DNS through DMZ not working

I have a DMZ on my ASA 5510 that is working for everything except internal DNS. If I try to ping an internal IP of 192.168.200.10 it responds but if I try to ping that IP by name it won't resolve.

This is the DMZ related part of the config:

static (Inside,DMZ1) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (Inside,DMZ1) 192.168.16.0 192.168.16.0 netmask 255.255.248.0
static (Inside,DMZ1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0

access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.15 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.45 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.61 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.51 eq 54321
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.100.7 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.3 eq www
access-list dmz1 extended permit icmp any any echo
access-list dmz1 extended permit icmp any any echo-reply
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1 extended permit ip any any

I believe that I'm allowing DNS through the 'eq domain' statements above, but the only way I have had it working is to create a hosts file on the DMZ server. Any thoughts?

16 REPLIES
Community Member

Re: DNS through DMZ not working

Define which subnet you want to come in, in the ACL, as right now all you have is 192.168.0.x 255.255.255.0 allowed for DNS.

Hope it helps

access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain

Community Member

Re: DNS through DMZ not working

I do not understand what you are trying to say.

Doesn't my statement allow anything in the 192.168.0.0/24 subnet to pass DNS to 192.168.200.21?

Community Member

Re: DNS through DMZ not working

Right now you are only allowing the following subnets:

static (Inside,DMZ1) 192.168.16.0 192.168.16.0 netmask 255.255.248.0
static (Inside,DMZ1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0

No 192.168.0.0 is defined. Or you can change the mask in the ACL to say, for example:

access-list dmz1 extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.0.0 host 192.168.200.21 eq domain

Note: the mask changed.

Community Member

Re: DNS through DMZ not working

I tried both of the above suggestions and neither of them worked.

Community Member

Re: DNS through DMZ not working

Sorry, I didn't read the full question; you are trying to get there via name. Do a packet trace in the GUI and it will tell you exactly where it fails.

Community Member

Re: DNS through DMZ not working

I did a packet trace through the ASDM and got the following:

Result - The packet is dropped.

Info: (inspect-dns-invalid-pak) DNS Inspect invalid packet

Does this mean I need to do something to the inspection list?

Re: DNS through DMZ not working

Can you post the packet-tracer output?

packet-tracer input DMZ1 udp 192.168.0.5 1025 192.168.200.21 53 detailed

also "show run all policy-map"

Regards

Farrukh

Community Member

Re: DNS through DMZ not working

Below is the output from those commands. I changed the 192.168.0.5 to 192.168.0.25 because it is actually the IP of my webserver in the DMZ.

EDIT: I had to attach the results in the following message. Please see below for the attachment. Thank you.

Community Member

Re: DNS through DMZ not working

I had to attach the results because they were too large. They are attached here.

Re: DNS through DMZ not working

The output you are seeing seems normal (because we are sending a NON-DNS packet on the DNS port). Try to add the following lines in your config:

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1024
  no message-length maximum server
  no message-length maximum client
  no dns-guard
  no protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced

Or even:

policy-map global_policy
 class inspection_default
  no inspect dns migrated_dns_map_1

Regards

Farrukh

Community Member

Re: DNS through DMZ not working

I tried to adjust the inspect dns parameters and that didn't work, so I completely removed the inspect dns entry and that did not work either. I still get the same 'DNS Inspect invalid packet'.

Re: DNS through DMZ not working

No, please stop using the packet-tracer.

Now use that DMZ machine to do an actual nslookup.

Regards.

Farrukh

Community Member

Re: DNS through DMZ not working

That worked. Thank you.

Re: DNS through DMZ not working

OK, great. If you like you can put the DNS map back, and find out which of those commands was actually causing the problem by enabling one at a time and then checking: the 512 limit, the protocol enforcement or dns-guard. Just make sure you do a clear local-host after every change.

Regards

Farrukh

Community Member

Re: DNS through DMZ not working

This issue was giving me a hard time too. I tried your fix and it worked great. Thanks Farrukh! Your posts are always helpful.

And.... what's up with the packet tracer? Sometimes it's helpful and other times it's very misleading.

Re: DNS through DMZ not working

The packet-tracer was just used to make sure the firewall function is OK. It does not really generate a 'valid DNS packet', so it may not be a proper test. That's why I asked to stop using the packet tracer and test using a real DNS packet.

Anyway I'm glad I could help :)

Regards

Farrukh
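To make the point above concrete, here is an added illustration (not code from the ASA or from anyone in this thread) of why an engine that inspects DNS rejects what packet-tracer injects but accepts what nslookup sends. It builds a real DNS query and runs a simplified version of the sanity checks a DNS inspection engine applies (header length, question section, label bounds, and the 512-byte default message-length maximum mentioned in the thread); the ASA's actual inspection logic is proprietary, so these checks are an approximation, and the hostname and transaction ID are constructed sample values.

```python
import struct

DNS_HEADER_LEN = 12      # fixed header: id, flags, qdcount, ancount, nscount, arcount
DEFAULT_MAX_LEN = 512    # the "512 limit" (message-length maximum) referred to above


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal standard query (QR=0, RD=1) with one A question,
    i.e. the kind of payload nslookup actually puts on UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # qtype, qclass IN


def check_dns_message(payload: bytes, max_len: int = DEFAULT_MAX_LEN) -> str:
    """Return 'ok' if the payload looks like a well-formed DNS message,
    otherwise a drop reason in the spirit of 'inspect-dns-invalid-pak'."""
    if len(payload) > max_len:
        return "message-length exceeded"
    if len(payload) < DNS_HEADER_LEN:
        return "invalid packet: shorter than DNS header"
    _txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:DNS_HEADER_LEN])
    if qd == 0:
        return "invalid packet: no question section"
    pos = DNS_HEADER_LEN
    for _ in range(qd):                      # walk each question's labels
        while True:
            if pos >= len(payload):
                return "invalid packet: truncated question"
            n = payload[pos]
            pos += 1
            if n == 0:                       # root label ends the name
                break
            if n > 63 or pos + n > len(payload):
                return "invalid packet: bad label"
            pos += n
        if pos + 4 > len(payload):           # qtype + qclass must follow
            return "invalid packet: truncated qtype/qclass"
        pos += 4
    return "ok"


if __name__ == "__main__":
    # packet-tracer style: UDP to port 53 with no DNS content at all
    print("empty payload  ->", check_dns_message(b""))
    # nslookup style: a real query for a constructed DMZ-side name
    print("real query     ->", check_dns_message(build_query("server.example.com")))
```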
