03-03-2011 05:41 PM - edited 03-11-2019 01:00 PM
Hi all,
I would like to enable DNS on my Cisco ASA firewall on ASA versions 5.x/6.x so that I can do a ping test to a public hostname, e.g. ping www.yahoo.com
I have enabled DNS lookup on the inside interface and added a DNS server which is connected to the inside network where the ASA inside interface is connected. However, when I do a "ping www.yahoo.com" from ASDM I got "error %invalid input". Please advise. Thanks in advance.
03-03-2011 05:59 PM
Hello Don ,
DNS configured on the ASA cannot be utilized for resolution of yahoo.com or any URL on the ASA CLI. If you wish to ping www.yahoo.com from the ASA, you can use the name command to map the URL to a public IP.
I am sure that is not the requirement and you wish to do this as a connectivity test. I suggest pinging public DNS servers like 4.2.2.2 or 8.8.8.8.
Hope this helps. Please reply back if you need any further assistance.
Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
03-03-2011 06:06 PM
Here is a document that could help you understand DNS doctoring:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
03-03-2011 06:19 PM
Hello Paul,
I guess Don is looking for DNS resolution on the ASA CLI & ASDM. He wishes to resolve URLs in pings from the ASA CLI/ASDM.
Regards,
Chirag
03-03-2011 06:44 PM
Hi Don,
I do think that it is possible to configure the ASA to resolve an FQDN to an IP address. I can't find any documentation, but you can use the following commands:
The following example assumes that you are using 4.2.2.2 as the DNS server:
asa(config)#dns domain-lookup outside
asa(config)#dns name-server 4.2.2.2
You will see a bunch of options like dns retries etc. that you can use.
Manish
03-03-2011 08:18 PM
Hello Manish,
Yes, even I think that is not possible. The example which you stated shall set 4.2.2.2 as the DNS server, and all DNS resolution will be done externally using this as the server.
Regards,
Chirag
03-03-2011 09:48 PM
Hi Chirag,
The test I need to do is to resolve the IP address of the URL link. Once in a while I need to allow my specific site users to have access to a certain URL, and this URL may have a different IP address depending on the geographical location that you resolve from. Hence I would like to remote into the firewall, resolve from there and add the access rule accordingly. But since the firewall can't resolve names, I need to remote into one of the PCs/servers sitting behind the firewall to do the resolution to check the public IP address for the specific URL for that geographical location.
Hi Manish,
I already tried that before posting this question but it failed to work.
I did a dns domain-lookup inside and a dns name-server 192.168.22.1, which is my inside DNS server, but it failed to work.
03-03-2011 10:06 PM
Hello Don,
Oh, OK. In that case, this is not possible on the ASA. You can consider doing an nslookup from a PC in that location for that URL and adding rules for that particular IP.
Please mark the post answered for future use of others.
Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
03-04-2011 09:57 AM
Hi Don,
I did the same config and was able to resolve the domain name. There might be rules configured on your inside interface that are stopping the DNS server from replying back to the firewall. Here's what I did, and I have inside interface access to any any:
av-fw01(config)# dns domain-lookup inside
av-fw01(config)# dns name-server 10.9.106.11
av-fw01(config)# ping yahoo.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.137.149.56, timeout is 2 seconds:
!!!!!
av-fw01(config)# ping av-netdev01
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.9.106.100, timeout is 2 seconds:
!!!!!
You should try setting up captures and try some packet-tracer commands to see why the replies are not reaching your firewall.
Manish
03-04-2011 06:00 PM
Thanks Manish, this worked!
Cheers,
Chirag