09-07-2010 03:35 AM - edited 03-11-2019 11:36 AM
Hello All,
I am new to the Cisco ASA firewall. As shown on the Cisco website, I have done my basic configuration on the ASA. But still I am not able to connect to the internet. I think I have some problem with the DNS server. Can anyone tell me how to configure DNS on the ASA?
Thanks...
09-07-2010 04:37 AM
How is the user getting the IP address? Is it through DHCP, and which device is the DHCP server? DNS settings are normally configured via the DHCP configuration. If you do not have an internal DNS server, you would need to assign the DNS servers that have been assigned by your ISP in the DHCP configuration, and/or manually configure the DNS settings.
Are you able to access the internet via IP address?
09-07-2010 04:43 AM
Hey,
LAN users are configured manually with IP addresses. I didn't use DHCP for that. I also used the commands
dns lookup inside
dns name-server (dns server provided by ISP)
but still I am not able to connect to the internet.
I have a Cisco router at the front end. The firewall outside address is the router's inside address.
When I connect through the router, bypassing the firewall, I am able to connect to the internet.
What's the possible problem?
09-07-2010 04:40 AM
Hello,
Can you please check the following on your configuration?
1. You have configured a default route pointing to your ISP router IP
route outside 0.0.0.0 0.0.0.0 "ISP gw"
2. You have configured dynamic NAT rules for inside hosts
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
3. You do not have any access-list entries applied to the inside interface that are blocking traffic from inside to the internet
4. You do not have any NAT rule that bypasses the NAT rules in the second step.
After verifying the above steps, if things are still not working, can you please post your configuration here?
Regards,
NT
09-07-2010 04:45 AM
Dear Nagaraja,
Yes, I have done all these basic configurations.
2 days ago everything was working fine. But this morning no one from the LAN is able to connect to the internet.
What's the possible problem?
09-07-2010 04:56 AM
Hello,
What is the DNS server IP you are using? Try using 4.2.2.2 on your PC and see if you are able to connect to the internet. Also, try pinging your default gateway (router IP) from the PC to make sure that the traffic is going out of the firewall and is returning fine.
Regards,
NT
09-07-2010 05:04 AM
Dear Sachin,
Thanks for your reply.
I have already done all these basic configs, but the problem is still the same. I am also able to ping my router's IP from the LAN.
Are these the right commands:
dns domain-lookup
dns name-server (dns ip provided by ISP)
Are these commands sufficient for DNS?
09-07-2010 05:08 AM
Hello Vinayak,
On your PC, what is the DNS setting? Are you pointing to the ASA or are you pointing to the ISP DNS server? Can you do an NSLOOKUP for a domain and see if you get a response?
Regards,
NT
09-07-2010 05:11 AM
Dear Nagaraja,
I am using the ISP DNS servers on my PC. Everything was working fine until yesterday, but this problem arose this morning.
When i do nslookup it shows DNS REQUEST TIME OUT...
09-07-2010 05:14 AM
Hello,
Try 4.2.2.2 as the DNS server and see if that works. It could be that the ISP DNS server is having issues.
Regards,
NT
09-07-2010 05:16 AM
OK, I will try it.
Thanks a lot for the help.
09-07-2010 04:52 AM
Hi Vinayak,
The ASA cannot act as a DNS server, a proxy DNS, or a DNS caching-only server.
Have you configured the default route towards the ISP (assume the default gateway is 100.100.100.200)?
ASA5520(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.200 1
Here is the basic config I suppose you have already done on your ASA firewall:
Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this in configuration mode:
ASA5520(config)# enable password mysecretpassword
Step 2: Configure the public outside interface
ASA5520(config)# interface Ethernet0/0
ASA5520(config-if)# nameif outside
ASA5520(config-if)# security-level 0
ASA5520(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5520(config-if)# no shut
Step 3: Configure the trusted internal interface
ASA5520(config)# interface Ethernet0/1
ASA5520(config-if)# nameif inside
ASA5520(config-if)# security-level 100
ASA5520(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5520(config-if)# no shut
Step 4: Configure PAT on the outside interface
ASA5520(config)# global (outside) 1 interface
ASA5520(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5520(config)# dhcpd dns 200.200.200.10
ASA5520(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5520(config)# dhcpd enable inside
The above basic configuration is just the beginning for making the appliance operational.
There are many more configuration features that you need to implement to increase the security of your network.
For configuring DNS and NAT, refer to the following:
http://www1.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079324
In a typical DNS exchange a client sends a URL or hostname to a DNS server in order to determine the IP address of that host. The DNS server receives the request, looks up the name-to-IP-address mapping for that host, and then provides the A-record with the IP address to the client. While this procedure works well in many situations, problems can occur. These problems can occur when the client and the host that the client tries to reach are both on the same private network behind NAT, but the DNS server used by the client is on another public network.
Maybe you need to perform DNS Doctoring with the static command.
Find the reference link here:
Without looking at your config I cannot tell you specifically what command is missing in your config.
If you could send your config to me at my email sachinga@hcl.in or sachin.koenig@gmail.com, I will be able to tell what command is missing so as to get Internet access. You can change your confidential IPs to some example IP addresses, or put 200.200.x.y, so as to maintain your security.
Kind regards,
Sachin
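The four-point checklist NT posted earlier (default route, dynamic NAT, no deny entries on the inside ACL, no NAT exemption bypassing the dynamic rule) and the basic ASA 8.2-style config Sachin lays out above can be checked mechanically against a saved `show running-config` before anyone mails a config around. The script below is an added example written for this thread, not code from Cisco or from any poster; the two configurations it parses are constructed here (the working one is modelled on Sachin's sample addresses, the broken one adds an inside ACL deny and a `nat (inside) 0` exemption), and the check for the `dns domain-lookup` / `dns name-server` pair Vinayak asked about only confirms the commands are present, since, as Sachin notes, they affect the appliance's own lookups rather than the LAN clients' resolution.

```python
import re

# Constructed sample config in the old (pre-8.3) NAT syntax used in this thread.
# Addresses follow Sachin's example; this is not a capture from the original poster.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
dns domain-lookup inside
dns name-server 200.200.200.10
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.100.100.200 1
"""

# Same config with two of the faults from NT's checklist added (constructed).
BROKEN_CONFIG = SAMPLE_CONFIG + """\
access-list inside_in extended deny udp any any eq domain
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
nat (inside) 0 access-list no_nat
"""


def _lines(config):
    """Strip blank lines and trailing whitespace; keep the config order."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip()]


def check_asa_config(config):
    """Return a list of problems found against the checklist; [] means all checks pass."""
    lines = _lines(config)
    problems = []

    # 1. A default route out of the outside interface towards the ISP gateway.
    if not any(re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 \S+", ln) for ln in lines):
        problems.append("no default route: expected 'route outside 0.0.0.0 0.0.0.0 <ISP gw>'")

    # 2. Dynamic PAT: a global pool on outside whose id matches a nat id on inside.
    global_ids = {m.group(1) for ln in lines
                  for m in [re.match(r"global \(outside\) (\d+) ", ln)] if m}
    nat_ids = {m.group(1) for ln in lines
               for m in [re.match(r"nat \(inside\) (\d+) ", ln)] if m}
    if not (global_ids & (nat_ids - {"0"})):
        problems.append("no dynamic NAT: need 'global (outside) N interface' and "
                        "'nat (inside) N 0.0.0.0 0.0.0.0' with the same N")

    # 3. Any ACL applied inbound on inside must not carry deny entries.
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface inside", ln)
        if m:
            acl = re.escape(m.group(1))
            for entry in lines:
                if re.match(rf"access-list {acl} (extended )?deny ", entry):
                    problems.append(f"inside ACL '{m.group(1)}' has a deny entry: {entry}")

    # 4. nat id 0 is NAT exemption and bypasses the dynamic rule from step 2.
    for ln in lines:
        if re.match(r"nat \(inside\) 0 ", ln):
            problems.append(f"NAT exemption bypasses dynamic NAT: {ln}")

    # DNS commands for the appliance's own name resolution.
    if not any(ln.startswith("dns domain-lookup ") for ln in lines):
        problems.append("ASA DNS lookups disabled: missing 'dns domain-lookup <ifname>'")
    if not any(ln.startswith("dns name-server ") for ln in lines):
        problems.append("no DNS server on the ASA: missing 'dns name-server <ip>'")

    return problems


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        found = check_asa_config(cfg)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against a saved running-config by passing the file contents to `check_asa_config`; an empty list means the static checklist is satisfied and the next step is the live tests NT suggested (ping the gateway, then resolve against 4.2.2.2), since a textually complete config says nothing about whether the ISP resolver is answering.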