When I ping from DMZ 10.195.18.182 to 1.195.18.182, I see the translation happening correctly in both directions...
D:10.195.18.182 S:192.168.11.101        D:1.195.18.182 S:10.195.18.182
     <-----------                            <-----------
     1) echo-request to 1.195.18.182
     nat (INSIDE,DMZ) static 1.195.18.182 dns

S:10.195.18.182 D:192.168.11.101        S:1.195.18.182 D:10.195.18.182
     ------------>                           ------------>
     2) echo-reply to 192.168.11.101
     nat (DMZ,INSIDE) static 192.168.11.101 dns
   b2masd1                   +-----------+                   masd1
   10.195.18.182   INSIDE    |           |    DMZ    10.195.18.182
   Mfg Server ---------------| Cisco ASA |--------------- Devel Server
                             |           |
                             +-----------+
   Manufacturing                                     Development
   Network                                           Network
   Security: 100                                     Security: 50
This is what I see on masd1...
masd1$ /usr/sbin/ping 1.195.18.182
PING 1.195.18.182: 64 byte packets
64 bytes from 1.195.18.182: icmp_seq=0. time=0. ms
64 bytes from 1.195.18.182: icmp_seq=1. time=0. ms
----1.195.18.182 PING Statistics----
2 packets transmitted, 2 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/0/0
masd1$
The problem is that DNS queries from the DMZ to INSIDE are not being translated. When I query b2masd1 from the DMZ, I expect the name server on INSIDE to respond with 10.195.18.182, which the ASA should then translate to 1.195.18.182. However, that is not happening. As you can see, the DNS entry is not translated.
masd1$ nslookup
Using /etc/hosts on: masd1
> a2mosd1
Using /etc/hosts on: masd1
looking up FILES
Trying DNS
Name: b2masd1.domain.local
Address: 10.195.18.182
> exit
masd1$
Can anyone explain what I need to do to get DNS queries translated correctly? I need a query from the DMZ for b2masd1, sent to the name server on the INSIDE interface, to return 1.195.18.182 (because the ASA translates the INSIDE A record 10.195.18.182 to the DMZ address 1.195.18.182).
I have set up a chat room to help with the diagnosis.
Additional debugging information
Here is my config...
!
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 10.195.2.197 255.255.255.248 standby 10.195.2.198
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 10.195.2.201 255.255.255.248 standby 10.195.2.202
!
object network DMZ_NAT_masd1
host 10.195.18.182
description xlate masd1 NAT DMZ src 10.195.18.182 to INSIDE src 192.168.11.101
object network INSIDE_NAT_masd1
host 10.195.18.182
description xlate masd1 NAT INSIDE src 10.195.18.182 to DMZ src 1.195.18.182
!
object network DMZ_NAT_masd1
nat (DMZ,INSIDE) static 192.168.11.101 dns
object network INSIDE_NAT_masd1
nat (INSIDE,DMZ) static 1.195.18.182 dns
!
policy-map type inspect dns DNS_INSPECT_MAP
parameters
message-length maximum 512
!
policy-map global_policy
class inspection_default
inspect dns DNS_INSPECT_MAP
!
service-policy global_policy global
show xlate, just in case...
B2-DEV-FW1/DEVELOPMENT# sh xlate local 10.195.18.182
121 in use, 126 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from DMZ:10.195.18.182 to INSIDE:192.168.11.101
flags sD idle 0:00:01 timeout 0:00:00
NAT from INSIDE:10.195.18.182 to DMZ:1.195.18.182
flags sD idle 0:03:55 timeout 0:00:00
B2-DEV-FW1/DEVELOPMENT#
show service-policy inspect dns...
B2-DEV-FW1/DEVELOPMENT# sh service-policy inspect dns
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns DNS_INSPECT_MAP, packet 15302, drop 0, reset-drop 0, v6-fail-close 0
message-length maximum 512, drop 0
dns-guard, count 7649
protocol-enforcement, drop 0
nat-rewrite, count 139
B2-DEV-FW1/DEVELOPMENT#
The capture shows the queries from b2masd1 to the name server (10.195.18.201). Note the doubled DNS queries seen on the INSIDE interface, which do not appear on the DMZ interface.
B2-DEV-FW1/DEVELOPMENT# capture FOO interface DMZ real-time match udp host 10.195.18.182 host 10.195.18.201
Warning: using this option with a slow console connection may
result in an excessive amount of non-displayed packets
due to performance limitations.
Use ctrl-c to terminate real-time capture
1: 09:54:35.994730 10.195.18.182.52639 > 10.195.18.201.53: udp 45
2: 09:54:35.995218 10.195.18.201.53 > 10.195.18.182.52639: udp 83
3: 09:54:47.875076 10.195.18.182.52644 > 10.195.18.201.53: udp 53
4: 09:54:47.875549 10.195.18.201.53 > 10.195.18.182.52644: udp 136
5: 09:54:47.875854 10.195.18.182.52645 > 10.195.18.201.53: udp 51
6: 09:54:47.876297 10.195.18.201.53 > 10.195.18.182.52645: udp 138
7: 09:54:47.876648 10.195.18.182.52646 > 10.195.18.201.53: udp 35
8: 09:54:47.877075 10.195.18.201.53 > 10.195.18.182.52646: udp 35
B2-DEV-FW1/DEVELOPMENT# capture FOO interface INSIDE real-time match udp host 192.168.11.101 host 10.195.18.201
Warning: using this option with a slow console connection may
result in an excessive amount of non-displayed packets
due to performance limitations.
Use ctrl-c to terminate real-time capture
1: 09:56:27.282608 10.195.18.182.52742 > 10.195.18.201.53: udp 43
2: 09:56:27.282684 192.168.11.101.52742 > 10.195.18.201.53: udp 43
3: 09:56:27.283081 10.195.18.201.53 > 192.168.11.101.52742: udp 59
4: 09:56:27.283096 10.195.18.201.53 > 10.195.18.182.52742: udp 59
#1
Answering my own question to help future Googlers. I spent about 3 hours on the phone with TAC. We finally found the root cause of the problem. The solution was to add a special NAT entry that matches the IP address in the DNS A record when it arrives on the INSIDE interface.
object network DNS_NAT_masd1
description xlate A-Record DMZ src 1.195.18.182 to INSIDE src 10.195.18.182
host 1.195.18.182
nat (DMZ,INSIDE) static 10.195.18.182
When I asked for a pointer to documentation describing why DNS translation works this way, the TAC lead said he was not aware of anything that describes this behavior. The TAC lead also mentioned that with newer code the ASA will know to translate the DNS A record automatically, without explicitly adding object network DNS_NAT_masd1; however, that is not how the ASA NAT dns keyword works today. For reasons that are not entirely clear, the ASA requires the DNS A-record IP to match the <proxy_addr> in a NAT statement using syntax similar to this:
object network obj-EXAMPLE
 description NAT object explicitly for translating DNS A-Records
 host <proxy_addr>
 nat (<REAL_INTF>,<PROXY_INTF>) static <real_addr> dns
The confusing part is that this configuration is completely unnecessary if all you want is to pass normal "data-plane" IP traffic through the firewall.
Here is the whole config that works...
object network DMZ_NAT_masd1
host 10.195.18.182
description xlate masd1 NAT DMZ src 10.195.18.182 to INSIDE src 192.168.11.101
object network INSIDE_NAT_masd1
host 10.195.18.182
description xlate masd1 NAT INSIDE src 10.195.18.182 to DMZ src 1.195.18.182
!!! DNS_NAT_masd1 is new
object network DNS_NAT_masd1
host 1.195.18.182
description xlate A-Record DMZ src 1.195.18.182 to INSIDE src 10.195.18.182
!
object network DMZ_NAT_masd1
nat (DMZ,INSIDE) static 192.168.11.101
object network INSIDE_NAT_masd1
nat (INSIDE,DMZ) static 1.195.18.182
!!! DNS_NAT_masd1 is new
object network DNS_NAT_masd1
nat (DMZ,INSIDE) static 10.195.18.182 dns
#2
Mike! Thank you for sharing! I used an alternative with twice NAT, and it worked too!
I had twice NAT (ASA OS 9.5):
nat (outside,inside) source dynamic ANY X destination static GroupM GroupN
So I have a group of servers "GroupN" on the inside and NAT them to the outside as the IP addresses "GroupM". Clients from the outside (anyone) can reach my servers, and when an outside client passes through the ASA its source is replaced with the IP address X.
The dns keyword cannot be used here. But, following your workaround, I created a set of auxiliary object NATs:
object network My_Server1_on_Inside
host <NATed IP of Server1>
nat (outside,inside) static <Real IP of server1> dns
and DNS doctoring works correctly.
BTW, Cisco says in its documentation that this cannot be done :)
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html
Best regards,
Sergey
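The rewrite both answers rely on (the `dns` keyword on a static NAT, whether object NAT as in #1 or the auxiliary objects beside twice NAT as in #2) is easier to reason about with the decision written out. The following is an added example, not code from this thread or from Cisco: it models the documented DNS-doctoring behavior (an A record is rewritten when its address matches the real or mapped address of a dns-enabled rule for the interface pair the reply crosses), loads the final working configuration from answer #1 as a rule table, and rewrites A records in a DNS reply parsed byte-for-byte. The DNS reply it feeds in is constructed, not a capture; the interface names, the `NatRule` field layout and the first-match ordering are assumptions of the model. Note that the thread shows the ASA release in question did not apply this rewrite for the two original dns-flagged rules, which is why the table below carries the `dns` flag only on DNS_NAT_masd1.

```python
"""Model of ASA DNS doctoring (the `dns` keyword on a nat line): added example,
not Cisco code. Rule semantics follow Cisco's documented behaviour; the rule
table is the final working config from answer #1 above."""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    """One `object network ... / nat (real_if,mapped_if) static <mapped>` line."""
    name: str
    real_if: str    # interface the real address lives behind
    mapped_if: str  # interface on which the mapped (proxy) address is seen
    real: str
    mapped: str
    dns: bool       # `dns` keyword present on the nat line


# Final working configuration from answer #1, as rule objects (assumed layout)
RULES = [
    NatRule("DMZ_NAT_masd1",    "DMZ",    "INSIDE", "10.195.18.182", "192.168.11.101", dns=False),
    NatRule("INSIDE_NAT_masd1", "INSIDE", "DMZ",    "10.195.18.182", "1.195.18.182",   dns=False),
    NatRule("DNS_NAT_masd1",    "DMZ",    "INSIDE", "1.195.18.182",  "10.195.18.182",  dns=True),
]


def doctor_address(addr, ingress_if, egress_if, rules=RULES):
    """Address an A record should carry after the reply crosses ingress_if -> egress_if.
    Only dns-flagged rules are consulted; first match wins (assumed, like NAT ordering)."""
    for r in rules:
        if not r.dns:
            continue
        # Reply enters on the mapped side, leaves on the real side: mapped -> real
        if (ingress_if, egress_if, addr) == (r.mapped_if, r.real_if, r.mapped):
            return r.real
        # Reply enters on the real side, leaves on the mapped side: real -> mapped
        if (ingress_if, egress_if, addr) == (r.real_if, r.mapped_if, r.real):
            return r.mapped
    return addr


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Offset just past a domain name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, always ends the name
            return off + 2
        off += 1 + length


def _answers(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every answer-section RR."""
    flags, qdcount, ancount = struct.unpack_from("!2xHHH", msg, 0)
    if not flags & 0x8000:  # QR bit clear: this is a query, nothing to doctor
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg):
    """IPv4 addresses of the IN A records in the answer section, in order."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4]))
            for t, c, o, n in _answers(msg) if (t, c, n) == (1, 1, 4)]


def doctor_dns_reply(msg, ingress_if, egress_if, rules=RULES):
    """Rewrite matching A records in place. Returns (new_msg, [(old, new), ...]).
    Only the 4-byte RDATA changes, so length and compression offsets stay valid."""
    out, changes = bytearray(msg), []
    for rtype, rclass, off, rdlen in _answers(msg):
        if (rtype, rclass, rdlen) != (1, 1, 4):  # IN A only; CNAME etc. untouched
            continue
        old = str(ipaddress.IPv4Address(msg[off:off + 4]))
        new = doctor_address(old, ingress_if, egress_if, rules)
        if new != old:
            out[off:off + 4] = ipaddress.IPv4Address(new).packed
            changes.append((old, new))
    return bytes(out), changes


def build_reply(qname, records, txid=0x1234):
    """Constructed sample reply (not a capture): one question, answers given as
    ("A", "1.2.3.4") or ("CNAME", "target.example"), owner names compressed."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for rtype, value in records:
        rdata, code = (ipaddress.IPv4Address(value).packed, 1) if rtype == "A" \
            else (_encode_name(value), 5)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", code, 1, 300, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    # The thread's failing case: INSIDE name server answers a DMZ client for b2masd1
    reply = build_reply("b2masd1.domain.local", [("A", "10.195.18.182")])
    fixed, changes = doctor_dns_reply(reply, "INSIDE", "DMZ")
    print(changes, a_records(fixed))  # [('10.195.18.182', '1.195.18.182')] ['1.195.18.182']
```

Two things the model makes visible that the config alone does not. First, direction matters: the same address 10.195.18.182 is a real address on the DMZ and a mapped address on INSIDE, so the rewrite decision keys on the interface pair the reply crosses, not on the address alone. Second, doctoring changes only the RDATA bytes of the answer RRs, so the message length and any compression pointers remain valid; what the model leaves out is the UDP checksum, which the firewall must recompute after the rewrite. On the ASA itself the equivalent check is the `nat-rewrite` counter under `show service-policy inspect dns` (visible in the question above) together with the `D` flag on the xlate.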