User Obtaining DNS Resolution from the Outside
Before the release of version 7.0, you would use the alias command to modify DNS server
replies. As of version 7.0, this feature (DNS doctoring, also called DNS rewrite) has been
integrated into the translation commands, such as the static command, and is turned on per
translation with the dns keyword. Using the example shown in Figure 6-2, you would use the
following command to create the DNS reply modification:
Pix(config)# static (inside,outside) 198.133.219.25 10.1.33.3 netmask 255.255.255.255 dns
You can also use DNS doctoring to manipulate the DNS replies for servers that exist outside your
network when Outside NAT is configured: the reply from the outside DNS server is rewritten so
that inside users only ever see a destination address on the Inside subnet. This restricts your
users to destination IP addresses that reside on the Inside subnet and shields them from
depending on the outside DNS data. Using the example shown in Figure 6-3, you would use the
following command to create the DNS reply modification:
Pix(config)# static (outside,inside) 10.1.33.3 198.133.219.25 netmask 255.255.255.255 dns
Figure (diagram; only the step labels survive extraction): Workstation (User, 10.1.13.126) on the
inside; Web Server www.cisco.com (10.1.13.3) on the inside, translated to 198.133.219.25; DNS
Server on the ISP network outside the Security Appliance.
1. Request for www.cisco.com goes out to the Security Appliance.
2. The Security Appliance translates the non-routable source address in the IP header and
forwards the request to the ISP network on its outside interface.
3. The DNS server replies with 198.133.219.25.
4. The Security Appliance applies address translation to the destination address and to the
embedded IP address of the web server (198.133.219.25 becomes 10.1.13.3).
5. HTTP request to 10.1.13.3.
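The following is an added example, not Cisco code and not from the original page. It simulates what the appliance does at step 4 for both static commands above: a minimal DNS reply is parsed, and each A-record address that matches a translation is rewritten to the address that hosts on the forwarding interface are allowed to see. The addresses are the ones used in the page's static commands; the DNS messages, the StaticDns class and the interface names are constructed for the example, and an entry created with dns=False models a static without the dns keyword (no rewrite).

```python
"""Simulate ASA/PIX 7.0 DNS doctoring (the dns keyword on a static translation).

Added example; not Cisco's code. DNS messages below are constructed samples.
"""
import ipaddress
import struct


class StaticDns:
    """One 'static (real_ifc,mapped_ifc) mapped real netmask 255.255.255.255 [dns]' entry."""

    def __init__(self, real_ifc, mapped_ifc, mapped, real, dns=True):
        self.real_ifc = real_ifc      # interface where the real address lives
        self.mapped_ifc = mapped_ifc  # interface where the mapped address is seen
        self.mapped = mapped
        self.real = real
        self.dns = dns                # without the dns keyword replies are left alone

    def rewrite(self, addr, egress_ifc):
        """Address to substitute when a reply carrying addr is forwarded out egress_ifc."""
        if not self.dns:
            return None
        # Hosts on the real interface must see the real address ...
        if addr == self.mapped and egress_ifc == self.real_ifc:
            return self.real
        # ... and hosts on the mapped interface must see the mapped address.
        if addr == self.real and egress_ifc == self.mapped_ifc:
            return self.mapped
        return None


def _skip_name(msg, off):
    """Offset just past a DNS name (labels or a 2-byte compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def a_records(msg):
    """(rdata offset, dotted address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((off, str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))))
        off += rdlen
    return found


def answer_addresses(msg):
    return [addr for _, addr in a_records(msg)]


def doctor_reply(msg, statics, egress_ifc):
    """Rewrite embedded A-record addresses as the appliance does at step 4.

    Returns (new_message, [(old_addr, new_addr), ...]); the header and the
    question are untouched, only the 4-byte rdata of matching A records changes.
    """
    out = bytearray(msg)
    changes = []
    for off, addr in a_records(msg):
        for entry in statics:
            new = entry.rewrite(addr, egress_ifc)
            if new is not None:
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
                changes.append((addr, new))
                break
    return bytes(out), changes


def _encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_reply(txid, qname, addr, ttl=300):
    """Constructed sample: a minimal standard response carrying one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c"  # compression pointer back to the question name
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


if __name__ == "__main__":
    # static (inside,outside) 198.133.219.25 10.1.33.3 netmask 255.255.255.255 dns
    fig62 = StaticDns("inside", "outside", mapped="198.133.219.25", real="10.1.33.3")
    reply = build_a_reply(0x1234, "www.cisco.com", "198.133.219.25")  # from the outside DNS server
    doctored, changes = doctor_reply(reply, [fig62], egress_ifc="inside")
    print(answer_addresses(reply), "->", answer_addresses(doctored), changes)
    # static (outside,inside) 10.1.33.3 198.133.219.25 netmask 255.255.255.255 dns
    fig63 = StaticDns("outside", "inside", mapped="10.1.33.3", real="198.133.219.25")
    print(answer_addresses(doctor_reply(reply, [fig63], egress_ifc="inside")[0]))
```

The rewrite is keyed on the interface the reply is forwarded out of, which is why the same reply from the outside DNS server is doctored by both forms of the static command even though their real and mapped sides are swapped; a static without dns leaves the reply untouched, and an inside host would then try to reach the web server through its outside address.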