
Dns Resolution to external dns server from dmz

Hi,

I am struggling with dns resolution from a machine located in the DMZ. The Inside machines are ok but I want only 1 machine in the DMZ to be able to access the Internet. I have configured the following and I can use the IP address in the browser and pull up a page ok, but not using nslookup on the PC or via the browser. The PC has an external dns server configured 195.14.130.170. I configured the following but just can't get dns queries to work. One extra complication is that there is a vpn configured and this same host is accessed via the vpn (this bit works ok). Have I configured this ok to allow the vpn to configure working and allow this host internet access?

! policy NAT for the DMZ: only traffic matching the access-list is translated
nat (dmz) 1 access-list dmz_nat_outbound

! service group holding the destination ports; tcp-udp only defines the ports,
! the protocol is still set by the access-list entry that references the group
object-group service webservices tcp-udp
port-object eq www
port-object eq 443
port-object eq domain

! single host needs the "host" keyword; note this entry only matches TCP
access-list dmz_nat_outbound extended permit tcp host 192.168.20.10 any object-group webservices

1 ACCEPTED SOLUTION

Re: Dns Resolution to external dns server from dmz

Can you run a packet tracer?

! source interface is the DMZ, where 192.168.20.10 lives
packet-tracer input dmz udp 192.168.20.10 53 195.14.130.170 53 detailed

Also you could try this:

Add another line to the access-list:

access-list dmz_nat_outbound extended permit udp host 192.168.20.10 any eq domain

2 REPLIES

Re: Dns Resolution to external dns server from dmz

Hi Rahgovin,

Thanks for responding. I noticed that I had specified TCP in the access list even though I had added domain to the port object group.

Thanks for your Help.
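As an added example (not code from this thread or from Cisco), here is a small Python evaluator that models ASA first-match access-list semantics for the entries discussed above: it shows that the original TCP-only entry never matches the DMZ host's UDP/53 query even though the tcp-udp object group lists "domain", while the UDP line suggested in the accepted answer does. The ACE text, object-group contents and addresses are taken from the posts; the evaluator and its simplified grammar are assumptions of this example.

```python
# Added example, not from the thread: a tiny first-match evaluator for the ASA-style
# ACEs above. It shows why the TCP-only entry never matches the DMZ host's UDP/53
# query (the tcp-udp object group only supplies ports; the ACE protocol still rules).
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "https": 443, "domain": 53}   # ASA port keywords used here
Ace = namedtuple("Ace", "proto src dst dports")       # dports empty = any port

def parse_ace(line, groups):
    """Parse 'access-list NAME extended permit PROTO SRC DST [eq PORT | object-group G]'
    where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (the subset on this page)."""
    t = line.split()
    assert t[:1] == ["access-list"] and t[2:4] == ["extended", "permit"], line
    proto, i = t[4], 5
    def addr():
        nonlocal i
        tok = t[i]
        if tok == "any":
            i += 1
            return ip_network("0.0.0.0/0")
        i += 2
        net = t[i - 1] + "/32" if tok == "host" else f"{t[i - 2]}/{t[i - 1]}"
        return ip_network(net, strict=False)
    src, dst = addr(), addr()
    dports = frozenset()
    if i < len(t) and t[i] == "eq":
        dports = frozenset({PORT_NAMES.get(t[i + 1]) or int(t[i + 1])})
    elif i < len(t) and t[i] == "object-group":
        dports = frozenset(groups[t[i + 1]])
    return Ace(proto, src, dst, dports)

def permits(acl, proto, src, dst, dport):
    """First matching ACE wins; the ACE protocol must match the packet's protocol."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and (not ace.dports or dport in ace.dports)):
            return True
    return False  # implicit deny at the end of every ACL

# object-group service webservices tcp-udp -> www, 443, domain (constructed from the post)
GROUPS = {"webservices": {80, 443, 53}}
ORIGINAL = [parse_ace("access-list dmz_nat_outbound extended permit tcp "
                      "host 192.168.20.10 any object-group webservices", GROUPS)]
FIXED = ORIGINAL + [parse_ace("access-list dmz_nat_outbound extended permit udp "
                              "host 192.168.20.10 any eq domain", GROUPS)]

def dns_allowed(acl):
    # The DMZ host's UDP/53 query to the external resolver named in the question
    return permits(acl, "udp", "192.168.20.10", "195.14.130.170", 53)
```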
