[c-nsp] ASA Static Translations / DNS Doctoring

Luan Nguyen luan at netcraftsmen.net
Fri Jul 17 14:35:43 EDT 2009 

Very creative use of secondary addresses! :)

Regards,

------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
------------------------------------


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrew Yourtchenko
Sent: Friday, July 17, 2009 2:28 PM
To: Clue Store
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA Static Translations / DNS Doctoring

On Fri, 17 Jul 2009, Clue Store wrote:

> Hi All,
>
> I'm trying to do DNS doctoring on an asa and for specific reasons I need
to
> map several different (public) outside IP's the one inside ip as shown
> below.
>
> *static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255
> dns*
> *static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255
> dns*

With "static (inside,outside) AddrPublic AddrPrivate netmask 
255.255.255.255 dns" in the config,

you're saying:

1) when anyone tries to talk to AddrPublic from the outside, they will get
to AddrPrivate on the inside
2) when AddrPrivate tries to talk to anyone on the outside, it will be seen
there as AddrPublic
3) the DNS response containing AddrPrivate or AddrPublic, depending on 
where it is arriving, will have this address translated accordingly. (so 
the DNS server on the outside replying AddrPublic to someone on inside, 
will have this translated to AddrPrivate; and inside DNS server which 
replies the AddrPrivate to the outside, will have it translated to 
AddrPublic.)

The (3) is what the "dns" keyword turns on when it is present.

The symmetry of the behaviour prevents having 'many to one' behaviour 
that you are looking for - because then it would encounter the conflict or 
unpredictability when going outbound.

The simplest way around is to grab a few secondary 
rfc1918 addresses and assign them to the host and do the mapping between 
those and the public addresses.

For your /27 case, having 30 secondaries does not look terribly exciting, 
but assuming the host can survive that, it should do the trick.

cheers,
andrew

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list