带有DNS转换的Cisco ASA双NAT

我正在尝试在Cisco ASA 9.0（3）上设置具有DNS转换功能的双重自动NAT，并且在DNS部分遇到一些挑战。我使双NAT正常工作，因此在生产和实验室中有一台具有相同IP地址的服务器。请参阅b2masd1，名称为INSIDE（生产）和masd1，名称为DMZ（实验室）。

当您从DMZ 10.195.18.182 ping到1.195.18.182时，我看到两个方向的翻译都正确进行了...

D:10.195.18.182      S:192.168.11.101       D:1.195.18.182   S:10.195.18.182
             <-----------                         <-----------
                                           1) echo-request to 1.195.18.182
                                           nat (INSIDE,DMZ) static 1.195.18.182 dns



  S:10.195.18.182    D:192.168.11.101       S:1.195.18.182   D:10.195.18.182
              ------------>                        ------------>
      2) echo-reply to 192.168.11.101
      nat (DMZ,INSIDE) static 192.168.11.101 dns


 b2masd1                   +-----------+              masd1
 10.195.18.182      INSIDE |           | DMZ          10.195.18.182
 Mfg Server   -------------| Cisco ASA |------------  Devel Server
                           |           |
                           +-----------+

 Manufacturing                                        Development
 Network                                              Network
 Security: 100                                        Security: 50

这是我在masd1上看到的...

masd1$ /usr/sbin/ping 1.195.18.182
PING 1.195.18.182: 64 byte packets
64 bytes from 1.195.18.182: icmp_seq=0. time=0. ms
64 bytes from 1.195.18.182: icmp_seq=1. time=0. ms

----1.195.18.182 PING Statistics----
2 packets transmitted, 2 packets received, 0% packet loss
round-trip (ms)  min/avg/max = 0/0/0
masd1$

问题是DNS查询从DMZ到INSIDE都没有得到翻译。当我从DMZ中查询b2masd1时，我希望INSIDE上的名称服务器响应10.195.18.182，然后ASA应将其转换为1.195.18.182。但是，这没有发生。如您所见，DNS条目未翻译。

masd1$ nslookup
Using /etc/hosts on:  masd1

> a2mosd1
Using /etc/hosts on:  masd1

looking up FILES
Trying DNS
Name:    b2masd1.domain.local
Address:  10.195.18.182

> exit
masd1$

谁能解释我需要做些什么才能正确翻译DNS查询？我需要查询DMZ中的b2masd1到INSIDE接口上的名称服务器以返回1.195.18.182（因为ASA将INSIDE A记录10.195.18.182转换为DMZ地址1.195.18.182）。

我已经设置了一个聊天室来协助诊断

其他调试信息

这是我的配置...

!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.195.2.197 255.255.255.248 standby 10.195.2.198
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 10.195.2.201 255.255.255.248 standby 10.195.2.202
!
object network DMZ_NAT_masd1
 host 10.195.18.182
 description xlate masd1 NAT DMZ src 10.195.18.182 to INSIDE src 192.168.11.101
object network INSIDE_NAT_masd1
 host 10.195.18.182
 description xlate masd1 NAT INSIDE src 10.195.18.182 to DMZ src 1.195.18.182
!
object network DMZ_NAT_masd1
 nat (DMZ,INSIDE) static 192.168.11.101 dns
object network INSIDE_NAT_masd1
 nat (INSIDE,DMZ) static 1.195.18.182 dns
!
policy-map type inspect dns DNS_INSPECT_MAP
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns DNS_INSPECT_MAP
!
service-policy global_policy global

显示xlate，以防万一......

B2-DEV-FW1/DEVELOPMENT# sh xlate local 10.195.18.182
121 in use, 126 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:10.195.18.182 to INSIDE:192.168.11.101
    flags sD idle 0:00:01 timeout 0:00:00
NAT from INSIDE:10.195.18.182 to DMZ:1.195.18.182
    flags sD idle 0:03:55 timeout 0:00:00
B2-DEV-FW1/DEVELOPMENT#

显示服务策略检查dns ...

B2-DEV-FW1/DEVELOPMENT# sh service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns DNS_INSPECT_MAP, packet 15302, drop 0, reset-drop 0, v6-fail-close 0
        message-length maximum 512, drop 0
        dns-guard, count 7649
        protocol-enforcement, drop 0
        nat-rewrite, count 139
B2-DEV-FW1/DEVELOPMENT#

捕获显示从b2masd1到名称服务器（10.195.18.201）的查询。注意在INSIDE接口上发送的双DNS查询，但似乎在DMZ接口上没有。

B2-DEV-FW1/DEVELOPMENT# capture FOO interface DMZ real-time match udp host 10.195.18.182 host 10.195.18.201

Warning: using this option with a slow console connection may
         result in an excessive amount of non-displayed packets
         due to performance limitations.

