Cisco ASA 5505 Adaptive Security Appliance Technical Manual

!--- All traffic between the DNS server and the ASA.
access-list DNSOUTCAP extended permit ip host 172.20.1.2 host 172.22.1.161
!--- All traffic between the ASA and the DNS server.
The ACL for traffic on the inside interface:
access-list DNSINCAP extended permit ip host 192.168.100.2 host 172.22.1.161
!--- All traffic between the client and the DNS server.
access-list DNSINCAP extended permit ip host 172.22.1.161 host 192.168.100.2
!--- All traffic between the DNS server and the client.
♦ Create the capture instance(s):
ciscoasa#capture DNSOUTSIDE access-list DNSOUTCAP interface outside
!--- This capture collects traffic on the outside interface that matches
!--- the ACL DNSOUTCAP.
ciscoasa#capture DNSINSIDE access-list DNSINCAP interface inside
!--- This capture collects traffic on the inside interface that matches
!--- the ACL DNSINCAP.
2. View the capture(s).
Here is what the example captures look like after some DNS traffic has been passed:
ciscoasa#show capture DNSOUTSIDE
2 packets captured
   1: 14:07:21.347195 172.20.1.2.1025 > 172.22.1.161.53:  udp 36
   2: 14:07:21.352093 172.22.1.161.53 > 172.20.1.2.1025:  udp 93
2 packets shown
ciscoasa#show capture DNSINSIDE
2 packets captured
   1: 14:07:21.346951 192.168.100.2.57225 > 172.22.1.161.53:  udp 36
   2: 14:07:21.352124 172.22.1.161.53 > 192.168.100.2.57225:  udp 93
2 packets shown
3. (Optional) Copy the capture(s) to a TFTP server in PCAP format for analysis in another application.
Applications that can parse the PCAP format can show additional details such as the name and IP
address in DNS A records.
ciscoasa#copy /pcap capture:DNSINSIDE tftp
...
ciscoasa#copy /pcap capture:DNSOUTSIDE tftp
4. 
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
DNS Rewrite Is Not Performed
Make sure that you have DNS inspection configured on the security appliance.
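The step-3 note that a PCAP parser can show the name and IP address in DNS A records, and the "DNS Rewrite Is Not Performed" symptom above, can be checked together by comparing the A record the DNS server sent on the outside interface with the one the client received on the inside interface. The following is an added example, not part of the Cisco manual: it assumes the UDP payload of the DNS response has already been extracted from each exported capture, and the sample responses and IP addresses it builds are constructed for the test only.

```python
import struct
import socket

def _read_name(msg, offset):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # resume here after the jump
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:                                # root label ends the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_a_records(msg):
    """Return {name: [ipv4, ...]} for every A record in the answer section."""
    _, _flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.setdefault(name, []).append(socket.inet_ntoa(rdata))
    return answers

def build_a_response(name, ip, ttl=300):
    """Constructed sample response (not a real capture) with one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)   # standard response
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer

def rewrite_applied(outside_msg, inside_msg, name):
    """True when the A record for name differs between the outside and inside
    captures, i.e. the security appliance rewrote the answer on its way in."""
    outside = parse_a_records(outside_msg).get(name, [])
    inside = parse_a_records(inside_msg).get(name, [])
    return bool(outside) and bool(inside) and outside != inside
```

If `rewrite_applied` returns False while the two captures both contain the answer, the record passed through unchanged, which points back at the DNS inspection configuration named in this section.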