DNS Inspection

hostname(config)# access-list acl-name permit tcp any host mapped-address eq port

where the arguments are as follows:

acl-name—The name you give the access list.
mapped-address—The translated IP address of the web server.
port—The TCP port that the web server listens to for HTTP requests.

Step 3  Apply the access list created in Step 2 to the outside interface. To do so, use the access-group command, as follows:

hostname(config)# access-group acl-name in interface outside

Step 4  If DNS inspection is disabled or if you want to change the maximum DNS packet length, configure DNS inspection. DNS application inspection is enabled by default with a maximum DNS packet length of 512 bytes. For configuration instructions, see the "Configuring DNS Inspection" section on page 22-24.

Step 5  On the public DNS server, add an A-record for the web server, such as:

domain-qualified-hostname. IN A mapped-address

where domain-qualified-hostname is the hostname with a domain suffix, as in server.example.com. The period after the hostname is important. mapped-address is the translated IP address of the web server.

The following example configures the FWSM for the scenario shown in Figure 22-5. It assumes DNS inspection is already enabled.

Example 22-3  DNS Rewrite with Three NAT Zones

hostname(config)# static (dmz,outside) 209.165.200.225 192.168.100.10 dns
hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www
hostname(config)# access-group 101 in interface outside

This configuration requires the following A-record on the DNS server:

server.example.com. IN A 209.165.200.225
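The rewrite that the dns keyword on the static command performs in Example 22-3, modelled in Python as an added illustration (not Cisco's code or FWSM behaviour in every detail): it parses a constructed DNS reply for server.example.com, replaces A-record data equal to the mapped address 209.165.200.225 with the real address 192.168.100.10, and rejects replies longer than the default 512-byte maximum enforced by DNS inspection. The static table, the reply bytes and the function names are assumptions for this example.

```python
import struct
import ipaddress

# Constructed model of the static: mapped address -> real address.
# Stands for "static (dmz,outside) 209.165.200.225 192.168.100.10 dns".
STATICS_WITH_DNS = {"209.165.200.225": "192.168.100.10"}
MAX_DNS_LEN = 512  # default maximum DNS packet length stated on the page


def skip_name(pkt, off):
    """Return the offset just past a DNS name, following label lengths and
    stopping at a compression pointer (which is always 2 bytes)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def rewrite_a_records(pkt, statics=STATICS_WITH_DNS, max_len=MAX_DNS_LEN):
    """Rewrite A records whose rdata is a mapped address of a dns static to the
    real address. Returns (rewritten_packet, number_of_records_rewritten)."""
    if len(pkt) > max_len:  # inspection enforces the maximum packet length
        raise ValueError(f"DNS packet of {len(pkt)} bytes exceeds {max_len}")
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    out = bytearray(pkt)
    off = 12  # fixed DNS header size
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    rewritten = 0
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record with a 4-byte IPv4 address
            addr = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            if addr in statics:
                out[off:off + 4] = ipaddress.IPv4Address(statics[addr]).packed
                rewritten += 1
        off += rdlen
    return bytes(out), rewritten


def build_sample_reply():
    """Constructed reply: server.example.com. IN A 209.165.200.225 (TTL 300)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x06server\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + question + answer + ipaddress.IPv4Address("209.165.200.225").packed
```

Only the rdata bytes change, so the reply stays a valid DNS message and the inside client connects to the DMZ server's real address directly.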
Configuring DNS Inspection

DNS inspection is enabled by default.

To enable DNS inspection (if it has been previously disabled) or to change the default port used for receiving DNS traffic, perform the following steps:

Step 1  Create a class map or modify an existing class map to identify DNS traffic. Use the class-map command to do so, as follows.

hostname(config)# class-map class_map_name
hostname(config-cmap)#

where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode.

Step 2  Use the match port command to identify DNS traffic. The default port for DNS is UDP port 53.

hostname(config-cmap)# match port udp eq 53

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01
Chapter 22  Applying Application Layer Protocol Inspection, page 22-24