Chapter 22
Applying Application Layer Protocol Inspection
DNS Inspection

Note Using the nat command is similar to using the static command except that DNS Rewrite is based on dynamic translation instead of a static mapping.

Configuring DNS Rewrite with Two NAT Zones

To implement a DNS Rewrite scenario similar to the one shown in Figure 22-4, perform the following steps:

Step 1 Create a static translation for the web server, as follows:

hostname(config)# static (inside,outside) mapped-address real-address netmask 255.255.255.255 dns

where the arguments are as follows:
• inside—The name of the inside interface of the FWSM.
• outside—The name of the outside interface of the FWSM.
• mapped-address—The translated IP address of the web server.
• real-address—The real IP address of the web server.

Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests.

hostname(config)# access-list acl-name permit tcp any host mapped-address eq port

where the arguments are as follows:
• acl-name—The name you give the access-list.
• mapped-address—The translated IP address of the web server.
• port—The TCP port that the web server listens to for HTTP requests.

Step 3 Apply the access list created in Step 2 to the outside interface. To do so, use the access-group command, as follows.

hostname(config)# access-group acl-name in interface outside

Step 4 If DNS inspection is disabled or if you want to change the maximum DNS packet length, configure DNS inspection. DNS application inspection is enabled by default with a maximum DNS packet length of 512 bytes. For configuration instructions, see the "Configuring DNS Inspection" section on page 22-24.

Step 5 On the public DNS server, add an A-record for the web server, such as:

domain-qualified-hostname. IN A mapped-address

where domain-qualified-hostname is the hostname with a domain suffix, as in server.example.com. The period after the hostname is important. mapped-address is the translated IP address of the web server.

The following example configures the FWSM for the scenario shown in Figure 22-4. It assumes DNS inspection is already enabled.

Example 22-2 DNS Rewrite with Two NAT Zones

hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.1 netmask 255.255.255.255 dns
hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
22-21