Could you let me know more about your topology and configuration?
Where is the DNS server and the server (URL which you are trying to resolve) located w.r.t the ASA?
For DNS rewrite to work properly, you must have your DNS server located across the firewall, i.e., the DNS request from a machine should cross the firewall and go to another interface and then come back via the same path. This means that DNS inspection won't work if you have both the resolving client and the DNS server in the same network segment. Of course, this is in addition to DNS inspection being configured on the firewall.
As an example, let's consider the following:
Client tries to resolve a URL for a server on the inside network of the ASA.
The DNS query then goes through the ASA and reaches the DNS server. The public DNS server on the internet responds with the public IP address of the internal server (this server is local for the client).
The DNS response packet has the public IP address of the server in its payload. The ASA intercepts this response packet to rewrite the IP in the response packet to the private IP address of the server.
The question is, how does the ASA understand what the private IP address of the server is?
Well, this it understands based on the static NAT configured for the internal server. Hence, it is also required that the NAT be enabled with the DNS keyword for rewrite to work.
Please check if your scenario satisfies all these requirements.
Imagine you are the firewall and you see a DNS reply from a public DNS server. You open the DNS packet and you find one public IP that you must rewrite. You look at the static NAT statements and you find that this public IP is NATted to different private IPs depending on TCP ports. So you can't know which one is the good one, and you will not translate.
However, if the NAT does not depend on the TCP port, DNS rewrite is done :)
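The rewrite decision described in the two replies above, as a small Python model added here for illustration (it is not part of either reply and is not Cisco's implementation). The NAT table, the addresses (documentation ranges) and all function names are assumptions made for the example.

```python
import ipaddress
import struct

# Constructed static NAT table. port=None models one-to-one static NAT with the
# DNS keyword; a port number models a port-based (static PAT) entry.
NAT_RULES = [
    {"public": "203.0.113.10", "private": "192.168.1.10", "port": None, "dns": True},
    {"public": "203.0.113.20", "private": "192.168.1.20", "port": 80, "dns": False},
    {"public": "203.0.113.20", "private": "192.168.1.21", "port": 25, "dns": False},
]

def rewrite_target(public_ip, rules=NAT_RULES):
    """Return the private IP to substitute, or None when the mapping is ambiguous."""
    matches = [r for r in rules if r["public"] == public_ip]
    if len(matches) == 1 and matches[0]["port"] is None and matches[0]["dns"]:
        return matches[0]["private"]
    return None  # no rule, no DNS keyword, or several port-based candidates

def skip_name(msg, off):
    """Advance past a DNS name: a run of labels or a 2-byte compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def doctor(msg, rules=NAT_RULES):
    """Rewrite IPv4 A-record payloads in a DNS response using the NAT table."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12  # fixed DNS header length
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            new = rewrite_target(str(ipaddress.IPv4Address(msg[off:off + 4])), rules)
            if new:
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
        off += rdlen
    return bytes(out)

def build_response(name, ip):
    """Constructed sample: minimal DNS response carrying one A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + qname + struct.pack("!HH", 1, 1) + rr
```

The response for the one-to-one entry comes back with the private address in the A record, while the response for the address shared by two port-based entries passes through unchanged.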