How to configure DNS on ASA firewall ?

Unanswered Question
Sep 7th, 2010

Hello All,

I am new to cisco ASA firewall. As shown on cisco website i have done my basic configuration on ASA. But still i am not able to connect to internet. I think i have some problem in DNS server. Can anyone tell me how to configure DNS on ASA ??

Thanks...

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 4.7 (3 ratings)
Jennifer Halim Tue, 09/07/2010 - 04:37

How is the user getting the IP Address? Is it through DHCP, and which device is the DHCP server? DNS settings are normally configured via the DHCP configuration. If you do not have internal DNS server, you would need to assign DNS servers that have been assigned by your ISP on the DHCP configuration, and/or manually configure the DNS settings.

Are you able to access the internet via IP Address?

vinayak@sakri Tue, 09/07/2010 - 04:43

hey,

Lan users are configured manually with ip address. i didnt use DHCP for that. I also use command

dns lookup inside

dns name-server  (dns server provided by ISP)

but still i am not able to connect to internet.

I am having cisco router at front end. firewall outside address is routers inside address.

when i connect through router bypassing firewall i am able to connect to internet..

Whats the possibal problem ?

Nagaraja Thanthry Tue, 09/07/2010 - 04:40

Hello,

Can you please check the following on your configuration?

1. You have configured a default route pointing to your ISP router IP

route outside 0.0.0.0 0.0.0.0 "ISP gw"

2. You have configured dynamic NAT rules for inside hosts

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

3. You do not have any access-list entries applied to inside interface that

is blocking traffic from inside to internet

4. You do not have any NAT rule that bypasses the NAT rules in the second

step.

After verifying the above steps, if things are still not working, can you

please post your configuration here?

Regards,

NT

vinayak@sakri Tue, 09/07/2010 - 04:45

dear Nagaraja,

Yes i done all these basic configurations..

2 days ago all thing are working fine. But today morning no one from LAN not able to connect to internet..

Whats the possibal problem ??

Nagaraja Thanthry Tue, 09/07/2010 - 04:56

Hello,

What is the DNS server IP you are using? Try using 4.2.2.2 on your PC and

see if you are able to connect to internet. Also, try pinging your default

gateway (Router IP) from the PC to make sure that the traffic is going out

of the firewall and is returning fine.

Regards,

NT

vinayak@sakri Tue, 09/07/2010 - 05:04

Dear sachin,

thanks for ur reply.

i already done all these basic configs.. But still problem is same. I also able to ping my routers IP from LAN..

Is this a right commands :

dns domain-lookup

dns name-server (dns ip rovided by ISP)

are these commands sufficient for DNS ??

Nagaraja Thanthry Tue, 09/07/2010 - 05:08

Hello Vinayak,

On your PC, what is the DNS setting? Are you pointing to the ASA or are you

pointing to the ISP DNS server? Can you do a NSLOOKUP for a domain and see

if you get a response?

Regards,

NT

vinayak@sakri Tue, 09/07/2010 - 05:11

Dear Nagaraja.

I using ISP DNS servers on my PC.  everythink working fine till yesterday, but this problem arises today morning.

When i do nslookup it shows DNS REQUEST TIME OUT...

Nagaraja Thanthry Tue, 09/07/2010 - 05:14

Hello,

Try 4.2.2.2 as DNS server and see if that works. It could be that the ISP

DNS server may be having issues.

Regards,

NT

sachinga.hcl Tue, 09/07/2010 - 04:52

Hi Vinayak,

ASA can not act as a DNS server or proxy DNS or dns caching only server.

Have you configured the Default Route towards the ISP (assume default gateway is 100.100.100.200)

ASA5520(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.200 1

Here are the basic config I suppose you have done already on your ASA firewall:

Step1: Configure a privileged level password (enable password)

By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:

ASA5520(config)# enable password mysecretpassword

Step2: Configure the public outside interface

ASA5520(config)# interface Ethernet0/0
ASA5520(config-if)# nameif outside
ASA5520(config-if)# security-level 0
ASA5520(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5520(config-if)# no shut

Step3: Configure the trusted internal interface

ASA5520(config)# interface Ethernet0/1
ASA5520(config-if)# nameif inside
ASA5520(config-if)# security-level 100
ASA5520(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5520(config-if)# no shut

Step 4: Configure PAT on the outside interface

ASA5520(config)# global (outside) 1 interface
ASA5520(config)# nat (inside) 1 0.0.0.0 0.0.0.0

Configure the firewall to assign internal IP and DNS address to hosts using DHCP

ASA5520(config)# dhcpd dns 200.200.200.10
ASA5520(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5520(config)# dhcpd enable inside

The above basic configuration is just the beginning for making the appliance operational.


There are many more configuration features that you need to implement to increase the security of your network.

For Configuring DNS and NAT refer the following:

http://www1.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079324


In a typical DNS exchange a client sends a URL or hostname to a DNS server in order to determine the IP address of that host. The DNS server receives the request, looks up the name-to-IP-address mapping for that host, and then provides the A-record with the IP address to the client. While this procedure works well in many situations, problems can occur. These problems can occur when the client and the host that the client tries to reach are both on the same private network behind NAT, but the DNS server used by the client is on another public network.

May be you need to Perform DNS Doctoring with the static Command .

Find the reference link here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#problem


Without looking at your config can not tell you specifically what command is missing in your config.

If you could send you config to me on my email sachinga@hcl.in or sachin.koenig@gmail.com , I will be able to tell what command is missing so as to get to Internet access. You can change your confidential IP by some example IP addesses or putting 200.200.x.y so as to maintain your security.


Kind regards,

Sachin

Actions

Login or Register to take actions

This Discussion

Posted September 7, 2010 at 3:35 AM
Stats:
Replies:11 Avg. Rating:4.66667
Views:13559 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard

Rank Username Points
1 7,861
2 6,140
3 3,170
4 1,473
5 1,446