Cisco Support Community
New Member

Forward DNS queries on ASA 5505

I just bought an ASA 5505 to use at home. I'm replacing an old Linksys Cable/DSL router. I'm having some trouble configuring it to forward DNS queries from internal machines to the DNS server at the ISP. The ASA's outside interface is connected to a cable modem and pulls its IP via DHCP.

Internal machines get DNS from a pool but I've been forced to actually look up the DNS servers for the ISP and add them to the pool. Is there a way to set the DNS server as the IP of the ASA and have it just forward the requests to the ISP's servers?

Here's my config. It's pretty basic.

chizzle-mang# sh run
: Saved

ASA Version 7.2(2)

hostname chizzle-mang
enable password

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
access-list outside-in extended permit gre any interface outside
access-list outside-in extended permit tcp any interface outside eq 6112
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) interface netmask
access-group outside-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.x.x.130
dhcpd auto_config outside

dhcpd address inside
dhcpd enable inside

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end


And here's the DHCP info on the outside interface...I see that it knows about the DNS servers.

chizzle-mang# sh ip addr out dhcp server

DHCP server: ANY (
  Leases: 1
  Offers: 0 Requests: 0 Acks: 0 Naks: 0
  Declines: 0 Releases: 0 Bad: 0

DHCP server: 68.x.x.10
  Leases: 1
  Offers: 1 Requests: 10 Acks: 8 Naks: 0
  Declines: 0 Releases: 0 Bad: 0
  DNS0:, DNS1:
  Subnet: DNS Domain:


New Member

Re: Forward DNS queries on ASA 5505

The dhcpd auto_config outside command should take care of this problem for you. What happens if you remove the 'dhcpd dns' configuration? With no dhcpd dns configured, and the auto_config enabled, the dns settings are supposed to pass through.
