dmz dns query on asa 5540

samirshaikh52
Level 2

Hi Expert.

How can I allow a DMZ-zone server to resolve only DNS queries made through nslookup on an ASA 5540?

What configuration is required on the ASA 5540?

Thanks

13 Replies 13

Maykol Rojas
Cisco Employee

Samir,

So if the host automatically wants to know the name of a server on the outside, you don't want that? You only want the ASA to permit the DNS query if it is being executed through nslookup?

Mike

Mike,

Thanks for your reply.

"You only want the ASA to permit the DNS query if it is being executed through nslookup?" YES, EXACTLY.

This question is not answered. By mistake I clicked on Correct Answer.

Samir,

I just did a quick packet capture to see if there was any remarkable difference between the query done automatically by the computer and the one executed via nslookup, and they are the same. Nothing changes. Since there is no verifiable way to differentiate one from the other, you may need to find a solution that can be implemented on the host itself.

Mike

Mike,

I want to know:

How can I allow HTTP requests from the DMZ-zone server to a specific outside web server (e.g. 1.1.1.1)?

Can you advise?

Have you checked the following doc:

https://supportforums.cisco.com/docs/DOC-17014

HTH

Unfortunately, this is not what I'm looking for.

Hi Samir,

By IP address it will be very simple; depending on the security levels (higher than 0 for the DMZ and 0 for the outside) it will be allowed by default.

If there is an access-list already applied denying all the HTTP traffic, what you need to do is simply allow that specific host on the ACL and then deny the rest:

```
! The DMZ server address and the outside web server address were omitted
! in the original post ("host <dmz-server> host <web-server>"); fill them in.
Access-list DMZ permit tcp host host eq 80
Access-list DMZ deny ip any any
access-group DMZ in interface DMZ
```

Then you can add a host entry to the hosts file of the server on the DMZ to translate the IP address to a hostname, and you will be able to access it using the web browser (not really scalable, but it works).

WARNING: This will only allow traffic from the DMZ server going to the specific host on the internet on port 80; any other traffic going to any other interface will be dropped.

Mike

Do you I NAT ?

Didn't quite get the last message, can you explain please?

Mike

Ok, the last thing I want to ask.

I have configured the public DNS IP on my server interface (e.g. 2.2.2.2). I want to do an nslookup for google.com, but it gives me the error "request time-out". But if I create this rule on the ASA, e.g.:

```
nat (DMZ-1) 10 172.16.1.202 255.255.255.255 tcp 0 0 udp 0
```

it works fine. I know it is not secure to allow everything. How can I successfully perform nslookup without giving all access?

I hope it's clear.

Thanks

Samir

Just permit udp 53 for that host to go out on your ACL while denying the rest of the traffic.

Mike

Please can you provide me the command line.
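Putting the pieces of this thread together as an added example (this is not configuration posted by either participant): an ASA 8.2-style configuration, matching the syntax of the nat line posted above, that lets the DMZ server resolve names against its configured public resolver and reach the one outside web server, and drops everything else. The addresses (DMZ server 172.16.1.202, DNS server 2.2.2.2, web server 1.1.1.1) and the interface name DMZ-1 are taken from the thread; the ACL name DMZ-1_in and the global pool statement are assumptions made for this example.

```cisco
! ASA 8.2-style syntax (matches the "nat (DMZ-1) 10 ..." line posted in the thread).
! Addresses from the thread: DMZ server 172.16.1.202, public DNS server 2.2.2.2,
! outside web server 1.1.1.1. The interface name DMZ-1 comes from the posted nat line;
! the ACL name DMZ-1_in and the global pool number 10 are assumptions for this example.

! Translate the DMZ server behind the outside interface address (dynamic PAT).
! The nat/global pair only provides address translation; it does not decide what is
! permitted. That decision is made by the ACL applied to the DMZ-1 interface below.
nat (DMZ-1) 10 172.16.1.202 255.255.255.255
global (outside) 10 interface

! Inbound ACL on DMZ-1: first match wins, so the specific permits come first.
! DNS: only UDP/53 from the DMZ server to the configured public resolver.
access-list DMZ-1_in extended permit udp host 172.16.1.202 host 2.2.2.2 eq domain
! HTTP: only TCP/80 from the DMZ server to the single outside web server.
access-list DMZ-1_in extended permit tcp host 172.16.1.202 host 1.1.1.1 eq www
! Everything else leaving the DMZ (towards any interface) is dropped and logged.
access-list DMZ-1_in extended deny ip any any log

access-group DMZ-1_in in interface DMZ-1
```

DNS and HTTP replies come back through the ASA's stateful connection table, so no ACL entry on the outside interface is needed for the responses. `show access-list DMZ-1_in` shows a hit count per entry: after an nslookup from the DMZ server the UDP/53 line should increment, so a "request timed out" with a zero hit count points at the ACL or the NAT, while a nonzero count points at the path beyond the ASA or the resolver. Note that the ACL matches only on addresses, protocol and port, so it cannot tell an nslookup query from one issued by the host's own resolver; both are UDP/53 from the same source, which is what the packet capture earlier in the thread showed.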
