DNS not working whenever crypto map is applied to interface

Hi guys,

I don't understand why the ASA is not able to resolve names whenever I apply the following command:

crypto map [map_name] interface outside

Without the above command the ASA will be able to resolve names immediately without issue.

Without the command above, I can see packets leaving on the outside interface when I ping google.com. But once the above command is applied, I don't see the packet leaving any interface. I know this because I have configured packet captures on the outside/inside/mgmt interfaces and also by using the logging/monitoring feature in ASDM.

Can someone help or explain why the ASA behaves like this? Any thoughts/enlightenment are appreciated.


Best regards,

1 ACCEPTED SOLUTION


Hall of Fame Super Blue

Rudy

Do you mean when you apply the crypto map MAP to the outside interface ?

If so, your crypto ACL is:

access-list VPN-TRAFFIC extended permit esp any any
access-list VPN-TRAFFIC extended permit udp any any
access-list VPN-TRAFFIC extended permit ip object LOCAL_NET object REMOTE_NET

Note the second line, which says to send any UDP packets from any source IP down the VPN tunnel.

DNS uses UDP to make queries, so they are being sent down the VPN tunnel rather than going out of the outside interface to the internet.

You need to modify the above ACL.

Jon
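To make concrete why the second line catches DNS, here is an added Python example (not code from this thread or from Cisco) that parses the posted crypto ACL and reports which entry, if any, a given flow hits, mirroring the first-match evaluation the ASA uses to decide whether a packet is interesting traffic for the tunnel. The LOCAL_NET and REMOTE_NET prefixes, the ASA outside address 203.0.113.10 and the resolver 8.8.8.8 are constructed sample values, and the corrected ACL that keeps only the LOCAL_NET-to-REMOTE_NET entry is my assumption of the intended fix; the answer above only says the ACL must be modified.

```python
import ipaddress
from dataclasses import dataclass

# Object definitions referenced by the ACL. Constructed sample prefixes:
# the thread never shows the real LOCAL_NET / REMOTE_NET contents.
OBJECTS = {
    "LOCAL_NET": ipaddress.ip_network("10.1.0.0/24"),
    "REMOTE_NET": ipaddress.ip_network("10.2.0.0/24"),
}

# The crypto ACL exactly as posted in the thread.
POSTED_ACL = """
access-list VPN-TRAFFIC extended permit esp any any
access-list VPN-TRAFFIC extended permit udp any any
access-list VPN-TRAFFIC extended permit ip object LOCAL_NET object REMOTE_NET
"""

# Assumed fix: a crypto ACL should name only the traffic that belongs in the
# tunnel, so the two catch-all lines are dropped.
FIXED_ACL = """
access-list VPN-TRAFFIC extended permit ip object LOCAL_NET object REMOTE_NET
"""


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "udp", "tcp", "esp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str            # original line, kept for reporting


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "object":
        return OBJECTS[tokens[i + 1]], i + 2
    # "network mask" form, e.g. 10.1.0.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST' lines.
    Port qualifiers are not handled; the posted ACL has none."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        action, proto = tokens[3], tokens[4]
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, proto, src, dst, line.strip()))
    return aces


def first_match(aces, proto, src_ip, dst_ip):
    """Return the first ACE the flow hits (ASA ACLs are first-match), else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace
    return None


def goes_into_tunnel(acl_text, proto, src_ip, dst_ip):
    """True when the crypto ACL classifies the flow as interesting (tunnel) traffic."""
    ace = first_match(parse_acl(acl_text), proto, src_ip, dst_ip)
    return ace is not None and ace.action == "permit"


if __name__ == "__main__":
    # Constructed flow: a DNS query (UDP) from the ASA's outside address to a public resolver.
    flow = ("udp", "203.0.113.10", "8.8.8.8")
    for label, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        ace = first_match(parse_acl(acl), *flow)
        where = "tunnel" if goes_into_tunnel(acl, *flow) else "internet"
        print(f"{label}: DNS query -> {where}" + (f"  (matched: {ace.text})" if ace else ""))
```

Running it shows the DNS query hitting `permit udp any any` under the posted ACL and falling through to the implicit deny (so out to the internet as normal) under the corrected one, while LOCAL_NET-to-REMOTE_NET traffic still matches in both. The same check is worth keeping around when reviewing any crypto ACL: an `any any` entry for a whole protocol quietly pulls the firewall's own management traffic into the tunnel.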

2 REPLIES
Hi Jon, that does it! What you say totally makes sense, and I'm not sure why I haven't realized it sooner despite having checked the ACL hundreds of times.


Thanks a lot for your help, I appreciate it!
