Forward DNS queries on ASA 5505

jake-savage
Level 1

I just bought an ASA 5505 to use at home. I'm replacing an old Linksys Cable/DSL router. I'm having some trouble configuring it to forward DNS queries from internal machines to the DNS server at the ISP. The ASA's outside interface is connected to a cable modem and pulls its IP via DHCP.

Internal machines get DNS from a pool but I've been forced to actually look up the DNS servers for the ISP and add them to the pool. Is there a way to set the DNS server as the IP of the ASA and have it just forward the requests to the ISP's servers?

Here's my config. It's pretty basic.

chizzle-mang# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname chizzle-mang
enable password
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.117.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
access-list outside-in extended permit gre any interface outside
access-list outside-in extended permit tcp any interface outside eq 6112
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.117.105 netmask 255.255.255.255
access-group outside-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.117.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.117.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.x.x.130 68.87.72.130
dhcpd auto_config outside
!
dhcpd address 192.168.117.100-192.168.117.131 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
chizzle-mang#

And here's the DHCP info on the outside interface. I see that it knows about the DNS servers.

chizzle-mang# sh ip addr out dhcp server
DHCP server: ANY (255.255.255.255)
Leases: 1
Offers: 0 Requests: 0 Acks: 0 Naks: 0
Declines: 0 Releases: 0 Bad: 0
DHCP server: 68.x.x.10
Leases: 1
Offers: 1 Requests: 10 Acks: 8 Naks: 0
Declines: 0 Releases: 0 Bad: 0
DNS0: 68.87.77.130, DNS1: 68.87.72.130
Subnet: 255.255.248.0 DNS Domain: hsd1.mn.comcast.net.
chizzle-mang#

1 Reply

cmcbride
Level 1

The dhcpd auto_config outside command should take care of this problem for you. What happens if you remove the 'dhcpd dns' configuration? With no dhcpd dns configured, and the auto_config enabled, the DNS settings are supposed to pass through.
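As an added check, not from the thread or from any Cisco tool, here is a small Python script that parses the two outputs quoted above (the `dhcpd` lines of `show running-config` and the DNS fields of `show ip address outside dhcp server`) and reports which resolvers inside clients will be handed, flagging a hard-coded `dhcpd dns` list that has drifted from what the ISP is currently leasing. It assumes, as the reply says, that a static list is used instead of the learned values; the sample outputs are constructed with documentation addresses rather than the poster's real ISP.

```python
import re

# Constructed sample output, shaped like the ASA 7.2 'show running-config'
# and 'show ip address outside dhcp server' output in the thread.
# Addresses are placeholders from documentation ranges, not real resolvers.
SAMPLE_RUN = """\
dhcpd dns 198.51.100.130 198.51.100.131
dhcpd auto_config outside
!
dhcpd address 192.168.117.100-192.168.117.131 inside
dhcpd enable inside
"""

SAMPLE_DHCP_CLIENT = """\
DHCP server: 203.0.113.10
Leases: 1
Offers: 1 Requests: 10 Acks: 8 Naks: 0
DNS0: 198.51.100.140, DNS1: 198.51.100.131
Subnet: 255.255.248.0 DNS Domain: example.net.
"""

def static_dns(running_config):
    """Return the resolvers hard-coded with 'dhcpd dns', in order."""
    m = re.search(r"^dhcpd dns\s+(.+)$", running_config, re.M)
    return m.group(1).split() if m else []

def auto_config_interface(running_config):
    """Return the interface named in 'dhcpd auto_config <if>', or None."""
    m = re.search(r"^dhcpd auto_config\s+(\S+)", running_config, re.M)
    return m.group(1) if m else None

def leased_dns(dhcp_client_output):
    """Return the resolvers the ISP's DHCP server gave the outside interface."""
    return re.findall(r"DNS\d+:\s*(\d+\.\d+\.\d+\.\d+)", dhcp_client_output)

def check_dns_handout(running_config, dhcp_client_output):
    """Report the resolvers inside DHCP clients will receive and their source.

    Assumption (matches the reply): a static 'dhcpd dns' list is what gets
    handed out; only without it do the auto_config-learned values pass through.
    A stale static entry silently points clients at a resolver the ISP no
    longer advertises.
    """
    static = static_dns(running_config)
    leased = leased_dns(dhcp_client_output)
    iface = auto_config_interface(running_config)
    if static:
        stale = [ip for ip in static if ip not in leased]
        return {"source": "static", "handed_out": static, "stale": stale}
    if iface:
        return {"source": f"auto_config {iface}", "handed_out": leased, "stale": []}
    return {"source": "none", "handed_out": [], "stale": []}
```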
