INE vol 2 – Lab 4 revision today


Hello All!

I had an interesting day yesterday! I didn’t have any rack rentals scheduled, as I was supposed to be spending most of my day doing some work-related stuff. I did that till about 3 PM and then I fired up good ol’ GNS3 and started doing some small labs. I had forgotten how much FUN this was! :) Here are a couple of things that I labbed yesterday:

  • DNS rewrite on the ASAs
    • This was a simple topic, but I had issues getting this to work 100% of the time, so I decided to spend some time labbing it. Only then did I figure out how complex this actually is. I was referring to the Doc-CD page for “Application inspection” on the ASA and I found some very interesting scenarios (one in particular) which I wanted to share with you.
    • It’s called DNS rewrite with 3 NAT zones.
      • We all know how DNS rewrite works. Most of the time, out of habit, we configure only 2 NAT zones when we have to test this (e.g. inside, outside). So what happens is, the “A-record” in the DNS response gets translated according to the static NAT entry.
      • Now, add another zone. It gets interesting now. What happens if the user is on the inside, the web server is on the DMZ and the DNS server is on the outside? How does rewrite actually work? For this I found an awesome section -> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1336066 , which gives us a clear picture of how this happens. I also labbed this up and I was happy to see it working as expected.
    • I also tried the “alias” command and that worked too.
  • Local IOS command authorization
    • I was revising IPX Vol 2 – Lab 11, and I found that I was not too confident about the local command authorization section. So, I fired up a small lab and proceeded to do it. I’m now confident about how this works and I’m sure I could work my way through this task if I face it again.
  • AAA Cut-through-proxy on the ASA
    • I had configured regular CTP on the ASA before (aaa authentication match <ACL> inside <method>). But I was wondering what the “aaa authentication listener” command did. So I read up on some documentation (which, I must say, I’m not very impressed with) and I started configuring this.
    • I learnt that, by entering the “aaa authentication listener” command with the “redirect” keyword, we are redirected to a fancy new page where we have to enter our credentials, instead of the usual pop-up box that we usually get.
    • But, without the redirect keyword, it performs CTP just the usual way. I don’t see any difference in adding the aaa authentication listener command. If someone knows the difference, I’d love to know what it is!
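Because the three-zone scenario above is the one that trips people up, here is an added configuration example for it. This is not from the original post and is not copied from the Cisco document it links; it uses the pre-8.3 static/nat/global syntax the post is working with. Interface names, addresses (inside 10.1.2.0/24, dmz 10.1.3.0/24, outside 209.165.201.0/27), the web server’s real address 10.1.3.14, the two mapped addresses and the host name are all assumptions for illustration. Lines starting with “!” are explanatory comments, not configuration.

```text
! Added example (not from the post). Topology assumed for illustration:
!   inside  10.1.2.0/24  (user 10.1.2.27)
!   dmz     10.1.3.0/24  (web server, real address 10.1.3.14)
!   outside 209.165.201.0/27 (the DNS server lives somewhere out here)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.3.1 255.255.255.0
!
! Zones 1 and 2: publish the DMZ server to the outside as 209.165.201.10.
! The trailing "dns" keyword is what enables rewrite of A-records that
! carry this mapped address in DNS replies passing through the ASA.
static (dmz,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255 dns
!
! Zone 3: inside hosts see the same server under a second mapped address.
! With only the first static, the A-record 209.165.201.10 in the reply would
! be untranslated to the real 10.1.3.14, which an inside host then has to
! reach via the dmz. This second static (also with "dns") makes the ASA take
! one more step and hand the inside client 10.1.2.56 instead.
static (dmz,inside) 10.1.2.56 10.1.3.14 netmask 255.255.255.255 dns
!
! Inside hosts need a translation of their own to reach the outside DNS
! server; dynamic PAT to the outside interface address is enough here.
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
!
! No rewrite happens unless DNS inspection is applied to the flow. This is
! the default global policy; it is shown so the dependency is explicit.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! Resulting flow for a client on inside resolving www.example.com (assumed):
!  1. 10.1.2.27 -> outside DNS server: query for www.example.com (PAT to
!     209.165.201.1 on the way out).
!  2. DNS server -> client: A = 209.165.201.10 (the outside-mapped address).
!  3. ASA, (dmz,outside) static with dns: 209.165.201.10 -> 10.1.3.14.
!  4. ASA, (dmz,inside) static with dns, because the reply exits inside:
!     10.1.3.14 -> 10.1.2.56. The client receives A = 10.1.2.56.
!  5. Client connects to 10.1.2.56; the (dmz,inside) static forwards the
!     connection to 10.1.3.14 on the dmz.
!
! Checks while labbing (assumed commands exist on 7.2/8.0):
!   show xlate
!   show service-policy inspect dns
!   capture dnscap interface inside match udp any any eq 53
!   show capture dnscap   -> the A-record in the reply should read 10.1.2.56
```

If the client still gets 209.165.201.10 back, the usual culprits are the missing “dns” keyword on one of the two statics, or DNS inspection not being applied to the traffic (a custom service-policy on the inside interface without inspect dns overrides the global one for that interface).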

One thing which I do regularly is to revisit the Doc-CD to read about the order of processing of the classes/actions in policy-maps on the ASAs. I find this VERY helpful as I go about labbing: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html#wp1083060 . This can definitely make or break a configuration and I would suggest you be well versed in it.

Today, I have a rack rental scheduled where I’m going to revisit INE Vol 2 – Lab 4. I’ll be keeping notes on how it went and I’ll definitely share them with you tomorrow.

Have a great day!

Cheers,

TacACK
