Wednesday, January 10, 2007

Pix/ASA: DNS rewrite and Packet U-Turns part I

Topology

                                     |--Client
Internet----(Outside)ASA(Inside)-----|
                                     |--Server


Problem

An internal host cannot reach a public server that sits on the same inside interface as the client. The server's hostname resolves in DNS to its public (mapped) IP address, so the client sends the packet to that address, and the PIX/ASA will not route a packet toward the outside interface and then U-turn it back out the inside interface it arrived on.

Solution 1: We tell the PIX/ASA to rewrite the A record in the DNS reply (DNS doctoring) so that the client resolves the server's hostname to its private IP address and talks to the server directly on the inside network, without the traffic ever touching the firewall.
DNS inspection must be enabled for DNS doctoring to work, and the reply has to pass through the appliance to be rewritten: the client must be using a DNS server that sits beyond the outside interface. A reply from an internal DNS server that hands out the public address is never seen by the firewall and is not doctored.

policy-map global_policy
class inspection_default
...
inspect dns


! Nat/Global for outbound traffic
!
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
!
! Static nat for inbound traffic to the server.
! The DNS keyword at the end enables DNS Doctoring
!
static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns
!


It beats going to each and every workstation on your network and adding the server's hostname and private IP address to its /etc/hosts file.
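What the dns keyword on the static actually does to the reply, modelled in Python as an added example (this is not code from the original post or from Cisco): a constructed DNS reply from an outside resolver carries www.example.com -> 172.20.1.10, and the rewrite swaps the A record's RDATA for the real address from the static, leaving the transaction ID, question and TTL untouched. The names STATIC_NAT, build_reply, a_records and doctor_dns_reply are this example's own, and the sample reply is constructed inline.

```python
"""Model of the PIX/ASA DNS doctoring rewrite (the `dns` keyword on a static).

Added example for this post, not code from the original page or from Cisco.
It parses a DNS reply and rewrites every IN A record in the answer section
whose address is the mapped (public) address of a static translation to the
real (private) address, which is what the appliance does to a reply that it
inspects on its way from the outside interface to the inside one.  The names
STATIC_NAT, build_reply, a_records and doctor_dns_reply are this example's own.
"""
import struct

# static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns
# expressed as a mapping of mapped (public) address -> real (private) address
STATIC_NAT = {"172.20.1.10": "192.168.100.10"}


def _skip_name(msg, off):
    """Return the offset just past a possibly compressed domain name (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _answer_records(msg):
    """Yield (name_off, rdata_off, rtype, rclass, rdlength) for each answer-section RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                            # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QNAME, then QTYPE and QCLASS
    for _ in range(ancount):
        name_off = off
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name_off, off, rtype, rclass, rdlength
        off += rdlength


def a_records(msg):
    """Dotted-quad addresses of the IN A records in the answer section."""
    return [".".join(str(b) for b in msg[o:o + 4])
            for _, o, rtype, rclass, rdlength in _answer_records(msg)
            if rtype == 1 and rclass == 1 and rdlength == 4]


def doctor_dns_reply(msg, nat=STATIC_NAT):
    """Rewrite mapped -> real in the A records of a DNS reply.

    Returns (rewritten message, [(name_offset, old_addr, new_addr), ...]).
    Queries (QR bit clear) and records that match no static are left alone;
    only the four RDATA bytes of a matching A record change, the rest of the
    message (ID, question, TTL) is copied as-is.
    """
    out = bytearray(msg)
    (flags,) = struct.unpack("!H", msg[2:4])
    if not flags & 0x8000:
        return bytes(out), []
    changed = []
    for name_off, off, rtype, rclass, rdlength in _answer_records(msg):
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addr = ".".join(str(b) for b in msg[off:off + 4])
            if addr in nat:
                out[off:off + 4] = bytes(int(x) for x in nat[addr].split("."))
                changed.append((name_off, addr, nat[addr]))
    return bytes(out), changed


def build_reply(name, addr, txid=0x1234, flags=0x8180, ttl=300):
    """Construct a minimal one-question, one-A-answer DNS message (test input only)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # the answer's NAME is a compression pointer to the question name at offset 12
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(x) for x in addr.split(".")))
    return header + question + answer


if __name__ == "__main__":
    # constructed reply, as an outside resolver would send it: www.example.com -> 172.20.1.10
    reply = build_reply("www.example.com", "172.20.1.10")
    doctored, changed = doctor_dns_reply(reply)
    print("before:", a_records(reply), "after:", a_records(doctored), "changed:", changed)
```

Running it prints the A record as 172.20.1.10 before and 192.168.100.10 after; a reply for a name with no matching static, or a query rather than a reply, comes back byte-for-byte unchanged. The rewrite is invisible to the client because nothing but the four address bytes moves, which is also why it only helps when the reply actually crosses the firewall.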

Solution 2: Packet U-turn.
Before 7.2, the security appliance will not forward clear-text (unencrypted) traffic back out the same interface it was received on; 7.0 and 7.1 allow the U-turn only for VPN (encrypted) traffic.
If the firewall is running 7.2 or later, we can lift that restriction and let the client reach the server using the resolved public IP address, with the firewall translating the destination back to the private address on the way.

! To allow packet U-turn
!
same-security-traffic permit intra-interface
!
! global statement for outbound traffic
!
global (outside) 1 interface
!
! PAT for intra-interface traffic to the inside interface address.
! Without it the server would see the client's real address and answer
! it directly on the shared subnet, bypassing the firewall, which would
! then see only one half of the TCP connection and drop it.
!
global (inside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
!
! Static nat for inbound traffic
!
static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255
!
! Destination translation of the server's public ip to its private ip
! for intra-interface (inside-to-inside) traffic.
!
static (inside,inside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255
!

For a more detailed explanation, read Cisco's sample configuration for this scenario.
