
DNS Resolution in Cisco ASA 5525

Cityofrefuge7
Level 1

Hey all,

I will begin by telling you what my end goal is: I am trying to block specific websites on our Cisco ASA 5525 using FQDN. I know that this functionality for DNS resolution was not implemented until a specific version.

Current Version: Cisco ASA 5525

ASA Version: 8.6(1)

I can ping external addresses from the ASA; however, I cannot ping hostnames, e.g. "ping google.ca" does not work.

What I've done.

dns domain-lookup inside

dns domain-lookup outside

name-server x.x.x.x (Primary internal dns server)

name-server x.x.x.x (Secondary internal dns server)

name-server 8.8.8.8 (Google external dns server)

name-server 8.8.4.4 (Google external dns server)

domain-name example.com

With this config I can, however, ping hostnames of internal servers.

This is an example of me pinging an external hostname.

ciscoasa# ping google.ca

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:803::101f, timeout is 2 seconds:

No route to host 2607:f8b0:4009:803::101f

Success rate is 0 percent (0/1)

Any ideas?

Thanks!

5 Replies

johnlloyd_13
Level 9

Hi Jonathan,

Could you try adding them using the default DNS group?

dns server-group DefaultDNS

name-server x.x.x.x

name-server 8.8.8.8

name-server 8.8.4.4

domain-name example.com

Hi John,

Thanks for your quick reply.

I forgot to mention that I was adding the name servers and domain name to the DefaultDNS group already, though I did remove my secondary internal DNS server to reflect exactly what you sent to me. Unfortunately, still no luck.

Hi,

Could you post 'ping www.google.com' and 'show route' output?



officeasa# ping www.google.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:802::1012, timeout is 2 seconds:

No route to host 2607:f8b0:4009:802::1012

Success rate is 0 percent (0/1)

John, due to the sensitive nature of what is displayed within the show route output, is there any other information I can tell you? What exactly did you need to see from this information?

(I know without certain information you cannot help, but I need to ensure security on my end.)

Thanks for understanding.

Any other ideas, guys?
