带有DNS转换的Cisco ASA双NAT

11

我正在尝试在Cisco ASA 9.0(3)上设置具有DNS转换功能的双重自动NAT,并且在DNS部分遇到一些挑战。我使双NAT正常工作,因此在生产环境和实验室中有一台具有相同IP地址的服务器。请参见b2masd1,名称为INSIDE(生产)和masd1,名称为DMZ(实验室)。

当您从DMZ 10.195.18.182 ping到1.195.18.182时,我看到双向翻译正确进行...

D:10.195.18.182      S:192.168.11.101       D:1.195.18.182   S:10.195.18.182
             <-----------                         <-----------
                                           1) echo-request to 1.195.18.182
                                           nat (INSIDE,DMZ) static 1.195.18.182 dns



  S:10.195.18.182    D:192.168.11.101       S:1.195.18.182   D:10.195.18.182
              ------------>                        ------------>
      2) echo-reply to 192.168.11.101
      nat (DMZ,INSIDE) static 192.168.11.101 dns


 b2masd1                   +-----------+              masd1
 10.195.18.182      INSIDE |           | DMZ          10.195.18.182
 Mfg Server   -------------| Cisco ASA |------------  Devel Server
                           |           |
                           +-----------+

 Manufacturing                                        Development
 Network                                              Network
 Security: 100                                        Security: 50

这就是我在masd1上看到的...

masd1$ /usr/sbin/ping 1.195.18.182
PING 1.195.18.182: 64 byte packets
64 bytes from 1.195.18.182: icmp_seq=0. time=0. ms
64 bytes from 1.195.18.182: icmp_seq=1. time=0. ms

----1.195.18.182 PING Statistics----
2 packets transmitted, 2 packets received, 0% packet loss
round-trip (ms)  min/avg/max = 0/0/0
masd1$

问题是从DMZ到INSIDE的DNS查询得到转换。当我从DMZ中查询b2masd1时,我希望INSIDE上的名称服务器响应10.195.18.182,然后ASA应将其转换为1.195.18.182。但是,这没有发生。如您所见,DNS条目未翻译。

masd1$ nslookup
Using /etc/hosts on:  masd1

> a2mosd1
Using /etc/hosts on:  masd1

looking up FILES
Trying DNS
Name:    b2masd1.domain.local
Address:  10.195.18.182

> exit
masd1$

谁能解释我需要做什么才能正确翻译DNS查询?我需要查询DMZ中的b2masd1到INSIDE接口上的名称服务器以返回1.195.18.182(因为ASA将INSIDE A记录10.195.18.182转换为DMZ地址1.195.18.182)。

我已经建立了一个聊天室来协助诊断

其他调试信息

这是我的配置...

!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.195.2.197 255.255.255.248 standby 10.195.2.198
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 10.195.2.201 255.255.255.248 standby 10.195.2.202
!
object network DMZ_NAT_masd1
 host 10.195.18.182
 description xlate masd1 NAT DMZ src 10.195.18.182 to INSIDE src 192.168.11.101
object network INSIDE_NAT_masd1
 host 10.195.18.182
 description xlate masd1 NAT INSIDE src 10.195.18.182 to DMZ src 1.195.18.182
!
object network DMZ_NAT_masd1
 nat (DMZ,INSIDE) static 192.168.11.101 dns
object network INSIDE_NAT_masd1
 nat (INSIDE,DMZ) static 1.195.18.182 dns
!
policy-map type inspect dns DNS_INSPECT_MAP
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns DNS_INSPECT_MAP
!
service-policy global_policy global

显示xlate,以防万一。

B2-DEV-FW1/DEVELOPMENT# sh xlate local 10.195.18.182
121 in use, 126 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:10.195.18.182 to INSIDE:192.168.11.101
    flags sD idle 0:00:01 timeout 0:00:00
NAT from INSIDE:10.195.18.182 to DMZ:1.195.18.182
    flags sD idle 0:03:55 timeout 0:00:00
B2-DEV-FW1/DEVELOPMENT#

显示服务政策检查DNS ...

B2-DEV-FW1/DEVELOPMENT# sh service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns DNS_INSPECT_MAP, packet 15302, drop 0, reset-drop 0, v6-fail-close 0
        message-length maximum 512, drop 0
        dns-guard, count 7649
        protocol-enforcement, drop 0
        nat-rewrite, count 139
B2-DEV-FW1/DEVELOPMENT#

捕获显示从b2masd1到名称服务器(10.195.18.201)的查询。注意,在INSIDE接口上发送的双DNS查询,但在DMZ接口上似乎没有。

B2-DEV-FW1/DEVELOPMENT# capture FOO interface DMZ real-time match udp host 10.195.18.182 host 10.195.18.201

Warning: using this option with a slow console connection may
         result in an excessive amount of non-displayed packets
         due to performance limitations.

