25-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 25 Configuring Application Layer Protocol Inspection
DNS Inspection
Note Using the nat command is similar to using the static command except that DNS Rewrite is based on
dynamic translation instead of a static mapping.
Using the Alias Command for DNS Rewrite
The alias command causes the security appliance to translate addresses on an IP network residing on any
interface into addresses on another IP network connected through a different interface. The syntax for
this command is as follows:
hostname(config)# alias (interface_name) mapped-address real-address
The following example specifies that the real address (192.168.100.10) on any interface except the
inside interface will be translated to the mapped address (209.165.200.225) on the inside interface.
Notice that the location of 192.168.100.10 is not precisely defined.
hostname(config)# alias (inside) 209.165.200.225 192.168.100.10
Note If you use the alias command to configure DNS Rewrite, proxy ARP will be performed for the mapped
address. To prevent this, disable Proxy ARP by entering the sysopt noproxyarp command after entering
the alias command.
Configuring DNS Rewrite with Two NAT Zones
To implement a DNS Rewrite scenario similar to the one shown in Figure 25-1, perform the following
steps:
Step 1 Create a static translation for the web server, as follows:
hostname(config)# static (real_ifc,mapped_ifc) mapped-address real-address netmask 255.255.255.255 dns
where the arguments are as follows:
• real_ifc—The name of the interface connected to the real addresses.
• mapped_ifc—The name of the interface where you want the addresses to be mapped.
• mapped-address—The translated IP address of the web server.
• real-address—The real IP address of the web server.
Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests.
hostname(config)# access-list acl-name extended permit tcp any host mapped-address eq port
where the arguments are as follows:
• acl-name—The name you give the access list.
• mapped-address—The translated IP address of the web server.
• port—The TCP port that the web server listens to for HTTP requests.
Step 3 Apply the access list created in Step 2 to the mapped interface. To do so, use the access-group command,
as follows:
hostname(config)# access-group acl-name in interface mapped_ifc
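The three steps carried through with concrete values, as an added example that is not part of the Cisco guide. It assumes the web server's real address 192.168.100.10 is on the inside interface, that clients and the DNS server reach it through the mapped address 209.165.200.225 on the outside interface, that the server listens on TCP port 80, and it uses an assumed access-list name WEB_IN:

```cisco
! Added example (not from the Cisco guide). Assumptions: real_ifc = inside,
! mapped_ifc = outside, web server real address 192.168.100.10, mapped
! address 209.165.200.225, HTTP on TCP port 80, access list named WEB_IN.
!
! Step 1: static translation with the dns keyword. A records in DNS replies
! that carry the mapped address 209.165.200.225 are rewritten to the real
! address 192.168.100.10 when the reply is delivered toward the inside
! interface, and the reverse rewrite is applied for replies leaving it.
hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.10 netmask 255.255.255.255 dns
!
! Step 2: permit only HTTP to the mapped address of the web server.
hostname(config)# access-list WEB_IN extended permit tcp any host 209.165.200.225 eq 80
!
! Step 3: bind the access list inbound on the mapped (outside) interface.
hostname(config)# access-group WEB_IN in interface outside
```

With this in place an inside client that queries the outside DNS server for the web server's name receives 192.168.100.10 in the answer and connects to the server directly, instead of being handed the mapped address and trying to reach it back through the outside interface. The dns keyword only has an effect while DNS inspection is applied to the DNS traffic; on the 7.x appliances the default global service policy already inspects DNS, so no further step is needed unless that policy has been removed.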