I have a DNS server behind a Cisco ASA firewall. The Cisco firewall is performing NAT. From inside the network I can reach the server directly with NSLOOKUP. When the client is outside, the request times out.
Assume the DNS server's internal IP address is 10.0.0.10 and its public IP address is 1.2.3.4:
My relevant configuration:
object network NS1_SERVVE_COM_dns
 host 10.0.0.10
access-list outside_in extended permit tcp any object NS1_SERVVE_COM_dns eq domain
object network NS1_SERVVE_COM_dns
 nat (inside,outside) static 1.2.3.4 service tcp domain domain
I also entered the following to allow Active Directory to resolve Internet names:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 8192
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
I tried changing TCP to UDP, but the result was the same. Any ideas?
firewall# packet-tracer input outside tcp 4.2.2.1 domain 1.2.3.4 domain$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NS1_SERVVE_COM_dns
nat (inside,outside) static 1.2.3.4 service tcp domain domain
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/53 to 10.0.0.10/53
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any object NS1_SERVVE_COM_dns eq domain
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network NS1_SERVVE_COM_dns
nat (inside,outside) static 1.2.3.4 service tcp domain domain
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7845414, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
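As an added example that is not part of the question above, here is an ASA object-NAT configuration that publishes the DNS server on both transports DNS actually uses (UDP/53 for ordinary queries, TCP/53 for zone transfers and large responses), with the interface ACL scoped to port 53 only. The object name, ACL name, interface names and the 10.0.0.10 / 1.2.3.4 addresses are taken from the question; everything else is an assumption of this example.

```cisco
! Added example (not the poster's configuration): publish 10.0.0.10 as 1.2.3.4
! for DNS over both UDP/53 and TCP/53.
object network NS1_SERVVE_COM_dns
 host 10.0.0.10
 ! A one-to-one static NAT without a "service" clause translates every
 ! protocol and port. An object may carry only one nat statement, so a
 ! "service tcp domain domain" clause translates TCP/53 only and leaves
 ! UDP/53 queries without a matching translation.
 nat (inside,outside) static 1.2.3.4
!
! Exposure is limited by the interface ACL, not by the NAT statement:
! only DNS, on both transports, is permitted from outside.
access-list outside_in extended permit udp any object NS1_SERVVE_COM_dns eq domain
access-list outside_in extended permit tcp any object NS1_SERVVE_COM_dns eq domain
access-group outside_in in interface outside
!
! Check each transport separately from the CLI; the trace in the question
! only exercised tcp. Source port 1025 is an arbitrary client port.
! packet-tracer input outside udp 4.2.2.1 1025 1.2.3.4 domain
! packet-tracer input outside tcp 4.2.2.1 1025 1.2.3.4 domain
```

If a full one-to-one translation of the host is not wanted, the same result can be reached with two network objects that both contain `host 10.0.0.10`, one carrying `nat (inside,outside) static 1.2.3.4 service udp domain domain` and the other the equivalent `service tcp domain domain` line, since the ASA accepts overlapping static object NAT when the service clauses differ. Either way, run a UDP packet-tracer after the change: an `ALLOW` result for TCP/53 says nothing about UDP/53, which is the transport a client's nslookup tries first.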