DNS Doctoring Using "Static"

The document discusses configuring an ASA firewall to perform DNS doctoring for internal users connecting to an external CA server. It describes configuring a static NAT with the dns keyword on the ASA so that DNS replies for the name "WWW" are rewritten from the CA server's mapped address to its real inside address. It also shows configuring the internal router for DNS lookups and verifying name resolution and connectivity to the CA server by its DNS name.

CCIE Security V4 Technology Labs, Section 5: Perimeter Security and Services - ASA Firewalls

DNS Doctoring Using “Static”
Last updated: May 10, 2013

Task
Using the same topology as in the previous task, configure ASA3 so that when internal users browse
to the CA server using the DNS name "WWW", they can successfully connect.
Allow the Test PC to resolve the IP of the CA server and connect via HTTP.

Configuration
In ASA 8.4 and 8.6, the alias command has been deprecated; however, the same functionality is
available through the dns keyword on the static NAT statement (nat ... static ... dns under the
network object). With it, the ASA rewrites the A record in DNS replies that pass through DNS
inspection (enabled in the default global policy): an inside client resolving WWW receives the real
address 10.0.1.100 instead of the mapped address 150.51.0.100, so its HTTP traffic stays on the
inside segment rather than trying to hairpin through the outside interface. This feature is also a
capability of ASA 8.2, but in this task it is not tested. Note that the access-list below references
the real address 10.0.1.100; from 8.3 onward, ACLs are evaluated against real (untranslated) addresses.

R2:

ip host WWW 150.51.0.100

ASA3:

object network CA-Server
 host 10.0.1.100
 nat (inside,outside) static 150.51.0.100 dns
!
access-list www extended permit tcp any host 10.0.1.100 eq www
!
access-group www in interface outside
!
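To make the effect of the dns keyword concrete, the following is an added illustration (it is not ASA code and not part of the INE lab) of what the firewall does to a reply: it parses a DNS message, finds A records whose data matches a mapped address in the static NAT table, and overwrites them with the real address for replies headed to an inside host (or the reverse for replies headed outside). The mapping comes from the lab's static statement; the reply bytes are constructed here, and the function names build_response, a_records and doctor_dns_reply are this example's own.

```python
import ipaddress
import struct

# Constructed from the lab's static NAT: mapped (outside) address -> real (inside) address.
STATIC_NAT = {"150.51.0.100": "10.0.1.100"}

A_RECORD = 1
FLAG_RESPONSE = 0x8000


def build_response(qname, answer_ip, txid=0x1234, ttl=300):
    """Build a minimal DNS reply with one A record (constructed test data,
    standing in for R2's answer to the query for "WWW")."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", A_RECORD, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, ttl, 4)
    return header + question + answer + ipaddress.IPv4Address(answer_ip).packed


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _records(msg):
    """Yield (rdata_offset, rtype, rdlen) for every resource record in msg."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def a_records(msg):
    """List the IPv4 addresses carried in the A records of a DNS message."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4])))
            for o, rtype, rdlen in _records(msg) if rtype == A_RECORD and rdlen == 4]


def doctor_dns_reply(msg, nat_table, toward_inside=True):
    """Rewrite A-record data the way the ASA's `nat ... dns` keyword does.

    Replies heading to an inside host get the mapped address swapped for the
    real one; replies heading outside get the reverse, so an inside DNS
    server's real addresses are not leaked. Queries pass through untouched.
    Returns the (possibly rewritten) message and the list of rewrites made.
    """
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & FLAG_RESPONSE:
        return bytes(msg), []
    table = nat_table if toward_inside else {real: mapped for mapped, real in nat_table.items()}
    out = bytearray(msg)
    rewritten = []
    for off, rtype, rdlen in _records(out):
        if rtype != A_RECORD or rdlen != 4:
            continue
        seen = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
        target = table.get(seen)
        if target is not None:
            # Same length as the original rdata, so record offsets remain valid.
            out[off:off + 4] = ipaddress.IPv4Address(target).packed
            rewritten.append((seen, target))
    return bytes(out), rewritten


if __name__ == "__main__":
    reply = build_response("www", "150.51.0.100")
    doctored, changes = doctor_dns_reply(reply, STATIC_NAT)
    print(a_records(reply), "->", a_records(doctored), changes)
```

Only the four rdata bytes change, which is why the rewrite is safe to do in place; the ASA likewise leaves the rest of the reply (and the UDP length) unchanged. Records of other types, and queries, are left alone, which matches the behaviour you should expect when verifying with a packet capture on the inside interface.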

Verification
Enable R3 for DNS lookups using R2.

Rack1R3#
Rack1R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R3(config)#ip name-server 150.51.0.2
Rack1R3(config)#ip domain-lookup
Rack1R3(config)#end

Ping the DNS name of the CA server.

Rack1R3#ping WWW
Translating "WWW"...domain server (150.51.0.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Rack1R3#
