I have an ASA5505 with the base license. It is connected to a Cisco 1760 router with multple internal networks.
I have setup RIP between the ASA and the 1760, the ASA is properly feeding a default route to the 1760.
The ASA5505 has an internal IP of 192.168.1.1 and is being assigned an external IP via DHCP from the ISP.
What is odd is about this is clients on any of the other internal networks, can access the internet via a web browser. For example a client with an IP address of 192.168.2.59 can access the internet. However DNS and HTTP connections internally do not work. I can ping my internal DNS server with an IP address, but cannot ping it or any other internal clients by name. Nslookup only looks at the external DNS server (188.8.131.52) for name resolution requests. Even though there are two internal DNS servers defined. Any HTTP requests to servers on the 192.168.1.x subnet timeout using either IP address or DNS names.
I am aware of NAT exemption and I think I have properly configured it.
I have been working on this for a number of weeks, performing searches on CCO, scanning this Forum and the web and I cannot find an explanation for what is going on.
I am running version 7.2 of the ASA software.
Any help would be greatly appreciated.
I have attached a diagram of the network. Hopefully someone has configured this kind of setup before and will be able to give me an idea of what I am missing.
I have the same-security-traffic permit inter-interface and intra-interface commands in the ASA.
Very glad to hear.
You do not need the U-Turn statics any more. Stati(inside,inside) is to U-Turn a packet off the same interface it arrived. Like your 192.168.1.0/24 host with the FW as the gateway that wanted to reach 192.168.2.0/24 network. The FW has to send it right back out the same interface right?
I gave you those commands to fix the problem when you had everything broken - Gateway pointing the FW instead of the router.
Now, I have asked you to fix it the right way. So, you do not need those U-Turn translations or that sysopt command.
You can put back dns inspection.