DNS through DMZ not working

qbakies11
Level 1

I have a DMZ on my ASA 5510 that is working for everything except internal DNS. If I try to ping an internal IP of 192.168.200.10 it responds but if I try to ping that IP by name it won't resolve.

This is the DMZ related part of the config:

static (Inside,DMZ1) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (Inside,DMZ1) 192.168.16.0 192.168.16.0 netmask 255.255.248.0
static (Inside,DMZ1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0

access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.15 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.45 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.61 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.51 eq 54321
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.100.7 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.3 eq www
access-list dmz1 extended permit icmp any any echo
access-list dmz1 extended permit icmp any any echo-reply
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1 extended permit ip any any

I believe that I'm allowing DNS through the 'eq domain' statements above, but the only way I have had to get it working is to create a host file on the DMZ server. Any thoughts?
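To see what the posted dmz1 ACL actually does to a DNS query from the DMZ web server, here is an added example (not from the original post or from Cisco) that parses those exact access-list lines and evaluates a flow against them with the ASA's first-match semantics. The SERVICE_PORTS table and the evaluate() function are my own simplified model of ASA behaviour, covering only the ACE forms that appear in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The dmz1 ACL exactly as posted in the question. The ASA evaluates an
# access-list top-down and stops at the first entry that matches; anything
# matching no entry is dropped by the implicit deny at the end.
ACL_TEXT = """\
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.15 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.45 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.61 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.51 eq 54321
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.100.7 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.3 eq www
access-list dmz1 extended permit icmp any any echo
access-list dmz1 extended permit icmp any any echo-reply
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1 extended permit ip any any
"""

# Hypothetical subset of the ASA service-name table: only the keywords used above.
SERVICE_PORTS = {"domain": 53, "www": 80}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port
    icmp_type: Optional[str] = None  # None means any ICMP type


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes a dotted netmask, which ipaddress accepts after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT | ICMPTYPE]' line."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    rest = t[i:]
    dport = icmp_type = None
    if proto in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
        dport = SERVICE_PORTS.get(rest[1]) or int(rest[1])
    elif proto == "icmp" and rest:
        icmp_type = rest[0]
    return Ace(action, proto, src, dst, dport, icmp_type)


def load_acl(text=ACL_TEXT):
    return [parse_ace(ln) for ln in text.splitlines() if ln.strip()]


def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    """Return (action, index of the matching ACE); ("deny", None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, idx
    return "deny", None


if __name__ == "__main__":
    acl = load_acl()
    # The flow the question is about: the DMZ web server querying the inside DNS server
    print(evaluate(acl, "udp", "192.168.0.25", "192.168.200.21", dport=53))
    # A query to an inside host that is not one of the two listed DNS servers
    print(evaluate(acl, "udp", "192.168.0.25", "192.168.200.10", dport=53))
```

Running it shows that UDP and TCP port 53 from 192.168.0.25 to 192.168.200.21 hit the permit entries, so the ACL is not what blocks name resolution; a DNS query to any other inside host lands on the later deny lines. It also shows that a source outside 192.168.0.0/24 falls through to the final permit ip any any, so only that one DMZ subnet is actually restricted by this ACL.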


16 Replies

ROBERT DERY
Level 1

Define which subnet you want to come in, in the ACL; right now all you have is 192.168.0.x 255.255.255.0 allowed for DNS.

Hope it helps

access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain

I do not understand what you are trying to say.

Doesn't my statement allow anything in the 192.168.0.0/24 subnet to pass DNS to 192.168.200.21?

Right now you are only allowing the following subnets:

static (Inside,DMZ1) 192.168.16.0 192.168.16.0 netmask 255.255.248.0
static (Inside,DMZ1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0

No 192.168.0.0 is defined. Or you can change the mask in the ACL, e.g.:

access-list dmz1 extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.0.0 host 192.168.200.21 eq domain

Note: the mask changed.

I tried both of the above suggestions and neither of them worked.

Sorry, didn't read the full question as you are trying to get there via name. Do a packet trace in the gui and it will tell you exactly where it fails.

I did a packet trace through the ASDM and got the following:

Result - The packet is dropped.

Info: (inspect-dns-invalid-pak) DNS Inspect invalid packet

Does this mean I need to do something to the inspection list?

Can you post the packet-tracer output?

packet-tracer input DMZ1 udp 192.168.0.5 1025 192.168.200.21 53 detailed

also "show run all policy-map"

Regards

Farrukh

Below is the output from those commands. I changed the 192.168.0.5 to 192.168.0.25 because it is actually the IP of my webserver in the DMZ.

EDIT: I had to attach the results in the following message. Please see below for the attachment. Thank you.

I had to attach the results because they were too large. They are attached here.

This output you are seeing seems normal (because we are sending a NON-DNS packet on the DNS port); try to add the following lines in your config:

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1024
  no message-length maximum server
  no message-length maximum client
  no dns-guard
  no protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced

Or even

policy-map global_policy
 class inspection_default
  no inspect dns migrated_dns_map_1

Regards

Farrukh
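The reply above explains the drop: packet-tracer synthesises a bare UDP datagram to port 53, and DNS inspection rejects anything on that port that is not a parseable DNS message. The following added example (my own code, not from the thread or from Cisco) builds the kind of query a resolver such as nslookup would send, and runs a simplified, hypothetical model of the inspection check against it and against a payload with no DNS header. The 512-byte default in inspect_dns() matches the message-length limit mentioned later in the thread; the exact checks the ASA engine performs are not reproduced here.

```python
import random
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (12-byte header + one question), as a stub resolver sends."""
    txid = random.getrandbits(16) if txid is None else txid
    # flags 0x0100: QR=0 (query), opcode 0, RD=1; one question, no other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1-63 bytes")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"                       # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN


def _read_name(data, off):
    """Read an uncompressed domain name at data[off:]; return (name, next offset)."""
    labels, total = [], 0
    while True:
        if off >= len(data):
            raise ValueError("truncated name")
        ln = data[off]
        off += 1
        if ln == 0:
            break
        if ln > 63:                        # also catches 0xC0 compression pointers
            raise ValueError("bad label length")
        if off + ln > len(data):
            raise ValueError("truncated name")
        labels.append(data[off:off + ln].decode("ascii", "replace"))
        off += ln
        total += ln + 1
        if total > 255:
            raise ValueError("name too long")
    return ".".join(labels), off


def inspect_dns(payload, max_len=512):
    """Hypothetical model of a DNS inspection pass: (True, 'ok') or (False, reason)."""
    if len(payload) < 12:
        return False, "shorter than 12-byte header"
    if len(payload) > max_len:
        return False, f"exceeds message-length maximum {max_len}"
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount == 0:
        return False, "no question"
    off = 12
    try:
        for _ in range(qdcount):
            _, off = _read_name(payload, off)
            if off + 4 > len(payload):
                raise ValueError("truncated question")
            off += 4                       # QTYPE + QCLASS
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def parse_query(payload):
    """Return (txid, qname, qtype) of the first question in a well-formed query."""
    ok, reason = inspect_dns(payload, max_len=65535)
    if not ok:
        raise ValueError(reason)
    txid = struct.unpack("!H", payload[:2])[0]
    name, off = _read_name(payload, 12)
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    return txid, name, qtype


if __name__ == "__main__":
    # Constructed sample name; what nslookup would put on the wire for an A lookup
    q = build_query("server.example.test", txid=0x1234)
    print(inspect_dns(q))                              # (True, 'ok')
    # A datagram on port 53 that carries no DNS message at all
    print(inspect_dns(b"GET / HTTP/1.0\r\n\r\n"))      # (False, ...)
```

The point for troubleshooting is the one Farrukh makes: a drop reported against a synthesised packet-tracer datagram tells you nothing about whether a real query is inspected cleanly, so the test that counts is a genuine lookup from the DMZ host.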

I tried to adjust the inspect dns parameters and that didn't work so I completely removed the inspect dns entry and that did not work either. I still get the same 'DNS Inspect invalid packet'.

No please stop using the packet-tracer.

Now use that DMZ machine to do an actual nslookup

Regards.

Farrukh

That worked. Thank you.

Ok great. If you like you can put the DNS map back, and try which of those commands was actually causing the problem by enabling one at a time and then checking: the 512 limit, the protocol enforcement or dns-guard. Just make sure you do clear local-host after every change.

Regards

Farrukh
