Internet----(outside)pix/asa(inside)----client
(dmz)
I
I
serverNow let's consider a pix/asa with three interfaces: inside, outside and dmz. Client PC in the inside network cannot access the server in the dmz eventhough we have the correct nat configuration in the firewall. We soon found out that the client PC is resolving server's hostname to its public ip. Problem is the pix/asa will forward the packet to the outside interface because the destination in the packet header is the server's public ip.
Solution 1:
DNS doctoring to the rescue
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,outside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255 dns
By adding the dns keyword in the static nat for the server, we are telling the pix to rewrite the dns query response so that the client pc will resolve the server's hostname to its private ip. So then the pix will correctly route to the dmz interface when client PC sends a packet to the server.
Make sure that you have DNS inspection configured for DNS Doctoring to work.
policy-map global_policy
class inspection_default
...
inspect dns
Solution 2:
Another way to get around the problem is to configure the pix to do a nat translation for packets from inside hosts going to the server in the dmz. But instead of natting the source address in the packet header, we tell it to nat the destination address.
!
! Nat for inside-to-outside traffic
!
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
!
! Nat for inside-to-dmz traffic to server
!
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
!
! Nat for dmz-to-outside traffic to server
!
static (dmz,outside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255
!
! Destination Nat for the server's IP
!
static (dmz,inside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255
More detailed info from the Cisco sample configuration.
No comments:
Post a Comment