Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
374
Views
5
Helpful
2
Replies

DNS not working whenever crypto map is applied to interface

Go to solution
Rudy Sanjoko
Level 4
Level 4

‎03-13-2014 05:31 AM - edited ‎03-11-2019 08:56 PM

Hi guys,

 

I don't understand why the ASA is not able to resolve names whenever I apply following command:

crypto map [map_name] interface outside

Without above command the ASA will be able to resolve names immediately without issue.

 

Without command above, I can see packets leaving on outside interface when I ping google.com. But once above command is applied, I don't see the packet leaving any interfaces. I know this because I have configured packet capture on outside/inside/mgmt interfaces and also by using logging/monitoring feature on ASDM.

 

Can someone help or explain why the ASA behaves like this? Any thoughts/enlighten are appreciated.

 

Best regards,

1 person had this problem
Labels:
Preview file
6 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-13-2014 04:57 PM

Rudy

Do you mean when you apply the crypto map MAP to the outside interface ?

If so your crypto acl is -

access-list VPN-TRAFFIC extended permit esp any any
access-list VPN-TRAFFIC extended permit udp any any
access-list VPN-TRAFFIC extended permit ip object LOCAL_NET object REMOTE_NET

note the second line which says send any udp packets from any source IP down the VPN tunnel.

DNS uses UDP to make queries so they are being sent down the VPN tunnel rather than going out of the outside interface to the internet.

You need to modify the above acl.

Jon

View solution in original post

2 Replies 2

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-13-2014 04:57 PM

Rudy

Do you mean when you apply the crypto map MAP to the outside interface ?

If so your crypto acl is -

access-list VPN-TRAFFIC extended permit esp any any
access-list VPN-TRAFFIC extended permit udp any any
access-list VPN-TRAFFIC extended permit ip object LOCAL_NET object REMOTE_NET

note the second line which says send any udp packets from any source IP down the VPN tunnel.

DNS uses UDP to make queries so they are being sent down the VPN tunnel rather than going out of the outside interface to the internet.

You need to modify the above acl.

Jon

Go to solution
Rudy Sanjoko
Level 4
Level 4
In response to Jon Marshall

‎03-14-2014 02:00 AM

Hi Jon, that does it! What you say totally makes sense and not sure why I haven't realized it sooner despite I have been checking the ACL hundred of times.

 

Thanks a lot for your help, I appreciate it!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card