

When a web client on the inside network attempts to access http://server.example.com, the sequence of events is as follows:

1. The host running the web client sends the DNS server a request for the IP address of server.example.com.
2. The DNS server responds with the IP address 209.165.200.225 in the reply.
3. The security appliance receives the DNS reply and submits it to the DNS application inspection engine.
4. The DNS application inspection engine does the following:
   a. Searches for any NAT rule to undo the translation of the embedded A-record address "[outside]:209.165.200.5". In this example, it finds the following static configuration:

      static (dmz,outside) 209.165.200.225 192.168.100.10 dns

   b. Uses the static rule to rewrite the A-record as follows because the dns option is included:

      [outside]:209.165.200.225 --> [dmz]:192.168.100.10

      Note: If the dns option were not included with the static command, DNS Rewrite would not be performed and other processing for the packet continues.

   c. Searches for any NAT to translate the web server address, [dmz]:192.168.100.10, when communicating with the inside web client.

      No NAT rule is applicable, so application inspection completes. If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns option were not specified, the A-record rewrite in step b would be reverted and other processing for the packet continues.

Chapter 25 Configuring Application Layer Protocol Inspection
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
25-18
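The decision the DNS inspection engine makes in steps a to c above, modelled as an added Python example that is not code from the Cisco guide and not ASA configuration. StaticNat, find_untranslate, find_forward_nat and rewrite_a_record are hypothetical names; the rule list is constructed from the page's one static command, and the final branch, where a forward NAT rule that also carries the dns option maps the record to that rule's mapped address, generalizes beyond what the page states.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class StaticNat:
    """One 'static (real_if,mapped_if) mapped_ip real_ip [dns]' rule."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    dns: bool = False

# Constructed from the page's static command; interface and address names follow its topology.
PAGE_RULES: List[StaticNat] = [
    StaticNat("dmz", "outside", "209.165.200.225", "192.168.100.10", dns=True),
]

def find_untranslate(rules: List[StaticNat], reply_if: str, addr: str) -> Optional[StaticNat]:
    """Step a: a static rule whose mapped address on the interface the reply
    arrived on equals the address embedded in the A-record."""
    for r in rules:
        if r.mapped_if == reply_if and r.mapped_ip == addr:
            return r
    return None

def find_forward_nat(rules: List[StaticNat], real_if: str, real_ip: str, client_if: str) -> Optional[StaticNat]:
    """Step c: a rule that would translate the server's real address when it
    talks to the interface the DNS client sits on."""
    for r in rules:
        if r.real_if == real_if and r.real_ip == real_ip and r.mapped_if == client_if:
            return r
    return None

def rewrite_a_record(rules: List[StaticNat], reply_if: str, client_if: str, addr: str) -> str:
    """Address the client sees in the A-record once inspection has run steps a-c."""
    rule = find_untranslate(rules, reply_if, addr)
    if rule is None or not rule.dns:
        return addr       # no matching static, or no dns option: record left untouched
    real = rule.real_ip   # step b: rewrite mapped -> real
    fwd = find_forward_nat(rules, rule.real_if, real, client_if)
    if fwd is None:
        return real       # step c: no further NAT, the rewrite stands
    if not fwd.dns:
        return addr       # step c caveat: forward NAT lacks dns, so the step b rewrite is reverted
    return fwd.mapped_ip  # assumption beyond the page: forward NAT with dns maps to its mapped address

if __name__ == "__main__":
    # Reply arrives on outside, client is on inside (the page's second sequence).
    print(rewrite_a_record(PAGE_RULES, "outside", "inside", "209.165.200.225"))  # 192.168.100.10
```

Dropping dns from the static rule, or adding a second static toward the inside interface without dns, reproduces the two "no rewrite" outcomes the Note and step c describe.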
