How to configure DNS on ASA firewall?

Jennifer Halim Tue, 09/07/2010 - 04:37

How is the user getting the IP address? Is it through DHCP, and which device is the DHCP server? DNS settings are normally configured via the DHCP configuration. If you do not have an internal DNS server, you would need to assign DNS servers that have been assigned by your ISP on the DHCP configuration, and/or manually configure the DNS settings.

Are you able to access the internet via IP Address?


LAN users are configured manually with IP addresses. I didn't use DHCP for that. I also used the commands

dns lookup inside

dns name-server  (dns server provided by ISP)

but still I am not able to connect to the internet.

I have a Cisco router at the front end. The firewall's outside address is the router's inside address.

When I connect through the router, bypassing the firewall, I am able to connect to the internet.

What's the possible problem?

Nagaraja Thanthry Tue, 09/07/2010 - 04:40


Can you please check the following on your configuration?

1. You have configured a default route pointing to your ISP router IP

route outside "ISP gw"

2. You have configured dynamic NAT rules for inside hosts

global (outside) 1 interface

nat (inside) 1

3. You do not have any access-list entries applied to inside interface that is blocking traffic from inside to internet

4. You do not have any NAT rule that bypasses the NAT rules in the second


After verifying the above steps, if things are still not working, can you please post your configuration here?



Nagaraja Thanthry Tue, 09/07/2010 - 04:56


What is the DNS server IP you are using? Try using on your PC and see if you are able to connect to internet. Also, try pinging your default gateway (Router IP) from the PC to make sure that the traffic is going out of the firewall and is returning fine.



Nagaraja Thanthry Tue, 09/07/2010 - 05:08

Hello Vinayak,

On your PC, what is the DNS setting? Are you pointing to the ASA or are you pointing to the ISP DNS server? Can you do a NSLOOKUP for a domain and see if you get a response?



sachinga.hcl Tue, 09/07/2010 - 04:52

Hi Vinayak,

ASA cannot act as a DNS server or proxy DNS or DNS caching-only server.

Have you configured the Default Route towards the ISP (assume default gateway is

ASA5520(config)# route outside 1

Here is the basic config I suppose you have done already on your ASA firewall:

Step 1: Configure a privileged level password (enable password)

By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:

ASA5520(config)# enable password mysecretpassword

Step 2: Configure the public outside interface

ASA5520(config)# interface Ethernet0/0
ASA5520(config-if)# nameif outside
ASA5520(config-if)# security-level 0
ASA5520(config-if)# ip address
ASA5520(config-if)# no shut

Step 3: Configure the trusted internal interface

ASA5520(config)# interface Ethernet0/1
ASA5520(config-if)# nameif inside
ASA5520(config-if)# security-level 100
ASA5520(config-if)# ip address
ASA5520(config-if)# no shut

Step 4: Configure PAT on the outside interface

ASA5520(config)# global (outside) 1 interface
ASA5520(config)# nat (inside) 1

Configure the firewall to assign internal IP and DNS address to hosts using DHCP

ASA5520(config)# dhcpd dns
ASA5520(config)# dhcpd address inside
ASA5520(config)# dhcpd enable inside

The above basic configuration is just the beginning for making the appliance operational.

There are many more configuration features that you need to implement to increase the security of your network.

For configuring DNS and NAT, refer to the following:

In a typical DNS exchange a client sends a URL or hostname to a DNS server in order to determine the IP address of that host. The DNS server receives the request, looks up the name-to-IP-address mapping for that host, and then provides the A-record with the IP address to the client. While this procedure works well in many situations, problems can occur. These problems can occur when the client and the host that the client tries to reach are both on the same private network behind NAT, but the DNS server used by the client is on another public network.

Maybe you need to perform DNS doctoring with the static command.

Find the reference link here:

Without looking at your config I cannot tell you specifically what command is missing in your config.

If you could send your config to me on my email [email protected] or [email protected], I will be able to tell what command is missing so as to get to Internet access. You can change your confidential IP to some example IP addresses or put 200.200.x.y so as to maintain your security.

Kind regards,
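
The four checks listed earlier in this thread (default route, dynamic NAT/PAT pair, inside ACL, NAT exemption) and the basic configuration steps in the post above can be run against a saved configuration. This is an added example, not part of any post in the thread: the sample configuration, its addresses, and the names `audit` and `acl_entries` are constructed for illustration, and the ACL matching is a heuristic for the pre-8.3 syntax used here.

```python
import re

# Constructed sample in the pre-8.3 ASA syntax used in this thread (not from the
# page); addresses are documentation ranges. Three faults are planted on purpose.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 192.0.2.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
access-list NONAT extended permit ip any any
access-list INSIDE_IN extended permit tcp any any eq www
nat (inside) 0 access-list NONAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE_IN in interface inside
"""

def acl_entries(text, name):
    """Permit entries of one named access-list (hypothetical helper)."""
    return [l for l in text.splitlines()
            if l.startswith(f"access-list {name} ") and " permit " in l]

def audit(config):
    """Return finding codes for the four checklist items from the thread."""
    text = "\n".join(l.strip() for l in config.splitlines() if l.strip())
    findings = []
    # 1. Default route via outside (ASA accepts 0 as shorthand for 0.0.0.0).
    if not re.search(r"^route outside (0\.0\.0\.0|0) (0\.0\.0\.0|0) \S+", text, re.M):
        findings.append("NO_DEFAULT_ROUTE")
    # 2. Dynamic NAT/PAT: nat (inside) N needs a global (outside) with the same N.
    nat_ids = set(re.findall(r"^nat \(inside\) ([1-9]\d*) ", text, re.M))
    global_ids = set(re.findall(r"^global \(outside\) (\d+) ", text, re.M))
    if not nat_ids & global_ids:
        findings.append("NO_DYNAMIC_NAT")
    # 3. An ACL bound inbound on inside ends in an implicit deny, so DNS
    #    (UDP/53) must be permitted explicitly or by a broad "permit ip".
    for acl in re.findall(r"^access-group (\S+) in interface inside$", text, re.M):
        if not any(re.search(r" permit (ip |udp .* eq (domain|53)$)", e)
                   for e in acl_entries(text, acl)):
            findings.append("INSIDE_ACL_BLOCKS_DNS")
    # 4. A nat 0 exemption whose ACL has destination "any" takes Internet-bound
    #    traffic out of the PAT rule checked in item 2.
    for acl in re.findall(r"^nat \(inside\) 0 access-list (\S+)", text, re.M):
        if any(e.endswith(" any") for e in acl_entries(text, acl)):
            findings.append("NAT_EXEMPT_MATCHES_INTERNET")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the missing default route, the inside ACL that permits only web traffic, and the over-broad NAT exemption; an empty list means none of the four checklist items was tripped.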


