Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DNS issue on cisco ASA

Good day all,

      I have two two DNS addresses of 10.50.10.21 amd 10.50.10.22.

     Domain name IT.corp

      My firewall ASA is issuing out the DHCP address to the client computers

      I have a network shared on IT-SVR4\finance.

       10.50.10.21 is for IT-SVR1

       10.50.10.22 is for IT-SVR2

       10.50.10.23 is for IT-SVR3

       10.50.10.24 is for IT-SVR4

      At this stage, my cisco ASA has not configured according to the above DNS settings. I will use a laptop to do a pre-test first.

     At first i configure my laptop to a static ip address and inside the "Local area connection" > "Internet Protocal version 4 (TCP/IPv4) of my laptop, i choose the option "Use the following DNS server addresses". I input 10.50.10.21 for the "preferred DNS server" and 10.50.10.22 for the "Alternate DNS server". After this,  i click on the "Advanced..." button. Select the DNS tab and input my domain name IT.corp inside the "DNS suffix for this connection". When i open a file browser and input IT-SVR4\finance, i am able to open the content inside the finance.

     After this, i configure my cisco ASA to the information given above. I also configure my laptop to "obtain IP address automatically" and "Obtain DNS server address automatically". When this have done, i use my laptop and input IT-SVR4\finance. This time, i could not open the content inside the finance. But when i input 10.50.10.24/finance, i could open the content inside the finance. Below is my cisco ASA configuration file.

ASA Version 8.2(5)
!
hostname ciscoasa
domain-name arsari.corp
enable password 60vz.3.zl8EUG8bL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.5.0 RemoteSite
name 10.50.10.0 MegaPop_Remote1
name 172.13.16.1 MegapopRouter
name 50.61.33.33 RouterIP description Internet
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 50.61.33.90 255.255.255.248
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 10.50.12.1 255.255.254.0
!
interface Ethernet0/2             
nameif DMZ
security-level 50
ip address 172.13.16.2 255.255.255.252
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup LAN
dns server-group DefaultDNS
domain-name arsari.corp
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object icmp

             
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp traceroute
service-object icmp unreachable
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list LAN_access_in extended permit ip any interface DMZ
access-list DMZ_access_in extended permit ip any any
access-list WAN_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list LAN_nat0_outbound extended permit ip any MegaPop_Remote1 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
no asdm history enable

             
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 RouterIP 1
route DMZ MegaPop_Remote1 255.255.254.0 MegapopRouter 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.4.0 255.255.255.0 LAN
http 192.168.10.0 255.255.255.0 management
http 10.50.12.0 255.255.254.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

             
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
   

  quit
telnet 10.50.12.0 255.255.254.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd option 150 ip 10.50.10.10
!
dhcpd address 10.50.13.1-10.50.13.250 LAN
dhcpd dns 10.50.10.21 10.50.10.22 interface LAN
dhcpd option 150 ip 10.50.10.10 interface LAN
dhcpd option 66 ip 10.50.10.10 interface LAN
dhcpd option 3 ip 10.50.12.1 interface LAN
dhcpd enable LAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

             
username admin password V1y2uSAZzdFa9VMg encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
<--- More --->
             
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:5ebf322c4b263bd755ac07c023ba7497
: end

     Is any there additional configuration i need to do in order that i could also use IT-SVR04\finance to open up the content inside the finance?

     Hope to hear from anyone of you soon.

Thank and Regards,

Raymond

1 REPLY
VIP Purple

Re: DNS issue on cisco ASA

I don't see any problem in your config for this issue. Can you connect if you use "IT-SVR4.IT.corp\finance"? And configure your DHCP to also issue a domain name:

asa{config)# dhcpd domain IT.corp interface LAN

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
161
Views
0
Helpful
1
Replies
CreatePlease login to create content