08-22-2006 07:57 AM - edited 02-21-2020 01:07 AM
I have a new ASA 5520 installed, with much thanks to this group, and it's working perfectly.
I did notice one caveat that isn't quite right, and can't figure out, however.
When we had a Linksys as the firewall, it did NAT and DHCP for the clients, and in that DHCP pool we had DNS servers specified. The same is true with the ASA; however, with the ASA, clients from within the LAN cannot resolve our own domain. We can get to every other domain in the world except our own! We need to refer to our servers as 10.0.0.x/xxx instead of domain.com etc.
Any suggestions? We do not host our own DNS, our ISP does this for us, however we could. When we did we had other problems with PAT.
Thanks in advance.
Bob
08-22-2006 08:10 AM
If you are using Microsoft AD DNS servers for your clients, then what I have done before is to create a primary zone for your internet domain and resolve to your RFC1918 addresses as needed. Only your lan hosts will use this so it doesn't affect anything else. There are other tricks if your servers are on a DMZ interface but you didn't mention that.
HTH pls rate!
08-22-2006 08:39 AM
Thanks for the info. You're right, I failed to mention a few things: we really have no MS on our network and certainly no AD. Strictly a Sun Solaris infrastructure with a couple of XP laptops, that's about it. No DMZ either, strictly internal network.
Bob
08-22-2006 09:19 AM
Well the MS/AD was just a common scenario where lan hosts use an "internal" dns server that fetches internet dns resolution on their behalf. Is yours such a scenario or do all lan hosts resolve directly from internet DNS servers?
08-22-2006 09:35 AM
In our scenario all lan hosts resolve from the internet DNS servers, as provided by our ISP.
The part that I'm still scratching my head about is that the $40 Linksys did it just fine :)
08-22-2006 09:55 AM
If your servers are behind the firewall and your Linksys was letting you access them via an address that resides on the outside of the firewall, then your convenience amounted to a security hole that is no longer. The only solution to your dilemma is to use an internal DNS server that will perform the lookups for your internet hosts authoritatively for only your LAN hosts and forward all other requests as I described before. Resolving directly from internet servers has many limitations besides your current situation.
HTH
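The arrangement described in the two replies above (an internal server that is authoritative for the company's own zone with RFC1918 addresses, answers only LAN hosts, and forwards everything else to the ISP) is what BIND or Unbound would be configured to do, for example with Unbound's `local-zone`/`local-data` directives. The following is an added illustration of that decision logic, not code from the thread or from any of the participants. All names, addresses and "upstream" answers in it are constructed stand-ins so it runs offline; the one behaviour worth noticing is that a name under the zone that is missing from the internal view gets NXDOMAIN rather than the public answer, so every public record the LAN needs has to be copied in.

```python
"""Split-horizon ("internal zone") resolver logic, as suggested in the thread.

Added example, not code from the thread. Everything here is constructed:
the zone contents, the RFC1918 addresses and the "upstream" answers are
stand-ins so the logic can run offline. A real deployment puts the same
data into BIND or Unbound; this only models the decision the server makes
for each query.
"""
import ipaddress

# Constructed internal view of the company's public zone. Every name the
# LAN needs must be listed: once this server is authoritative for the
# zone, names missing here get NXDOMAIN, not the public answer.
INTERNAL_ZONE = "domain.com"
INTERNAL_RECORDS = {
    "domain.com": "10.0.0.10",
    "www.domain.com": "10.0.0.10",
    "mail.domain.com": "10.0.0.20",
}

# Constructed stand-in for the ISP's recursive servers (what the LAN hosts
# were asking directly before). It carries the public address of the
# company's own web server to show why asking the ISP does not help from
# inside: the answer is the firewall's outside address.
UPSTREAM_ANSWERS = {
    "www.domain.com": "203.0.113.5",
    "www.example.net": "198.51.100.7",
}

LAN_NETWORK = ipaddress.ip_network("10.0.0.0/8")


def in_zone(name, zone):
    """True if name is zone itself or a subdomain of it (label-aware, so
    'notdomain.com' is not inside 'domain.com')."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def resolve(name, client_ip, forward=UPSTREAM_ANSWERS.get):
    """Answer a query the way the internal server in the thread would.

    Returns (source, address) where source is "internal", "forwarded",
    "nxdomain" or "refused". Clients outside the LAN are refused, so the
    internal view never leaks to the Internet.
    """
    if ipaddress.ip_address(client_ip) not in LAN_NETWORK:
        return ("refused", None)
    name = name.rstrip(".").lower()
    if in_zone(name, INTERNAL_ZONE):
        addr = INTERNAL_RECORDS.get(name)
        return ("internal", addr) if addr else ("nxdomain", None)
    addr = forward(name)
    return ("forwarded", addr) if addr else ("nxdomain", None)


def answer_is_reachable_from_lan(address):
    """The check a LAN client effectively needs: is the address one it can
    reach directly (inside the LAN), rather than the firewall's outside
    address, which the firewall will not loop back for inside clients."""
    return address is not None and ipaddress.ip_address(address) in LAN_NETWORK


if __name__ == "__main__":
    for q in ["www.domain.com", "mail.domain.com", "ftp.domain.com", "www.example.net"]:
        print(q, resolve(q, "10.0.0.55"))
    public = UPSTREAM_ANSWERS["www.domain.com"]
    print("asking the ISP directly:", public, "reachable from LAN:",
          answer_is_reachable_from_lan(public))
```

Running it shows `www.domain.com` resolving to `10.0.0.10` for a LAN client, `ftp.domain.com` returning NXDOMAIN because it was never copied into the internal zone, and the ISP's answer for the same name being an address the LAN cannot use.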
08-22-2006 10:03 AM
Ahhh ok, that makes sense. Thank you.
I was hosting my own at one point but things broke when I used different ports.
I had our domain being resolved OK, but when I went to resolve it at a different port, things broke.
For example going to www.domain.com all was well, but going to www.domain.com:81 or anything other than 80 things broke.
I should take that up on another topic possibly, thank you much for your help.
08-23-2006 12:27 PM
Bob,
I hope you check this post again. Another NetPro posted this:
This is right up your alley and will solve your problem without all the headache I was suggesting.
Regards