Use ctrl-c to terminate real-time capture


   1: 09:54:35.994730       10.195.18.182.52639 > 10.195.18.201.53:  udp 45
   2: 09:54:35.995218       10.195.18.201.53 > 10.195.18.182.52639:  udp 83
   3: 09:54:47.875076       10.195.18.182.52644 > 10.195.18.201.53:  udp 53
   4: 09:54:47.875549       10.195.18.201.53 > 10.195.18.182.52644:  udp 136
   5: 09:54:47.875854       10.195.18.182.52645 > 10.195.18.201.53:  udp 51
   6: 09:54:47.876297       10.195.18.201.53 > 10.195.18.182.52645:  udp 138
   7: 09:54:47.876648       10.195.18.182.52646 > 10.195.18.201.53:  udp 35
   8: 09:54:47.877075       10.195.18.201.53 > 10.195.18.182.52646:  udp 35

B2-DEV-FW1/DEVELOPMENT# capture FOO interface INSIDE real-time match udp host 192.168.11.101 host 10.195.18.201

Warning: using this option with a slow console connection may
         result in an excessive amount of non-displayed packets
         due to performance limitations.

Use ctrl-c to terminate real-time capture


   1: 09:56:27.282608       10.195.18.182.52742 > 10.195.18.201.53:  udp 43
   2: 09:56:27.282684       192.168.11.101.52742 > 10.195.18.201.53:  udp 43
   3: 09:56:27.283081       10.195.18.201.53 > 192.168.11.101.52742:  udp 59
   4: 09:56:27.283096       10.195.18.201.53 > 10.195.18.182.52742:  udp 59
cisco  cisco-asa  firewall  nat  dns 
迈克·彭宁顿
source

Answers:

8

回答我自己的问题,以帮助将来的Google员工。我花了大约3个小时与TAC通话。我们终于找到了问题的根本原因。

解决方案是添加一个特殊的NAT条目,当它到达INSIDE接口时,该条目与DNS A-Record中的IP地址匹配。

object network DNS_NAT_masd1
 description xlate A-Record DMZ src 1.195.18.182 to INSIDE src 10.195.18.182
 host 1.195.18.182
 nat (DMZ,INSIDE) static 10.195.18.182

当我要求找到描述DNS转换为何如此工作的文档的指针时,TAC负责人说他不知道有任何描述此行为的信息。TAC负责人还提到,使用更多代码,ASA会知道无需显式添加即可自动转换DNS A-Record object network DNS_NAT_masd1。但是,今天这不是dnsASA NAT关键字的工作方式。出于尚不完全清楚的原因,ASA要求DNS A-Record IP <proxy_addr>使用类似于以下语法来匹配NAT语句中的...。

object network obj-EXAMPLE
 description NAT object explicitly for translating DNS A-Records
 host <proxy_addr>
 nat (<REAL_INTF>,<PROXY_INTF>) static <real_addr> dns

困难在于,如果要通过防火墙阻止常规的“数据平面” IP通信,则此配置恰好是您需要执行的操作。

这是整个有效的配置...

object network DMZ_NAT_masd1
 host 10.195.18.182
 description xlate masd1 NAT DMZ src 10.195.18.182 to INSIDE src 192.168.11.101
object network INSIDE_NAT_masd1
 host 10.195.18.182
 description xlate masd1 NAT INSIDE src 10.195.18.182 to DMZ src 1.195.18.182
!!! DNS_NAT_masd1 is new
object network DNS_NAT_masd1
 host 1.195.18.182
 description xlate A-Record DMZ src 1.195.18.182 to INSIDE src 10.195.18.182
!
object network DMZ_NAT_masd1
 nat (DMZ,INSIDE) static 192.168.11.101
object network INSIDE_NAT_masd1
 nat (INSIDE,DMZ) static 1.195.18.182
!!! DNS_NAT_masd1 is new
object network DNS_NAT_masd1
 nat (DMZ,INSIDE) static 10.195.18.182 dns
迈克·彭宁顿
source
1

麦克风!感谢您分享这一点!我将此解决方法与两次NAT一起使用,它也有效!

我有两次NAT(ASA OS v 9.5):

nat(外部,内部)源动态ANY X目标GroupM GroupN

因此,我内部有一组服务器“ GroupN”,然后将它们NAT到外部,以IP地址“ GroupM”。外部客户端(任何客户端)都可以访问我的服务器,当外部客户端通过ASA时,其源将替换为IP地址X。

这里不可能使用dns关键字。但是通过您的解决方法,我创建了一组辅助对象NAT:

object network My_Server1_on_Inside
 host <NATed IP of Server1>
 nat (outside,inside) static <Real IP of server1> dns

而且我的DNS篡改工作正常。

顺便说一句,思科在其文档中表示无法完成此任务:) http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/ 115753-dns-doctoring-asa-config.html

最好的问候,谢尔盖

谢尔盖·伊万诺夫(Sergey Ivanov)
source
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.