Chapter 22 Applying Application Layer Protocol Inspection
DNS Inspection
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, page 22-23

2. The DNS server responds with the IP address 209.165.200.225 in the reply.
3. The web client sends its HTTP request to 209.165.200.225.
4. The packet from the outside host reaches the FWSM at the outside interface.
5. The static rule translates the address 209.165.200.225 to 192.168.100.10 and the FWSM directs the packet to the web server on the DMZ.

When a web client on the inside network attempts to access http://server.example.com, the sequence of events is as follows:
1. The host running the web client sends the DNS server a request for the IP address of server.example.com.
2. The DNS server responds with the IP address 209.165.200.225 in the reply.
3. The FWSM receives the DNS reply and submits it to the DNS application inspection engine.
4. The DNS application inspection engine does the following:
   a. Searches for any NAT rule to undo the translation of the embedded A-record address [outside]:209.165.200.225. In this example, it finds the following static configuration:
      static (dmz,outside) 209.165.200.225 192.168.100.10 dns
   b. Uses the static rule to rewrite the A-record as follows, because the dns option is included:
      [outside]:209.165.200.225 --> [dmz]:192.168.100.10
      Note: If the dns option were not included with the static command, DNS Rewrite would not be performed and other processing for the packet would continue.
   c. Searches for any NAT rule to translate the web server address, [dmz]:192.168.100.10, when communicating with the inside web client. No NAT rule is applicable, so application inspection completes.
      If a NAT rule (nat or static) were applicable, the dns option must also be specified on it. If the dns option were not specified, the A-record rewrite in step b would be reverted and other processing for the packet would continue.
5. The FWSM sends the HTTP request to server.example.com on the DMZ interface.

Configuring DNS Rewrite with Three NAT Zones
To enable the NAT policies for the scenario in Figure 22-5, perform the following steps:

Step 1 Create a static translation for the web server on the DMZ network, as follows:
hostname(config)# static (dmz,outside) mapped-address real-address dns
where the arguments are as follows:
• dmz—The name of the DMZ interface of the FWSM.
• outside—The name of the outside interface of the FWSM.
• mapped-address—The translated IP address of the web server.
• real-address—The real IP address of the web server.

Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests.
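The following is an added example written for this page; it is not FWSM or Cisco code. It models the inspection-engine decisions in steps a, b and c above and the Step 1 static syntax: it parses static lines in the form shown on the page, builds a constructed one-answer DNS reply for server.example.com, locates the A-record rdata in the wire format and rewrites it according to the rules. The sample packet and the extra static lines for the inside interface (including the 10.1.1.10 address) are constructed for illustration. One behaviour goes beyond what the page states and is an assumption: when a second NAT rule toward the client does carry the dns option, the example rewrites the A-record to that rule's mapped address.

```python
"""Model of FWSM-style DNS Rewrite (A-record NAT) for the three-zone case.
Illustrative code added for this page; not Cisco/FWSM code."""
import struct

A_RECORD = 1


def parse_static(line):
    """Parse 'static (real_if,mapped_if) mapped real [dns]' as written on the page."""
    t = line.split()
    if t[0] != "static":
        raise ValueError("not a static command: " + line)
    real_if, mapped_if = t[1].strip("()").split(",")
    return {"real_if": real_if, "mapped_if": mapped_if,
            "mapped": t[2], "real": t[3], "dns": "dns" in t[4:]}


def build_dns_reply(name, addr, txid=0x1234):
    """Constructed sample: a standard DNS response with one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 question, 1 answer
    question = qname + struct.pack(">HH", A_RECORD, 1)          # QTYPE A, QCLASS IN
    # Answer name is a compression pointer to the question name at offset 12.
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", A_RECORD, 1, 300, len(rdata)) + rdata
    return header + question + answer


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        l = pkt[off]
        if l == 0:
            return off + 1
        if (l & 0xC0) == 0xC0:      # compression pointer: two bytes, terminates the name
            return off + 2
        off += l + 1


def a_record_offsets(pkt):
    """Byte offsets of every A-record rdata in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4       # QTYPE + QCLASS
    offsets = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            offsets.append(off)
        off += rdlen
    return offsets


def ip_at(pkt, off):
    return ".".join(str(b) for b in pkt[off:off + 4])


def put_ip(pkt, off, addr):
    pkt[off:off + 4] = bytes(int(o) for o in addr.split("."))


def inspect_dns_reply(pkt, rules, reply_if, client_if):
    """Apply steps a-c to each A record; return the (possibly) rewritten packet."""
    pkt = bytearray(pkt)
    for off in a_record_offsets(pkt):
        original = ip_at(pkt, off)
        # Step a: a static whose mapped address on the reply's interface matches the A record.
        undo = next((r for r in rules
                     if r["mapped_if"] == reply_if and r["mapped"] == original), None)
        if undo is None or not undo["dns"]:
            continue                      # no rule, or rule without dns: no rewrite
        # Step b: untranslate to the real address behind the real interface.
        real_if, real = undo["real_if"], undo["real"]
        put_ip(pkt, off, real)
        # Step c: is there a NAT rule for the server toward the client's interface?
        fwd = next((r for r in rules if r["real_if"] == real_if
                    and r["mapped_if"] == client_if and r["real"] == real), None)
        if fwd is None:
            continue                      # no applicable NAT: the step b rewrite stands
        if fwd["dns"]:
            put_ip(pkt, off, fwd["mapped"])   # assumption: client gets the mapped address
        else:
            put_ip(pkt, off, original)        # second rule lacks dns: revert step b
    return bytes(pkt)


def rewritten_answer(config_lines, reply_if="outside", client_if="inside"):
    """Address an inside client receives for server.example.com under the given statics."""
    rules = [parse_static(l) for l in config_lines]
    reply = build_dns_reply("server.example.com", "209.165.200.225")
    out = inspect_dns_reply(reply, rules, reply_if, client_if)
    return ip_at(out, a_record_offsets(out)[0])


if __name__ == "__main__":
    print(rewritten_answer(["static (dmz,outside) 209.165.200.225 192.168.100.10 dns"]))
```

Running the page's configuration through rewritten_answer returns 192.168.100.10; dropping the dns keyword leaves 209.165.200.225 untouched, and adding a static (dmz,inside) rule without dns reverts the rewrite, as the text describes.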