420 Views · 0 Helpful · 7 Replies

DNS with New ASA

mx
Level 1

I have a new ASA 5520 installed, with much thanks to this group, and it's working perfectly.

I did notice one caveat that isn't quite right, and can't figure out, however.

When we had a Linksys as the firewall, it did NAT and DHCP for the clients, and in that DHCP pool we had DNS servers specified. The same is true with the ASA; however, with the ASA, clients from within the LAN cannot resolve our own domain. We can get to every other domain in the world except our own! We need to refer to our servers as 10.0.0.x/xxx instead of domain.com etc.

Any suggestions? We do not host our own DNS, our ISP does this for us, however we could. When we did we had other problems with PAT.

Thanks in advance.

Bob

7 Replies

mmorris11
Level 4

If you are using Microsoft AD DNS servers for your clients, then what I have done before is to create a primary zone for your internet domain and resolve to your RFC1918 addresses as needed. Only your lan hosts will use this so it doesn't affect anything else. There are other tricks if your servers are on a DMZ interface but you didn't mention that.

HTH pls rate!

Thanks for the info. You're right, I failed to mention a few things: we really have no MS on our network and certainly no AD. Strictly a Sun Solaris infrastructure with a couple of XP laptops, that's about it. No DMZ either, strictly internal network.

Bob

Well the MS/AD was just a common scenario where lan hosts use an "internal" dns server that fetches internet dns resolution on their behalf. Is yours such a scenario or do all lan hosts resolve directly from internet DNS servers?

In our scenario all lan hosts resolve from the internet DNS servers, as provided by our ISP.

The part that I'm still scratching my head about is that the $40 Linksys did it just fine :)

If your servers are behind the firewall and your Linksys was letting you access them via an address that resides on the outside of the firewall, then your convenience amounted to a security hole that is no longer. The only solution to your dilemma is to use an internal DNS server that will perform the lookups for your internet hosts authoritatively for only your LAN hosts and forward all other requests as I described before. Resolving directly from internet servers has many limitations besides your current situation.

HTH
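One way to build the LAN-only internal DNS server described in the reply above, as an added example that is not from this thread: a BIND 9 named.conf fragment for a Solaris/Unix host. It assumes the public domain is domain.com, the LAN is 10.0.0.0/24, the internal server itself sits at 10.0.0.2, and the ISP resolver addresses are placeholders.

```conf
// /etc/named.conf (added example, BIND 9 syntax)
// Assumptions: LAN 10.0.0.0/24, this server at 10.0.0.2,
// public domain domain.com, ISP resolvers are placeholder addresses.
acl lan { 10.0.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 10.0.0.2; 127.0.0.1; };
    allow-query { lan; };        // answer LAN hosts only, never the internet
    allow-recursion { lan; };    // do not become an open resolver
    forwarders { 192.0.2.53; 192.0.2.54; };  // placeholder ISP resolver IPs
    forward only;                // every other domain goes to the ISP
};

// Authoritative copy of domain.com seen only by LAN hosts. Its records
// carry the RFC 1918 addresses of the servers, so clients are never
// handed the public address that the ASA will not loop back inside.
zone "domain.com" {
    type master;
    file "db.domain.com.internal";   // hypothetical zone file name
    allow-transfer { none; };        // internal addresses stay internal
};
```

The zone file db.domain.com.internal then holds the A records for the servers on their 10.0.0.x addresses (for example `www IN A 10.0.0.10`), and the DHCP pool on the ASA hands out 10.0.0.2 as the clients' DNS server instead of the ISP's resolvers.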

Ahhh ok that makes sense. Thank you.

I was hosting my own at one point but things broke when I used different ports.

I had our domain being resolved OK, but when I went to resolve it at a different port, things broke.

For example going to www.domain.com all was well, but going to www.domain.com:81 or anything other than 80 things broke.

I should take that up on another topic possibly, thank you much for your help.

Bob,

I hope you check this post again. Another NetPro posted this:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008063b1fa.html#wp1042753

This is right up your alley and will solve your problem without all the headache I was suggesting.

Regards
