dmz dns query on asa 5540

Hi Expert.

How I can allow dmz zone server to resolve only dns query through nslookup on ASA 5540 ?

What is the configuration required on ASA 5540 ?

Thanks

13 REPLIES
Cisco Employee

dmz dns query on asa 5540

Samir,

So if the host automatically wants to know the name for a server on the outside, you don't want that? You only want the ASA to permit the DNS query if it is being executed through nslookup?

Mike

Mike

dmz dns query on asa 5540

Mike,

Thanks for your reply.

"You only want the ASA to permit the DNS query if it is being executed through nslookup?" YES EXACTLY

dmz dns query on asa 5540

This question is not answered. By mistake I clicked on Correct Answer.

Cisco Employee

dmz dns query on asa 5540

Samir,

I just did a quick packet capture to see if there was any remarkable difference between the query done automatically by the computer and the one executed via nslookup, and they are the same. Nothing changes. Since there is no verifiable way to differentiate one from the other, you may need to find a solution that can be implemented on the host itself.

Mike

Mike
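To see concretely what Mike's capture shows, here is an added example (not code from the thread or from Cisco) that builds a standard DNS query the way a stub resolver or nslookup would put it on the wire, and decodes the fields a firewall can actually match on. The transaction ID, flags, question name, type and class are the whole query; nothing in the datagram records which program on the host generated it. The query name google.com is the one mentioned later in the thread; the transaction IDs are constructed.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive DNS query (one question, RD bit set), RFC 1035 format."""
    # Header: ID, flags (0x0100 = standard query, recursion desired), QD=1, AN=NS=AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Question name: length-prefixed labels terminated by a zero byte
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_query(data):
    """Decode the header and first question of a DNS query into a dict of its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos, labels = 12, []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {
        "id": txid, "flags": flags, "qdcount": qd, "ancount": an,
        "nscount": ns, "arcount": ar,
        "qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
    }

def differing_fields(query_a, query_b):
    """Return the set of field names whose values differ between two parsed queries."""
    a, b = parse_query(query_a), parse_query(query_b)
    return {k for k in a if a[k] != b[k]}

if __name__ == "__main__":
    # Constructed: the same lookup issued twice, e.g. once by the resolver and once by nslookup.
    resolver_q = build_query("google.com", txid=0x1111)
    nslookup_q = build_query("google.com", txid=0x2222)
    print(parse_query(resolver_q))
    print("fields that differ:", differing_fields(resolver_q, nslookup_q))  # only the random ID
```

Only the transaction ID differs between the two datagrams, and that value is random per query, so an ACL or inspection rule has nothing to key on; the decision has to be made on the host, as Mike says.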

dmz dns query on asa 5540

Mike,

I want to know.

How I can allow http request from dmz zone server to specific outside webserver ( for eg 1.1.1.1 )

Can you advise.

New Member

dmz dns query on asa 5540

Have you checked the following doc:

https://supportforums.cisco.com/docs/DOC-17014

HTH

dmz dns query on asa 5540

Unfortunately, this is not the thing I'm looking for.

Cisco Employee

dmz dns query on asa 5540

Hi Samir,

By IP address will be very simple, depending on the security level that it has (higher than 0 for DMZ and 0 for the outside) it will be allowed by default.

If there is an access-list already applied denying all the http traffic, what you need to do is simply allow that specific host on the ACL and then deny the rest.

Access-list DMZ permit tcp host host eq 80

Access-list DMZ deny ip any any

access-group DMZ in interface DMZ

Then you can add a host entry on the hostfile for the server on the DMZ to translate the IP address to a hostname and you will be able to access it using the web browser (not really scalable, but it works)

WARNING: This will only allow traffic from the DMZ server going to specific host on the internet on port 80, any other traffic going to any other interface will be dropped.

Mike

Mike

dmz dns query on asa 5540

Do you I NAT ?

Cisco Employee

dmz dns query on asa 5540

Didn't quite get the last message, can you explain please?

Mike

Mike

dmz dns query on asa 5540

Ok the last thing I want to ask

I have configured the public dns ip on my server interface ( eg 2.2.2.2). I want to make nslookup to google.com but it gives me error request time-out, but if I create this rule on ASA for eg:

nat (DMZ-1) 10 172.16.1.202 255.255.255.255  tcp 0 0 udp 0

it works fine. I know this is not secure to allow everything. How can I successfully perform nslookup without giving all access?

I hope it's clear.

Thanks

Samir

Cisco Employee

dmz dns query on asa 5540

Just permit udp 53 for that host to go out on your ACL while denying the rest of the traffic.

Mike

Mike
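Mike's two answers together describe one ACL: permit TCP 80 from the DMZ server to the one web server, permit UDP 53 from it to its DNS server, and deny everything else. The following is an added example, not code from the thread or from Cisco, that parses such ASA-style access-list lines and evaluates sample flows against them with ASA first-match semantics, so you can check what the policy lets through before applying it. The addresses are the ones used as examples in this thread (DMZ server 172.16.1.202, web server 1.1.1.1, DNS server 2.2.2.2); the ACL text and the test flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy in ASA "extended" ACL syntax, using the addresses from the thread.
DMZ_ACL = """
access-list DMZ extended permit tcp host 172.16.1.202 host 1.1.1.1 eq 80
access-list DMZ extended permit udp host 172.16.1.202 host 2.2.2.2 eq 53
access-list DMZ extended deny ip any any
"""

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: object            # ip_network
    dst: object            # ip_network
    dport: Optional[int]   # destination port from "eq PORT", None = any port

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text, name):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 2 or t[0] != "access-list" or t[1] != name:
            continue
        i = 3 if t[2] == "extended" else 2
        action, proto = t[i], t[i + 1]
        src, i = _parse_addr(t, i + 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport):
    """Return the action of the first matching entry; an ASA ACL ends in an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ASA access-list

def check_flows(aces, flows):
    """Evaluate a list of (proto, src, dst, dport) flows; returns (flow, action) pairs."""
    return [(f, evaluate(aces, *f)) for f in flows]

if __name__ == "__main__":
    acl = parse_acl(DMZ_ACL, "DMZ")
    # Constructed sample flows from the DMZ server.
    flows = [
        ("tcp", "172.16.1.202", "1.1.1.1", 80),   # web request to the allowed server
        ("udp", "172.16.1.202", "2.2.2.2", 53),   # DNS query (resolver or nslookup)
        ("tcp", "172.16.1.202", "2.2.2.2", 53),   # DNS over TCP (large responses)
        ("tcp", "172.16.1.202", "1.1.1.1", 443),  # HTTPS to the same server
        ("udp", "172.16.1.202", "8.8.8.8", 53),   # query to an unlisted resolver
    ]
    for flow, action in check_flows(acl, flows):
        print(f"{action:6}  {flow}")
```

Two things the evaluation makes visible: the UDP 53 line lets through every query from that host, whichever program issued it, which is the limit Mike described earlier; and DNS over TCP 53 is dropped, so lookups whose answers exceed the UDP size limit will time out unless TCP 53 to the resolver is also permitted. Because the ACL is applied inbound on the DMZ interface, the final deny also blocks the DMZ server from reaching the inside network, as Mike's warning notes.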

dmz dns query on asa 5540

please can you provide me the command line..
