New Member

I need 172.X.X.X (this is in DMZ) to reach port 53 of the dns server at 172.X.X.X (this is in Inside) on the Cisco ASA. Please help me with the command.

8 REPLIES

access-list DMZ-OUT extended permit udp host 172.x.x.x  host 172.x.x.x eq 53

or

access-list DMZ-OUT extended permit udp 172.x.x.x  255.255.x.x 172.x.x.x 255.255.x.x eq 53

New Member

Thank you Ton

I entered "access-list DMZ_in extended permit tcp host 172.X.X.X host 172.X.X.X eq domain" as the DNS is on the Inside interface but I could not see any hit count.

Anything I need to change?

Do you have an access-group on your inside interface to activate the ACL?

Something like:

access-group DMZ_in in interface inside

It might be wise to post part of your config to get a better understanding of how things are routed.

New Member

172.16.239.29 (Host on DMZ) should communicate with 172.16.230.54 (DNS on Inside Interface) on port 53:

Here is part of the relevant configuration:

name-server napridc01
-------------------------------------------
object-group network ADServers
network-object napridc01 255.255.255.255
network-object napridc02 255.255.255.255
network-object host napridc03
-------------------------------------------
object-group network localTimeServers
network-object host napridc01
network-object host napridc02
-------------------------------------------
NAPRIFWL01# sh run | include 172.16.239.29
access-list DMZ_in extended permit tcp host 172.16.239.29 host 172.16.230.54 eq domain
static (DMZ,Outside) 209.242.68.29 172.16.239.29 netmask 255.255.255.255
-------------------------------------------
NAPRIFWL01# sh run | include 172.16.230.54
access-list DMZ_in extended permit tcp host 172.16.239.35 host 172.16.230.54 eq domain
access-list DMZ_in extended permit tcp host 172.16.239.29 host 172.16.230.54 eq domain
aaa-server VPNEUAD_Auth (Inside) host 172.16.230.54
dns-server value 172.16.230.54

I see that you use tcp for permitting port 53. Try and test this with udp; it could be that's your issue.

New Member

Thank you, I will try and let you know. Thanks for the help Ton..

Good luck

What you could do to test your current config:

Do a telnet from the server in the DMZ to the DNS server on port 53: telnet 172.16.230.54 53 (from a DOS box).

If you see a hit, you know that the acl is working for tcp on port 53.

Then you can create an acl entry which then permits dns for udp on port 53.

If you don't get a hit, there is a routing or NAT issue.
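
An added example, not from the thread or from Cisco: a small Python evaluator for ASA extended ACEs in the syntax used above, to make the tcp/udp mismatch visible before touching the firewall. The ACL lines inside it are constructed to mirror the thread's config plus the udp entry Ton suggests; the /24 entry and the port-name table are assumptions for illustration, and only the address forms seen in this thread (host, any, address+mask, eq port) are handled.

```python
import ipaddress

# Constructed sample ACL (mirrors the thread's config, plus a udp entry and an assumed /24 entry)
ACL_TEXT = """
access-list DMZ_in extended permit tcp host 172.16.239.35 host 172.16.230.54 eq domain
access-list DMZ_in extended permit tcp host 172.16.239.29 host 172.16.230.54 eq domain
access-list DMZ_in extended permit udp host 172.16.239.29 host 172.16.230.54 eq domain
access-list DMZ_in extended permit udp 172.16.239.0 255.255.255.0 host 172.16.230.54 eq 53
"""

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}  # assumed subset of ASA port keywords


def _take_addr(tokens):
    """Consume one ASA address spec (host A | any | A MASK) and return an ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # classic ASA syntax: address followed by a subnet mask
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    ace = {"acl": tokens[1], "action": tokens[3], "proto": tokens[4]}
    rest = tokens[5:]
    ace["src"] = _take_addr(rest)
    ace["dst"] = _take_addr(rest)
    ace["dport"] = None
    if rest[:1] == ["eq"]:
        p = rest[1]
        ace["dport"] = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
    return ace


def lookup(acl_text, acl_name, proto, src, dst, dport):
    """Return the first ACE matching the flow (first match wins) or None for the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace is None or ace["acl"] != acl_name or ace["proto"] not in (proto, "ip"):
            continue
        in_src = ipaddress.ip_address(src) in ace["src"]
        in_dst = ipaddress.ip_address(dst) in ace["dst"]
        if in_src and in_dst and ace["dport"] in (None, dport):
            return ace
    return None
```

With only the two tcp entries present, a UDP query from 172.16.239.29 to port 53 falls through to the implicit deny, which is why the hit count stays at zero for normal DNS lookups.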

New Member

Gotcha.. thank you..
