ASA5510: how to relay DNS requests?

Unanswered Question
Sep 5th, 2010

My internal network is 10.201.4.0/24

I have an ASA5510 as my gateway. Its inside interface IP address is 10.201.4.254. In the ASA5510, I set the name server provided by my ISP.


All my internal computers use the firewall's inside interface as their gateway.


But if I use 10.201.4.254 as my DNS server, I cannot resolve any website, although I can ping the name server address. If I use that address as the name server on the ASA5510, I can resolve and access any website.


How do I relay my internal computers' DNS requests? Or how should DNS be set up on the ASA5510?



User Access Verification

Password:
Type help or '?' for a list of available commands.
newasa> en
Password: ********
newasa# show run
: Saved
:
ASA Version 8.2(2)
!
hostname newasa
domain-name ×.com.cn
enable password VRIzSJfqn.dBz8oC encrypted
passwd ylb0fjK3sGYJGNdJ encrypted
names
name ×.×.×.18 Out_IP_18
name ×.×.×.22 Out_IP_22
name ×.×.×.19 Outside_interface_19
name ×.×.×.20 Out_IP_20
name 192.168.50.0 new_dhcppool
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.201.4.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address ×.×.×.21 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CST 8
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server 210.22.70.3
name-server 202.96.209.133
domain-name ×.com.cn
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
port-object eq telnet
port-object eq 3389
object-group service group_tcp_60151-8 tcp
port-object range 60151 60158
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object icmp6
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp6
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
group-object group_tcp_60151-8
port-object eq www
access-list outside_access_in extended permit tcp any host Out_IP_20 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host Out_IP_18 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host Out_IP_22 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any ×.×.×.16 255.255.255.248

access-list inside_nat0_outbound extended permit ip new_dhcppool 255.255.255.0 any

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool newssl_inside 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 10.201.4.0 255.255.255.0

static (inside,outside) tcp Out_IP_18 www 10.201.4.2 www netmask 255.255.255.255

static (inside,outside) tcp Out_IP_18 https 10.201.4.2 https netmask 255.255.255.255
static (inside,outside) tcp Out_IP_20 60151 10.201.4.151 8080 netmask 255.255.255.255
static (inside,outside) tcp Out_IP_20 60158 10.201.4.158 9090 netmask 255.255.255.255
static (inside,outside) tcp Out_IP_20 60155 10.201.4.155 8080 netmask 255.255.255.255
static (inside,outside) tcp Out_IP_20 60154 10.201.4.154 8080 netmask 255.255.255.255
static (inside,outside) tcp Out_IP_20 60153 10.201.4.153 8080 netmask 255.255.255.255
static (inside,outside) tcp Out_IP_20 60152 10.201.4.152 8080 netmask 255.255.255.255
static (inside,outside) tcp Out_IP_22 ssh 10.201.4.5 ssh netmask 255.255.255.255
static (inside,outside) tcp Out_IP_22 3389 10.201.4.5 3389 netmask 255.255.255.255
static (inside,outside) tcp Out_IP_22 ftp 10.201.4.5 ftp netmask 255.255.255.255

static (inside,outside) tcp Out_IP_22 telnet 10.201.4.5 telnet netmask 255.255.255.255
static (inside,outside) tcp Out_IP_22 ftp-data 10.201.4.5 ftp-data netmask 255.255.255.255

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 ×.×.×.17 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8000
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.201.4.0 255.255.255.0 inside
telnet timeout 5
ssh 10.201.4.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
address-pools value newssl_inside
webvpn
  svc ask none default svc
username admin password drOfjpTS3t3j27S2 encrypted privilege 15
tunnel-group newsslconnprofile type remote-access
tunnel-group newsslconnprofile general-attributes
address-pool newssl_inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0e770bc4aee2029657c252637773ec7d
: end
newasa#
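The `dns server-group` and `name-server` lines in the running config above only serve lookups the ASA itself performs (for `name` resolution, `ping hostname` and similar); ASA 8.2 has no DNS proxy or forwarder, so nothing on the firewall answers queries that hosts send to 10.201.4.254. As an added example, not part of the original post, here is how the same ISP resolvers could instead be handed straight to the inside hosts through the ASA's built-in DHCP server; the DHCP pool range, lease time and domain name are assumptions.

```cisco
! Added example. The resolver settings below are already in the running config and
! are used only for lookups the ASA itself sends out; the ASA does not listen for
! DNS queries from inside hosts and will not relay them.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 210.22.70.3
 name-server 202.96.209.133

! Give the inside hosts the ISP resolvers directly via DHCP instead of pointing them
! at 10.201.4.254 (pool range, lease and domain are assumed values, not from the post).
dhcpd address 10.201.4.100-10.201.4.200 inside
dhcpd dns 210.22.70.3 202.96.209.133
dhcpd domain example.com.cn
dhcpd lease 86400
dhcpd enable inside
```

Hosts that keep a static DNS entry of 10.201.4.254 will still fail; they need the ISP resolvers (or an internal DNS server) configured directly. Note that the existing `inspect dns migrated_dns_map_1` policy with `message-length maximum 512` will still be applied to the clients' DNS traffic as it crosses from inside to outside.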

Asim Malik Mon, 09/06/2010 - 02:00

The same-security-traffic intra-interface command lets traffic enter and exit the same interface. Can you try this command, if that is the case?

Asim Malik Mon, 09/06/2010 - 21:47

Where is the host from which you are sending the request located with respect to the ASA interfaces? Suppose your host sits behind the inside interface of the ASA and the DNS server is also behind the inside interface; the DNS request will be blocked by the ASA, because its default behaviour is to not let traffic go back out the interface that has the same security level as the interface the traffic is coming from. I'd say put that command in and go ahead and test.

headbigger Thu, 09/09/2010 - 22:26

Thank you, Asim Malik.


I am on the internal network and use the firewall's internal interface as my DNS server. In the firewall, I have configured the DNS client with the address provided by my ISP.


So, from the internal network, I can access any website on the Internet. But it's not working: the firewall could not resolve domain names to IPs.

nelba_aldovino Tue, 10/05/2010 - 02:24

Hi Farrak Wan,


How did you configure the setting below? Because I can't configure that on my ASA 5510.

How did you do that?


service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0e770bc4aee2029657c252637773ec7d



Thank you so much.
