06-04-2007 05:36 PM - edited 03-11-2019 03:24 AM
I just bought an ASA 5505 to use at home. I'm replacing an old Linksys Cable/DSL router. I'm having some trouble configuring it to forward DNS queries from internal machines to the DNS server at the ISP. The ASA's outside interface is connected to a cable modem and pulls it's IP via DHCP.
Internal machines get DNS from a pool but I've been forced to actually look up the DNS servers for the ISP and add them to the pool. Is there a way to set the DNS server as the IP of the ASA and have it just forward the requests to the ISP's servers?
Here's my config. It's pretty basic.
chizzle-mang# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname chizzle-mang
enable password
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.117.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
access-list outside-in extended permit gre any interface outside
access-list outside-in extended permit tcp any interface outside eq 6112
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.117.105 netmask 255.255.255.255
access-group outside-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.117.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.117.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.x.x.130 68.87.72.130
dhcpd auto_config outside
!
dhcpd address 192.168.117.100-192.168.117.131 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
chizzle-mang#
And here's the DHCP info on the outside interface...I see that it knows about the DNS servers.
chizzle-mang# sh ip addr out dhcp server
DHCP server: ANY (255.255.255.255)
Leases: 1
Offers: 0 Requests: 0 Acks: 0 Naks: 0
Declines: 0 Releases: 0 Bad: 0
DHCP server: 68.x.x.10
Leases: 1
Offers: 1 Requests: 10 Acks: 8 Naks: 0
Declines: 0 Releases: 0 Bad: 0
DNS0: 68.87.77.130, DNS1: 68.87.72.130
Subnet: 255.255.248.0 DNS Domain: hsd1.mn.comcast.net.
chizzle-mang#
06-05-2007 12:09 PM
The dhcpd auto_config outside command should take care of this problem for you. What happens if you remove the 'dhcpd dns' configuration? With no dhcpd dns configured, and the auto_config enabled, the dns settings are supposed to pass through.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide