Enable DNS on Cisco ASA firewall

donnie
Level 1

Hi all,

I would like to enable DNS on my Cisco ASA firewall (ASA versions 5.x/6.x) so that I can do a ping test to a public hostname, e.g. ping www.yahoo.com.

I have enabled DNS lookup on the inside interface and added a DNS server which is connected to the inside network where the ASA inside interface is connected. However, when I do a "ping www.yahoo.com" from ASDM I get "error %invalid input". Please advise. Thanks in advance.

9 Replies

csaxena
Cisco Employee

Hello Don ,

DNS configured on the ASA cannot be utilized for resolution of yahoo.com or any URL on the ASA CLI. If you wish to ping www.yahoo.com from the ASA, you can use the name command to map the URL to a public IP.

I am sure that is not the requirement and you wish to do this as a connectivity test. I suggest pinging public DNS servers like 4.2.2.2 or 8.8.8.8.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.


Hello Paul,

I guess Don is looking for DNS resolution on the ASA CLI & ASDM. He wishes to resolve URLs in pings from the ASA CLI/ASDM.

Regards,
Chirag

Hi Don,

I do think that it is possible to configure the ASA to resolve an FQDN to an IP address; I can't find any documentation, but you can use the following commands.

The following example assumes that you are using 4.2.2.2 as the DNS server:

asa(config)# dns domain-lookup outside
asa(config)# dns name-server 4.2.2.2

You will see a bunch of options, like dns retries etc., that you can use.

Manish

Hello Manish,

Yes, even I think that is not possible. The example which you stated shall set 4.2.2.2 as the DNS server, and all DNS resolution will be done externally using this as the server.

Regards,

Chirag

donnie
Level 1

Hi Chirag,

The test I need to do is to resolve the IP address of the URL link. Once in a while I need to allow my specific site users to have access to a certain URL, and this URL may have a different IP address depending on the geographical location that you resolve from. Hence I would like to remote into the firewall, resolve from there and add the access rule accordingly. But since the firewall can't resolve names, I need to remote into one of the PCs/servers sitting behind the firewall to do the resolution to check the public IP address for the specific URL for that geographical location.

Hi Manish,

I already tried that before posting this question but it failed to work.

I did a dns domain-lookup inside and a dns name-server 192.168.22.1, which is my inside DNS server, but it failed to work.

Hello Don,

Oh, ok. In that case, this is not possible on the ASA. You can consider doing an nslookup from a PC in that location for that URL and adding rules for that particular IP.

Please mark the post answered for future use of others.

Regards,
Chirag

P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.


Hi Don,

I did the same config and was able to resolve the domain name; there might be rules configured on your inside interface that are stopping the DNS server from replying back to the firewall. Here's what I did (I have inside interface access any any):

av-fw01(config)# dns domain-lookup inside

av-fw01(config)# dns name-server 10.9.106.11

av-fw01(config)# ping yahoo.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.137.149.56, timeout is 2 seconds:
!!!!!

av-fw01(config)# ping av-netdev01
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.9.106.100, timeout is 2 seconds:
!!!!!

You should try setting up captures & try some packet-tracer commands and see why the replies are not reaching your firewall.

Manish

Thanks Manish, this worked!

Cheers,
Chirag
