Cisco Support Community
New Member

DNS issue on cisco ASA

Good day all,

      I have two DNS addresses of and

     Domain name IT.corp

      My firewall ASA is issuing out the DHCP address to the client computers

      I have a network shared on IT-SVR4\finance. is for IT-SVR1 is for IT-SVR2 is for IT-SVR3 is for IT-SVR4

      At this stage, my Cisco ASA has not been configured according to the above DNS settings. I will use a laptop to do a pre-test first.

     At first I configure my laptop to a static IP address and inside the "Local area connection" > "Internet Protocol version 4 (TCP/IPv4)" of my laptop, I choose the option "Use the following DNS server addresses". I input for the "preferred DNS server" and for the "Alternate DNS server". After this, I click on the "Advanced..." button. Select the DNS tab and input my domain name IT.corp inside the "DNS suffix for this connection". When I open a file browser and input IT-SVR4\finance, I am able to open the content inside the finance.

     After this, I configure my Cisco ASA to the information given above. I also configure my laptop to "Obtain IP address automatically" and "Obtain DNS server address automatically". When this was done, I use my laptop and input IT-SVR4\finance. This time, I could not open the content inside the finance. But when I input, I could open the content inside the finance. Below is my Cisco ASA configuration file.

ASA Version 8.2(5)
hostname ciscoasa
domain-name arsari.corp
enable password 60vz.3.zl8EUG8bL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
name RemoteSite
name MegaPop_Remote1
name MegapopRouter
name RouterIP description Internet
interface Ethernet0/0
nameif WAN
security-level 0
ip address
interface Ethernet0/1
nameif LAN
security-level 100
ip address
interface Ethernet0/2             
nameif DMZ
security-level 50
ip address
interface Ethernet0/3
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address
ftp mode passive
dns domain-lookup LAN
dns server-group DefaultDNS
domain-name arsari.corp
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object icmp

service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp traceroute
service-object icmp unreachable
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list LAN_access_in extended permit ip any interface DMZ
access-list DMZ_access_in extended permit ip any any
access-list WAN_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list LAN_nat0_outbound extended permit ip any MegaPop_Remote1
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
no asdm history enable

arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
access-group DMZ_access_in in interface DMZ
route WAN RouterIP 1
route DMZ MegaPop_Remote1 MegapopRouter 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http LAN
http management
http LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

telnet LAN
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd option 150 ip
dhcpd address LAN
dhcpd dns interface LAN
dhcpd option 150 ip interface LAN
dhcpd option 66 ip interface LAN
dhcpd option 3 ip interface LAN
dhcpd enable LAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

username admin password V1y2uSAZzdFa9VMg encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
: end

     Is there any additional configuration I need to do in order that I could also use IT-SVR04\finance to open up the content inside the finance?

     Hope to hear from anyone of you soon.

Thanks and Regards,


VIP Purple

Re: DNS issue on cisco ASA

I don't see any problem in your config for this issue. Can you connect if you use "IT-SVR4.IT.corp\finance"? And configure your DHCP to also issue a domain name:

asa(config)# dhcpd domain IT.corp interface LAN

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
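
Added example, not part of the original thread or of Cisco's documentation: a small parser for the DHCP option field that shows what changes in the lease once the ASA also hands out a domain name (option 15) next to the DNS servers (option 6), and why the short name IT-SVR4 only becomes resolvable as IT-SVR4.IT.corp after that. The option bytes are constructed, the 192.0.2.x DNS addresses are documentation placeholders (the poster's addresses are not on the page), and the function names are hypothetical.

```python
import ipaddress

OPT_PAD, OPT_DNS, OPT_DOMAIN, OPT_END = 0, 6, 15, 255  # RFC 2132 option codes

def tlv(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value

def parse_options(raw: bytes) -> dict:
    """Walk the DHCP option field (the bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == OPT_PAD:          # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # repeated options are concatenated
        i += 2 + length
    return opts

def lease_summary(raw: bytes) -> dict:
    """Return the DNS servers (option 6) and domain name (option 15) in a lease."""
    opts = parse_options(raw)
    dns = opts.get(OPT_DNS, b"")
    if len(dns) % 4:
        raise ValueError("option 6 must hold whole IPv4 addresses")
    servers = [str(ipaddress.IPv4Address(dns[j:j + 4])) for j in range(0, len(dns), 4)]
    domain = opts.get(OPT_DOMAIN, b"").rstrip(b"\x00").decode("ascii") or None
    return {"dns": servers, "domain": domain}

def qualify(short_name: str, domain):
    """FQDN the client can build from a single-label name, or None without a suffix."""
    if "." in short_name:
        return short_name
    return f"{short_name}.{domain}" if domain else None

# Constructed sample leases; 192.0.2.x are documentation addresses, not the poster's.
DNS = ipaddress.IPv4Address("192.0.2.10").packed + ipaddress.IPv4Address("192.0.2.11").packed
LEASE_BEFORE = tlv(OPT_DNS, DNS) + bytes([OPT_END])          # only "dhcpd dns" configured
LEASE_AFTER = tlv(OPT_DNS, DNS) + tlv(OPT_DOMAIN, b"IT.corp") + bytes([OPT_END])

if __name__ == "__main__":
    for label, lease in (("before", LEASE_BEFORE), ("after", LEASE_AFTER)):
        info = lease_summary(lease)
        print(label, info, "->", qualify("IT-SVR4", info["domain"]))
```

On a Windows client the same check is `ipconfig /all` after renewing the lease: the "Connection-specific DNS Suffix" line should show IT.corp.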
