Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
387
Views
0
Helpful
2
Replies

ASA 5520 DNS Issue for Guest Network

sanjeevmahadani
Level 1
Level 1

‎10-14-2014 12:22 AM - edited ‎03-11-2019 09:55 PM

Hi All,

I have configured ASA 5520 for 3 Networks & one ISP.

1>   Official proxy 172.16.1.0/24

2>   Guest ( SSID) on controller  network Office Area 10.156.250.0/24

3>   GueSt ( SSID) on controller Network Accomodation Area.10.156.249.0/24

From accomodation area gueSt (10.156.249.0) configured on switch through route map and hitting to internal1 Interface on firewall, i am able to access and browse the internet but not from guest office area, although able to ping all external IP's for google/yahoo but not domain name so unable to browse.

Pls. help to resolve. Config is below.

interface GigabitEthernet0/0
 description Connected to Office LAN network
 nameif internal0
 security-level 100
 ip address 172.16.1.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Connected to GUEST network
 nameif internal1
 security-level 1
 ip address 10.156.250.1 255.255.255.0
!
interface GigabitEthernet0/3
 description ISP facing interface
 nameif external0
 security-level 0
 ip address 10.10.155.2 255.255.255.248
!
 

route external0 0.0.0.0 0.0.0.0 10.10.155.1 1

route internal1 10.156.249.0 255.255.255.0 10.156.250.5 1

 

object network obj_to_off
 subnet 172.16.1.0 255.255.255.252
object network obj_to_off
 nat (internal0,external0) dynamic interface

object network obj-2-gueSt
 subnet 10.156.249.0 255.255.255.0
object network obj-2-gueSt
 nat (internal1,external0) dynamic interface

object network obj-2-guest
 subnet 10.156.250.0 255.255.255.0
object network obj-2-guest
 nat (internal1,external0) dynamic interface

 

 

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎10-14-2014 12:54 AM

Hi,

 

So the users connected to the subnet that is directly connected to the "internal1" interface can not do DNS lookups for some reason but their external connectivity is otherwise fine?

 

Have you confirmed that their network settings are correct so that the traffic is forwarded to the ASA? Are the DNS servers configured correct? Where are the DNS servers located at? Have you monitored logs through ASDM while attempting connections from the problematic Guest Office network?

 

- Jouni

0 Helpful

sanjeevmahadani
Level 1
Level 1
In response to Jouni Forss

‎10-14-2014 04:48 AM

 

Yes guest user x.x.25.0 directly connected to internal1 and gueSt x.x.249.0 user connected through internal1 from core switch through router map.

Core SW Config......

access-list 49 permit 10.156.249.0 0.0.0.255

route-map 49 permit 20
 match ip address 49
 set ip next-hop 10.156.250.1

 

Ans it was working fine from last two years, Y day sudden happened that x.x.249.0 users able to access internet but x.x.250.0 user not.

I am connecting my laptop to guest able to ping all external site IP like 4.2.2.2 as well but not able to access not opening any page, and whenever connecting to GueSt SSID browing well.

 

Reg

Sanjeev

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card