I have an ASA5510 as my gateway. Its inside interface IP address is 10.201.4.254. On the ASA5510, I set the name servers provided by my ISP.
All my internal computers use the firewall's internal interface as their gateway.
But if I use 10.201.4.254 as my DNS server, I cannot resolve any website, although I can ping the name server address. If I use the address set as name server on the ASA5510, I can resolve and access any website.
How can I relay my internal computers' DNS requests? Or how do I set up DNS on the ASA5510?
User Access Verification

Password:
Type help or '?' for a list of available commands.
newasa> en
Password: ********
newasa# show run
: Saved
:
ASA Version 8.2(2)
!
hostname newasa
domain-name ×.com.cn
enable password VRIzSJfqn.dBz8oC encrypted
passwd ylb0fjK3sGYJGNdJ encrypted
names
name ×.×.×.18 Out_IP_18
name ×.×.×.22 Out_IP_22
name ×.×.×.19 Outside_interface_19
name ×.×.×.20 Out_IP_20
name 192.168.50.0 new_dhcppool
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.201.4.254 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address ×.×.×.21 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CST 8
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 126.96.36.199
 name-server 188.8.131.52
 domain-name ×.com.cn
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq ssh
 port-object eq telnet
 port-object eq 3389
object-group service group_tcp_60151-8 tcp
 port-object range 60151 60158
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
 protocol-object icmp6
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp6
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 group-object group_tcp_60151-8
 port-object eq www
access-list outside_access_in extended permit tcp any host Out_IP_20 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any host Out_IP_18 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host Out_IP_22 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any ×.×.×.16 255.255.255.248
access-list inside_nat0_outbound extended permit ip new_dhcppool 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool newssl_inside 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
Where is the host from which you are sending the request located with respect to the ASA interfaces? Suppose your host sits behind the inside interface of the ASA and the DNS server is also behind the inside interface: the DNS request will be blocked by the ASA, because it's the default behaviour to not let the traffic go back to the interface which has the same security level as the interface from where the traffic is coming. I'd say put that command in and go ahead and test.