How DNS Rewrite Works - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI

Chapter 22
Applying Application Layer Protocol Inspection

How DNS Rewrite Works

When DNS inspection is enabled, DNS Rewrite provides full support for NAT of DNS messages
originating from any interface.

If a client on an inside network requests DNS resolution of an inside address from a DNS server on an
outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the
A-record is not translated, and the client receives the mapped address even though the server sits on
its own network.

As long as DNS inspection remains enabled, you can configure DNS Rewrite using the alias, static, or
nat commands. For details about the configuration required, see the "Configuring DNS Rewrite" section
on page 22-22.

DNS Rewrite performs two functions:

• Translating a public address (the routable or "mapped" address) in a DNS reply to a private address
(the "real" address) when the DNS client is on a private interface.

• Translating a private address to a public address when the DNS client is on the public interface.

In Figure 22-4, the DNS server resides on the external (ISP) network. On the FWSM, a static command
maps the real address of the web server (192.168.100.1) to the ISP-assigned address (209.165.201.5).
When a web client on the inside interface attempts to access the web server with the URL
http://server.example.com, the host running the web client sends a DNS request to the DNS server to
resolve the IP address of the web server. The FWSM translates the non-routable source address in the IP
header and forwards the request to the ISP network on its outside interface. When the DNS reply is
returned, the FWSM applies address translation not only to the destination address, but also to the
embedded IP address of the web server, which is contained in the A-record in the DNS reply. As a result,
the web client on the inside network gets the correct address for connecting to the web server on the
inside network. For the exact NAT and DNS configuration for this example, see Example 22-2. For
configuration instructions for scenarios similar to this one, see the "Configuring DNS Rewrite with Two
NAT Zones" section on page 22-20.

Figure 22-4 DNS Rewrite with Two NAT Zones
[Figure: web client (192.168.100.2) and web server (192.168.100.1) on the inside of the FWSM; the DNS
server is on the ISP Internet side. The DNS server answers "server.example.com IN A 209.165.200.225";
the FWSM rewrites the A-record so that the client receives the web server's real address, 192.168.100.1.
Note that the figure labels the mapped address as 209.165.200.225 while the text above uses
209.165.201.5; the mapped address is whichever one the static command on the FWSM defines.]

DNS Rewrite also works if the client making the DNS request is on a DMZ network and the DNS server
is on an inside interface. For an illustration and configuration instructions for this scenario, see the
"Configuring DNS Rewrite with Three NAT Zones" section on page 22-21.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
22-19
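The rewrite step the inspection engine performs on the A-record, as an added example in Python that is not Cisco code and not the guide's Example 22-2. It builds a constructed DNS reply for server.example.com, walks the resource records, and translates the embedded IPv4 address in both directions from the list above (mapped to real for a client on a private interface, real to mapped for a client on the public interface). The translation table (192.168.100.1 to 209.165.201.5) follows the text for Figure 22-4; the function names, the sample reply and the table are hypothetical.

```python
"""Simulation of the FWSM DNS Rewrite step for A-records in a DNS reply.

Added example (not Cisco code). Function names, the sample reply and the
translation table are constructed for illustration.
"""
import socket
import struct
from typing import Dict, List, Tuple

QTYPE_A = 1
QCLASS_IN = 1

# Constructed translation table: the real (inside) address of the web server and
# its mapped (ISP-assigned) address, as a "static" command on the FWSM defines.
REAL_TO_MAPPED: Dict[str, str] = {"192.168.100.1": "209.165.201.5"}
MAPPED_TO_REAL: Dict[str, str] = {m: r for r, m in REAL_TO_MAPPED.items()}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_reply(txid: int, qname: str, ip: str, ttl: int = 300) -> bytes:
    """Build a minimal DNS response: one question and one A answer whose owner
    name is a compression pointer back to the question (offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(ip))
    return header + question + answer


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_record_offsets(msg: bytes) -> List[int]:
    """Offsets of the 4-byte RDATA of every IN A record in the answer,
    authority and additional sections of a response."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    if not flags & 0x8000:
        return []                          # a query carries no RDATA to rewrite
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    found: List[int] = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            found.append(off)
        off += rdlen
    return found


def a_record_addresses(msg: bytes) -> List[str]:
    """Dotted-quad addresses of all A records in a response, in wire order."""
    return [socket.inet_ntoa(msg[o:o + 4]) for o in a_record_offsets(msg)]


def dns_rewrite(msg: bytes, client_on_private_interface: bool) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Apply DNS Rewrite to a reply the way the inspection engine would.

    Private-side client: mapped -> real (the reply came from the outside DNS server).
    Public-side client:  real -> mapped (the reply came from an inside DNS server).
    A-record RDATA is a fixed 4 bytes, so the message length never changes and the
    record can be patched in place; only the UDP checksum needs recomputing.
    Returns the rewritten message and the (old, new) pairs that were translated.
    """
    table = MAPPED_TO_REAL if client_on_private_interface else REAL_TO_MAPPED
    buf = bytearray(msg)
    changes: List[Tuple[str, str]] = []
    for off in a_record_offsets(msg):
        old = socket.inet_ntoa(msg[off:off + 4])
        new = table.get(old)
        if new is not None:                # addresses outside the static mapping pass untouched
            buf[off:off + 4] = socket.inet_aton(new)
            changes.append((old, new))
    return bytes(buf), changes


if __name__ == "__main__":
    # Figure 22-4 scenario: inside client resolves server.example.com via the outside DNS server.
    reply = build_a_reply(0x1234, "server.example.com", "209.165.201.5")
    rewritten, changes = dns_rewrite(reply, client_on_private_interface=True)
    print("inspection disabled, client sees:", a_record_addresses(reply))
    print("DNS Rewrite applied, client sees:", a_record_addresses(rewritten), changes)
```

Running the block shows the two outcomes the text contrasts: without the rewrite the inside client is handed the mapped address and would try to reach its own server through the outside interface; with it, the client gets 192.168.100.1. Replies for names whose address is not in the static mapping are forwarded unchanged.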
