[c-nsp] ASA Static Translations / DNS Doctoring

Clue Store cluestore at gmail.com
Fri Jul 17 15:05:54 EDT 2009


Hi Roland,

I agree that this is not a good idea, solution, or practice, but when one is
requested to perform a task a particular way and that task is what generates
my revenue, best practice does not apply. Had this been my own shop, there
would have been some different engineering for this project.

Clue

On Fri, Jul 17, 2009 at 1:45 PM, Roland Dobbins <rdobbins at arbor.net> wrote:

>
> On Jul 18, 2009, at 1:08 AM, Clue Store wrote:
>
>> I have several domains pointed to various IPs in a /27 (public block). I
>> have one internal webserver inside of my network. I would like to be able
>> to map the several outside IPs to one inside IP of my web server and
>> perform DNS doctoring via the ASA so my inside hosts can use a DNS server
>> outside of my network and still be able to get to the domains.
>>
>
> Not a good idea - an attacker can breathe on it, and it'll fall over,
> instant DoS.  Sticking servers behind firewalls, and NATting them, to boot,
> is extremely poor security practice.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>        Unfortunately, inefficiency scales really well.
>
>                   -- Kevin Lawton
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
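For readers landing on this thread looking for the actual mechanics, the following is an added example of the setup Clue asked about; it is not configuration from the thread, and the ASA version, object names and all addresses (RFC 5737 documentation ranges) are my own assumptions. It uses ASA 8.3+ object NAT: one network object per public address, each pointing at the same real host, with the dns keyword so the ASA rewrites A records in replies from the outside DNS server.

```cisco
! Added example (not from the thread): ASA 8.3+ object NAT for one inside
! web server reachable on several public addresses, with DNS rewrite.
! All addresses and object names are constructed placeholders.
!
! One object per public address, all pointing at the same real host.
! The "dns" keyword makes the ASA rewrite A records that pass through
! "inspect dns": an inside client resolving the public name against an
! outside DNS server gets 10.0.0.10 back instead of the mapped address.
object network WEB-REAL-1
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.11 dns
object network WEB-REAL-2
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.12 dns
object network WEB-REAL-3
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.13 dns
!
! Permit only the services the server actually offers. In 8.3+ the
! interface ACL references the real (inside) address, so one object
! covers all three public addresses.
access-list OUTSIDE-IN extended permit tcp any object WEB-REAL-1 eq 80
access-list OUTSIDE-IN extended permit tcp any object WEB-REAL-1 eq 443
access-group OUTSIDE-IN in interface outside
!
! DNS rewrite only happens if DNS inspection is applied (it is in the
! default global policy). Checks worth running after the change:
!   show service-policy inspect dns
!   show nat detail
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.11 80
```

Two points to keep in mind when checking this: the A-record rewrite only applies to DNS replies that traverse the ASA with inspection on, so a client using an inside resolver that does not cross the firewall still sees the public address; and with several mapped addresses for one real host, connections the server itself initiates outbound are translated by the first matching rule, so the other public addresses are inbound-only.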
