25-19
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 25 Configuring Application Layer Protocol Inspection
DNS Inspection
5. The security appliance sends the HTTP request to server.example.com on the DMZ interface.
Configuring DNS Rewrite with Three NAT Zones
To enable the NAT policies for the scenario in Figure 25-2, perform the following steps:
Step 1 Create a static translation for the web server on the DMZ network, as follows:
hostname(config)# static (dmz,outside) mapped-address real-address dns
where the arguments are as follows:
• dmz—The name of the DMZ interface of the security appliance.
• outside—The name of the outside interface of the security appliance.
• mapped-address—The translated IP address of the web server.
• real-address—The real IP address of the web server.
Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests.
hostname(config)# access-list acl-name extended permit tcp any host mapped-address eq port
where the arguments are as follows:
• acl-name—The name you give the access list.
• mapped-address—The translated IP address of the web server.
• port—The TCP port that the web server listens to for HTTP requests.
Step 3 Apply the access list created in Step 2 to the outside interface. To do so, use the access-group command, as follows:
hostname(config)# access-group acl-name in interface outside
Step 4 If DNS inspection is disabled or if you want to change the maximum DNS packet length, configure DNS inspection. DNS application inspection is enabled by default with a maximum DNS packet length of 512 bytes. For configuration instructions, see the “Configuring Application Inspection” section on page 25-5.
Step 5 On the public DNS server, add an A-record for the web server, such as:
domain-qualified-hostname. IN A mapped-address
where domain-qualified-hostname is the hostname with a domain suffix, as in server.example.com. The period after the hostname is important. mapped-address is the translated IP address of the web server.
The following example configures the security appliance for the scenario shown in Figure 25-2. It assumes DNS inspection is already enabled.
hostname(config)# static (dmz,outside) 209.165.200.225 192.168.100.10 dns
hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www
hostname(config)# access-group 101 in interface outside
This configuration requires the following A-record on the DNS server:
server.example.com. IN A 209.165.200.225
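The following Python script is an added illustration, not Cisco code and not the security appliance's implementation: it simulates what the dns keyword on the static command asks DNS inspection to do for the configuration above. It parses a DNS reply, enforces the 512-byte default maximum packet length from Step 4, and replaces any A record carrying the mapped address 209.165.200.225 with the real address 192.168.100.10, so an inside client resolving server.example.com is handed the DMZ address directly. The translation table, the sample reply, and the helper names (inspect_dns_reply, build_dns_reply, a_records) are constructed for this demo; the interface and direction logic of the real appliance is not modelled.

```python
import struct
import ipaddress

# Constructed static translation table, modelled on the page's example command
#   static (dmz,outside) 209.165.200.225 192.168.100.10 dns
# keyed by mapped (translated) address; the value is the real address.
STATIC_DNS_TRANSLATIONS = {
    "209.165.200.225": "192.168.100.10",
}

# Default maximum DNS packet length accepted by DNS inspection (from the page).
MAX_DNS_PACKET_LENGTH = 512


def _skip_name(packet, offset):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def _records(packet):
    """Yield (rdata_offset, rtype, rclass, rdlength) for each resource record
    in the answer, authority and additional sections."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", packet[4:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(packet, offset) + 4      # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        offset = _skip_name(packet, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        yield offset, rtype, rclass, rdlength
        offset += rdlength


def a_records(packet):
    """Return the IPv4 addresses carried in the packet's A records."""
    return [str(ipaddress.IPv4Address(bytes(packet[o:o + 4])))
            for o, rtype, rclass, rdlength in _records(packet)
            if rtype == 1 and rclass == 1 and rdlength == 4]


def inspect_dns_reply(packet, translations=STATIC_DNS_TRANSLATIONS,
                      max_len=MAX_DNS_PACKET_LENGTH):
    """Simulate DNS inspection with rewrite on one DNS packet.

    Returns (action, packet, rewritten): action is 'drop' when the packet
    fails the length or header checks, otherwise 'forward'; packet is the
    (possibly rewritten) reply; rewritten counts replaced A records."""
    if len(packet) > max_len or len(packet) < 12:
        return "drop", packet, 0
    flags = struct.unpack("!H", packet[2:4])[0]
    if not flags & 0x8000:                # QR bit clear: a query, nothing to rewrite
        return "forward", packet, 0
    buf = bytearray(packet)
    rewritten = 0
    for offset, rtype, rclass, rdlength in _records(buf):
        if rtype == 1 and rclass == 1 and rdlength == 4:
            mapped = str(ipaddress.IPv4Address(bytes(buf[offset:offset + 4])))
            real = translations.get(mapped)
            if real is not None:          # A record holds a mapped address: rewrite it
                buf[offset:offset + 4] = ipaddress.IPv4Address(real).packed
                rewritten += 1
    return "forward", bytes(buf), rewritten


def build_dns_reply(name, addresses, txid=0x1234, ttl=300):
    """Construct a minimal DNS response (one question, one A record per
    address). Sample input for the demo, not captured traffic."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, len(addresses), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addresses:
        # owner name is a compression pointer back to the question name (offset 12)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


if __name__ == "__main__":
    reply = build_dns_reply("server.example.com.", ["209.165.200.225"])
    action, fixed, count = inspect_dns_reply(reply)
    print(action, a_records(reply), "->", a_records(fixed), count)
```

Running the script shows the reply for server.example.com being forwarded with its single A record changed from the mapped address to the real address; a reply that carries only addresses absent from the static table is forwarded unchanged, and a packet longer than the configured maximum is dropped rather than inspected.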