25-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 25 Configuring Application Layer Protocol Inspection
DNS Inspection
Figure 25-1 Translating the Address in a DNS Reply (DNS Rewrite)
DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server
is on an inside interface. For an illustration and configuration instructions for this scenario, see the “DNS
Rewrite with Three NAT Zones” section on page 25-17.
Configuring DNS Rewrite
You configure DNS rewrite using the alias, static, or nat commands. The alias and static command can
be used interchangeably; however, we recommend using the static command for new deployments
because it is more precise and unambiguous. Also, DNS rewrite is optional when using the static
command.
This section describes how to use the alias and static commands to configure DNS rewrite. It provides
configuration procedures for using the static command in a simple scenario and in a more complex
scenario. Using the nat command is similar to using the static command except that DNS Rewrite is
based on dynamic translation instead of a static mapping.
This section includes the following topics:
• Using the Static Command for DNS Rewrite, page 25-15
• Using the Static Command for DNS Rewrite, page 25-15
• Configuring DNS Rewrite with Two NAT Zones, page 25-16
• DNS Rewrite with Three NAT Zones, page 25-17
• Configuring DNS Rewrite with Three NAT Zones, page 25-19
For detailed syntax and additional functions for the alias, nat, and static command, see the appropriate
command page in the Cisco Security Appliance Command Reference.
Using the Static Command for DNS Rewrite
The static command causes addresses on an IP network residing on a specific interface to be translated
into addresses on another IP network on a different interface. The syntax for this command is as follows:
hostname(config)# static (real_ifc,mapped_ifc) mapped-address real-address dns
The following example specifies that the address 192.168.100.10 on the inside interface is translated into
209.165.200.5 on the outside interface:
hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.10 dns
132406
Web server
server.example.com
192.168.100.1
Web client
http://server.example.com
192.168.100.2
ISP Internet
DNS server
server.example.com IN A 209.165.200.5
Security appliance
192.168.100.1IN A 209.165.200.5
To Next Page
Loading...
Need help?
General