43-4
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 43 Configuring Inspection of Basic Internet Protocols
DNS Inspection
Configuring DNS Rewrite with Two NAT Zones
To implement a DNS Rewrite scenario similar to the one shown in Figure 43-1, perform the following steps:
Step 1 Create a static translation for the web server using the dns option. See Chapter 30, “Configuring Network Object NAT.”
Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests.
hostname(config)# access-list acl-name extended permit tcp any host mapped-address eq port
where the arguments are as follows:
acl-name—The name you give the access list.
mapped-address—The translated IP address of the web server.
port—The TCP port that the web server listens to for HTTP requests.
Step 3 Apply the access list created in Step 2 to the mapped interface. To do so, use the access-group command, as follows:
hostname(config)# access-group acl-name in interface mapped_ifc
Step 4 If DNS inspection is disabled or if you want to change the maximum DNS packet length, configure DNS inspection. DNS application inspection is enabled by default with a maximum DNS packet length of 512 bytes. For configuration instructions, see the “Configuring a DNS Inspection Policy Map for Additional Inspection Control” section on page 43-7.
Step 5 On the public DNS server, add an A-record for the web server, such as:
domain-qualified-hostname. IN A mapped-address
where domain-qualified-hostname is the hostname with a domain suffix, as in server.example.com. The
period after the hostname is important. mapped-address is the translated IP address of the web server.
The following example configures the ASA for the scenario shown in Figure 43-1. It assumes DNS inspection is already enabled.
hostname(config)# object network obj-192.168.100.1-01
hostname(config-network-object)# host 192.168.100.1
hostname(config-network-object)# nat (inside,outside) static 209.165.200.225 dns
hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www
hostname(config)# access-group 101 in interface outside
This configuration requires the following A-record on the DNS server:
server.example.com. IN A 209.165.200.225
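As an added example that is not part of the Cisco guide, the following Python script models what the dns option in Step 1 does to a DNS reply that crosses the ASA in the scenario above, together with the 512-byte maximum DNS packet length described in Step 4. The NAT rule, the interface names and the DNS packets are constructed for the example, and the direction logic is a simplification written for illustration, not the ASA's own implementation.

```python
"""
Added example, not taken from the Cisco guide: a minimal model of the DNS
rewrite that the 'dns' option on a static NAT rule applies to DNS replies,
plus the default 512-byte maximum DNS packet length enforced by DNS inspection.
The rule, interface names and all packets below are constructed for the example.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

MAX_DNS_PACKET = 512  # default maximum DNS packet length for ASA DNS inspection


@dataclass(frozen=True)
class StaticNatDns:
    """Models 'nat (inside,outside) static 209.165.200.225 dns' on a host object."""
    real_ifc: str
    mapped_ifc: str
    real_addr: str
    mapped_addr: str


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the domain name at off (handles compression pointers)."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _a_rdata_offsets(pkt: bytes) -> List[int]:
    """Offsets of the 4-byte RDATA of every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    offsets = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4 and off + 4 <= len(pkt):
            offsets.append(off)                  # A record, class IN
        off += rdlen
    return offsets


def a_record_addresses(pkt: bytes) -> List[str]:
    """Dotted-quad addresses carried in the reply's A records."""
    return [str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in _a_rdata_offsets(pkt)]


def rewrite_dns_reply(pkt: bytes, rule: StaticNatDns,
                      ingress_ifc: str, egress_ifc: str) -> Optional[bytes]:
    """Inspect a DNS reply travelling from ingress_ifc to egress_ifc.

    Returns the (possibly rewritten) packet, or None when inspection drops it
    because it is oversized or malformed.
    """
    if len(pkt) > MAX_DNS_PACKET or len(pkt) < 12:
        return None
    if not struct.unpack("!H", pkt[2:4])[0] & 0x8000:
        return pkt                                   # a query: nothing to rewrite
    # The direction the reply crosses the rule decides which address is replaced.
    if ingress_ifc == rule.mapped_ifc and egress_ifc == rule.real_ifc:
        src, dst = rule.mapped_addr, rule.real_addr  # reply headed to an inside client
    elif ingress_ifc == rule.real_ifc and egress_ifc == rule.mapped_ifc:
        src, dst = rule.real_addr, rule.mapped_addr  # reply headed to an outside client
    else:
        return pkt
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    try:
        offsets = _a_rdata_offsets(pkt)
    except (ValueError, struct.error):
        return None                                  # malformed reply is dropped
    out = bytearray(pkt)
    for o in offsets:
        if pkt[o:o + 4] == src_b:
            out[o:o + 4] = dst_b
    return bytes(out)


def build_a_reply(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS reply with one A record (sample input for the example)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c"                                        # pointer to QNAME at offset 12
              + struct.pack("!HHIH", 1, 1, 300, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


# The two-NAT-zone scenario from the guide: web server 192.168.100.1 on inside,
# translated to 209.165.200.225 on outside, public DNS server on outside.
RULE = StaticNatDns("inside", "outside", "192.168.100.1", "209.165.200.225")

if __name__ == "__main__":
    reply = build_a_reply("server.example.com", "209.165.200.225")
    print("from public DNS server:", a_record_addresses(reply))
    print("delivered to inside client:",
          a_record_addresses(rewrite_dns_reply(reply, RULE, "outside", "inside")))
```

Running the script shows the reply from the public DNS server, which carries the mapped address 209.165.200.225, being rewritten to the real address 192.168.100.1 before it reaches the inside client; that rewrite is what lets NAT operate transparently with a single DNS record. A reply that exceeds the 512-byte maximum or that cannot be parsed is dropped rather than forwarded, and an A record for an address outside the static translation is left untouched.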
Overview of DNS Rewrite with Three NAT Zones
Figure 43-2 provides a more complex scenario to illustrate how DNS inspection allows NAT to operate
transparently with a DNS server with minimal configuration. For configuration instructions for scenarios
like this one, see the “Configuring DNS Rewrite with Three NAT Zones” section on page 43-6.