DNS Resolution - Not Working

Unanswered Question
Oct 2nd, 2009

My requirement is Local DNS Server on LAN to resolve all internet resolution for LAN Users.

On ASA I have natted public IP to DNS server IP, but it doesn't seem to work.

Any help?

ASA config is attached.

DNS Server on LAN :

dhananjoy chowdhury Fri, 10/02/2009 - 10:04

Can you check these

- Are you able to do a DNS lookup from the LAN DNS server itself? If yes, then did you configure this server as a DNS forwarder?

- also on the ASA, is inspect DNS still there?

Amin Shaikh Fri, 10/02/2009 - 11:18

From LAN DNS Server I cannot resolve internet-Host. I have DNS Forwarder configured on LAN DNS Server.

On ASA I have tested with INSPECT DNS and without. But no Luck...

Is the ASA configuration correct for my requirement?

dhananjoy chowdhury Sat, 10/03/2009 - 02:48

Your fw inside ip address, but dns server is is this on some other vlan behind some other L3 device? If so, does the firewall have the route for reaching the network 192.168.100.X?

Also you may try to remove the static NAT and do a hide NAT with the outside interface. Then try to access the internet from the local DNS server.

no static (inside,Outside)

global (Outside) 1 interface

nat (inside) 1

If it works, then the problem here may be with arp-proxy or an interface ACL on your internet router.

Try adding a static arp on your internet router for the public IP you are using for static NAT.
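
The static-NAT to hide-NAT swap suggested in the post above, written out in full as an added example that is not part of any poster's message or of the attached config. It uses the pre-8.3 ASA syntax seen in the thread; every address is a constructed placeholder (192.168.100.10 for the LAN DNS server, 203.0.113.10 for the public IP, 192.168.1.254 for an inside next hop, 198.51.100.53 for an upstream resolver).

```text
! Constructed placeholders, not values from the thread:
!   192.168.100.10  LAN DNS server
!   203.0.113.10    public IP currently used in the static NAT
!   192.168.1.254   next hop on the inside segment (only if the server
!                   sits behind another L3 device)
!   198.51.100.53   upstream resolver used as the forwarder target
!
! 1. Remove the one-to-one translation and flush its xlate entry
no static (inside,Outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255
clear xlate local 192.168.100.10
!
! 2. Hide NAT (PAT) the server network behind the outside interface address
global (Outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
!
! 3. Route back to the server network if it is not directly connected
route inside 192.168.100.0 255.255.255.0 192.168.1.254
!
! 4. Verify: simulate a DNS query from the server, then inspect the
!    translation and routing tables
packet-tracer input inside udp 192.168.100.10 1025 198.51.100.53 53
show xlate local 192.168.100.10
show route
```

If the packet-tracer result is ALLOW and resolution works with PAT but fails again once the static NAT is restored, the upstream router is the place to look, since the PAT address is the firewall's own interface address and needs no proxy ARP.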

Amin Shaikh Sat, 10/03/2009 - 11:40

Reachability is there.

I didn't understand adding static ARP on the internet router. What do you mean?

Please explain

Kureli Sankar Sun, 10/04/2009 - 05:40

That static ARP on the upstream router is to send packets destined to the PUBLIC address towards the firewall's outside interface's MAC address.

Pls. try loading google.com by its IP address in the browser.


If this works then, for one host on the inside change the DNS server's ip address to and see if you get name resolution and be able to load the page by the name and not IP address.

Let us know how that goes.

Amin Shaikh Sun, 10/04/2009 - 08:28

Thank you. Didn't help.

Reloading doesn't help as well.

With name or IP it doesn't browse.

Any helpful internet link showing steps required on Windows 2003 Server and ASA to recheck the config?

Is the config done on ASA (1st post) correct?

