03-31-2015 08:52 AM
All,
I'm trying to determine what I am doing wrong. I have a remote site with an IPSEC tunnel handled by an ASA 5505 running latest code 9.2(3). When I try to enable DNS resolution on the remote ASA against DNS servers here at the main office, name resolution fails. I enabled DNS resolution on interface inside (which is usually the interface I enable when I want to route traffic through the tunnel).
When I enable debug on DNS, I get:
DNS: DNS is not Enabled on interface vPifNum=3 for nameserver ip=***.***.***.***
It would not have occurred to me that resolving DNS on the ASA over the tunnel would not be supported. Am I just configuring things incorrectly? I can enable DNS on interface outside, but then it routes the traffic over the Internet, which is not what I want. I also tried enabling and disabling DNS inspection in the global policy.
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.***.***
name-server 192.168.***.***
domain-name ************.local
03-31-2015 03:34 PM
I'm not sure I really understand your topology. But for DNS lookup, the command "dns domain-lookup" has to be enabled on the interface(s) over which your DNS servers are reachable. In your case, that is the interface that routes to 192.168.***.***.
For the remote ASA, these DNS queries would be sent from the outside IP of the ASA. To reach your internal HQ DNS, your crypto ACL has to include the traffic from the public IP of the remote ASA to your HQ network.
Or another solution would be to place a DNS resolver into the branch network and send the dns-queries to that system.
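The configuration the reply above describes, written out as an added example (not config from either poster). Interface names, object names and all addresses are assumed: the branch ASA's outside IP 203.0.113.10 and the HQ ASA's peer 198.51.100.1 are RFC 5737 documentation addresses, and 192.168.10.0/24 (HQ, with DNS servers .5 and .6) and 192.168.20.0/24 (branch) are placeholders for the masked networks in the original post.

```text
! ===== Branch ASA (remote site) =====
! Self-originated DNS leaves via the interface that routes to the name
! servers, which at the branch is outside (default route), so enable
! lookup there, not on inside.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.10.5
 name-server 192.168.10.6
 domain-name example.local
!
object network BRANCH-LAN
 subnet 192.168.20.0 255.255.255.0
object network HQ-LAN
 subnet 192.168.10.0 255.255.255.0
object network BRANCH-ASA-OUTSIDE
 host 203.0.113.10
!
! Crypto ACL: keep the existing LAN-to-LAN entry and add the ASA's own
! public IP as a source, so its DNS queries match the tunnel instead of
! going out in the clear over the Internet.
access-list VPN-TO-HQ extended permit ip object BRANCH-LAN object HQ-LAN
access-list VPN-TO-HQ extended permit ip object BRANCH-ASA-OUTSIDE object HQ-LAN
crypto map OUTSIDE_MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1

! ===== HQ ASA (main office) =====
! The crypto ACL must mirror the branch side, including the new host entry.
object network BRANCH-LAN
 subnet 192.168.20.0 255.255.255.0
object network HQ-LAN
 subnet 192.168.10.0 255.255.255.0
object network BRANCH-ASA-OUTSIDE
 host 203.0.113.10
access-list VPN-TO-BRANCH extended permit ip object HQ-LAN object BRANCH-LAN
access-list VPN-TO-BRANCH extended permit ip object HQ-LAN object BRANCH-ASA-OUTSIDE
!
! NAT exemption (8.3+ twice-NAT syntax) so the DNS servers' replies to the
! branch ASA's public IP are not translated by the HQ Internet PAT and
! are routed back into the tunnel instead.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-ASA-OUTSIDE BRANCH-ASA-OUTSIDE no-proxy-arp route-lookup
```

After applying this, "debug dns" on the branch ASA should no longer report that DNS is not enabled on the interface, and "show crypto ipsec sa peer 198.51.100.1" should show an additional security association whose local identity is the single host 203.0.113.10/255.255.255.255, confirming the queries are being encrypted rather than sent to the Internet.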
04-01-2015 06:09 AM
OK, thanks. I will experiment with adding the public IP into the tunnel and changing the NAT settings on another site that is closer and safer to mess with, and then I can replicate the solution to the problem site if it solves the issue. Why is it that other ASA services that are bound to the inside interface are able to route through the tunnel, but not DNS? Just curious.
03-31-2015 05:06 PM
Hi there,
Is your main-office DNS server also part of the encryption domain between the two ASAs?
04-01-2015 05:59 AM
Yes, and other services on these same two servers here at the main office are accessed through the tunnel by this ASA. For example, secure LDAP for admin console authentication.