DNS with New ASA

Unanswered Question
Aug 22nd, 2006
User Badges:

I have a new ASA 5520 installed, with much thanks to this group, and its working perfectly.

I did notice one caveat that isnt quite right, and cant figure out however.

When we had a linksys as the firewall, it did NAT and DHCP for the clients and in that DHCP pool we had DNS servers specified. Same is true with the ASA, however with the ASA, clients from within the LAN can not resolve our own domain. We can get to every other domain in the world except our own! We need to refer to our servers as 10.0.0.x/xxx instead of domain.com etc.

Any suggestions? We do not host our own DNS, our ISP does this for us, however we could. When we did we had other problems with PAT.

Thanks in advance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mmorris11 Tue, 08/22/2006 - 08:10
User Badges:
  • Silver, 250 points or more

If you are using Microsoft AD DNS servers for your clients, then what I have done before is to create a primary zone for your internet domain and resolve to your RFC1918 addresses as needed. Only your lan hosts will use this so it doesn't affect anything else. There are other tricks if your servers are on a DMZ interface but you didn't mention that.

HTH pls rate!

mx Tue, 08/22/2006 - 08:39
User Badges:

Thanks for the info. Youre right, I failed to mention a few things, we really have no MS on our network and certainly no AD. Strictly a SUN solaris infrastructure with a couple of XP laptops, thats about it. No DMZ either, strictly internal network.


mmorris11 Tue, 08/22/2006 - 09:19
User Badges:
  • Silver, 250 points or more

Well the MS/AD was just a common scenario where lan hosts use an "internal" dns server that fetches internet dns resolution on their behalf. Is yours such a scenario or do all lan hosts resolve directly from internet DNS servers?

mx Tue, 08/22/2006 - 09:35
User Badges:

In our scenario all lan hosts resolve from the internet DNS servers, as provided by our ISP.

The part that Im still scratching my head about is that the $40 linksys did it just fine :)

mmorris11 Tue, 08/22/2006 - 09:55
User Badges:
  • Silver, 250 points or more

If your servers are behind the firewall and your linksys was letting you access them via an address that resides on the outside of the firewall then your convenience amounted to a security hole that is no longer. The only solution to your dilemma is to use an internal DNS server that will perform the lookups for your internet hosts authoritativley for only your lan hosts and forward all other request as I described before. Resolving directly from internet servers has many limitations besides your current situation.


mx Tue, 08/22/2006 - 10:03
User Badges:

Ahhh ok that makes sense. THank you.

I was hosting my own at one point but things broke when I used different ports.

I had our domain being resolved OK, but when I went to resolve it at a different port, things broke.

For example going to www.domain.com all was well, but going to www.domain.com:81 or anything other than 80 things broke.

I should take that up on another topic possibly, thank you much for your help.


This Discussion