Use ctrl-c to terminate real-time capture


   1: 09:54:35.994730       10.195.18.182.52639 > 10.195.18.201.53:  udp 45
   2: 09:54:35.995218       10.195.18.201.53 > 10.195.18.182.52639:  udp 83
   3: 09:54:47.875076       10.195.18.182.52644 > 10.195.18.201.53:  udp 53
   4: 09:54:47.875549       10.195.18.201.53 > 10.195.18.182.52644:  udp 136
   5: 09:54:47.875854       10.195.18.182.52645 > 10.195.18.201.53:  udp 51
   6: 09:54:47.876297       10.195.18.201.53 > 10.195.18.182.52645:  udp 138
   7: 09:54:47.876648       10.195.18.182.52646 > 10.195.18.201.53:  udp 35
   8: 09:54:47.877075       10.195.18.201.53 > 10.195.18.182.52646:  udp 35

B2-DEV-FW1/DEVELOPMENT# capture FOO interface INSIDE real-time match udp host 192.168.11.101 host 10.195.18.201

Warning: using this option with a slow console connection may
         result in an excessive amount of non-displayed packets
         due to performance limitations.

Use ctrl-c to terminate real-time capture


   1: 09:56:27.282608       10.195.18.182.52742 > 10.195.18.201.53:  udp 43
   2: 09:56:27.282684       192.168.11.101.52742 > 10.195.18.201.53:  udp 43
   3: 09:56:27.283081       10.195.18.201.53 > 192.168.11.101.52742:  udp 59
   4: 09:56:27.283096       10.195.18.201.53 > 10.195.18.182.52742:  udp 59

#1 楼

回答我自己的问题，以帮助将来的Google员工。我花了大约3个小时与TAC通话。我们终于找到了问题的根本原因。
解决方案是添加一个特殊的NAT条目，当它到达INSIDE接口时，它与DNS A-Record中的IP地址匹配。

object network DNS_NAT_masd1
 description xlate A-Record DMZ src 1.195.18.182 to INSIDE src 10.195.18.182
 host 1.195.18.182
 nat (DMZ,INSIDE) static 10.195.18.182

当我索要指向描述DNS转换为何如此工作的文档的指针时，TAC负责人说他不知道有任何描述此行为的信息。 TAC负责人还提到，使用更多代码，ASA将知道自动转换DNS A-Record，而无需显式添加object network DNS_NAT_masd1；但是，今天这不是ASA NAT的dns关键字的工作方式。出于尚不完全清楚的原因，ASA要求DNS A-Record IP使用类似于此语法的语法来匹配NAT语句中的<proxy_addr>。

object network obj-EXAMPLE
 description NAT object explicitly for translating DNS A-Records
 host <proxy_addr>
 nat (<REAL_INTF>,<PROXY_INTF>) static <real_addr> dns

困难之处在于，如果要通过防火墙阻止常规的“数据平面” IP通信，则此配置完全是您需要做的。

这是整个配置可以...

object network DMZ_NAT_masd1
 host 10.195.18.182
 description xlate masd1 NAT DMZ src 10.195.18.182 to INSIDE src 192.168.11.101
object network INSIDE_NAT_masd1
 host 10.195.18.182
 description xlate masd1 NAT INSIDE src 10.195.18.182 to DMZ src 1.195.18.182
!!! DNS_NAT_masd1 is new
object network DNS_NAT_masd1
 host 1.195.18.182
 description xlate A-Record DMZ src 1.195.18.182 to INSIDE src 10.195.18.182
!
object network DMZ_NAT_masd1
 nat (DMZ,INSIDE) static 192.168.11.101
object network INSIDE_NAT_masd1
 nat (INSIDE,DMZ) static 1.195.18.182
!!! DNS_NAT_masd1 is new
object network DNS_NAT_masd1
 nat (DMZ,INSIDE) static 10.195.18.182 dns

#2 楼

麦克风！谢谢您的分享！
我使用了两次NAT的替代方法，它也起作用了！

我有了两次NAT（ASA OS 9.5）：

nat（外部，内部）源动态ANY X目标GroupM GroupN

因此，我内部有一组服务器“ GroupN”，并将它们NAT到IP地址“ GroupM”的外部。来自外部（任何人）的客户端都可以访问我的服务器，并且当外部客户端通过ASA时，其源将替换为IP地址X。

这里无法使用dns关键字。但是，通过您的变通办法，我创建了一组辅助对象NAT：

object network My_Server1_on_Inside
 host <NATed IP of Server1>
 nat (outside,inside) static <Real IP of server1> dns

，并且DNS篡改正常工作。

BTW ，思科在其文档中表示无法完成此任务：)
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation -firewalls / 115753-dns-doctoring-asa-config.html

最好的问候，
Sergey

编程黑洞网

带有DNS转换的Cisco ASA双NAT

#1 楼

#2 楼