Upgraded from 6.3(1) to 6.3(3) and noticed my internal LAN cannot receive DNS replies from my DMZ-positioned DNS server anymore.
Internal = 192.168.1.0/24
DMZ = 192.168.0.0/24
DMZ contains DNS server & Email server.
Email = 192.168.0.2 inside, a.b.c.1 outside
DNS = 192.168.0.3 inside, a.b.c.2 outside
Outside machines can access all DMZ resources using DNS or IP, but inside machines can only access DMZ resources by IP since the update (they used to be able to hit it via DNS as well).
The DNS server is configured to respond to internal requests with internal IPs (192.168.0.0/24) and respond to external requests with external IPs (a.b.c.0/148).
The only commands I have dealing with the link to the DMZ from the inside are:
access-list dmz permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
- and -
nat (inside) 0 access-list dmz
From my understanding, this should allow all queries from inside to DMZ and allow responses to those queries. Is this no longer the case, or did something else that's needed get whacked in the update (do I need to bind the access list to the dmz interface)?
From the internal host, if I do nslookup on an internal address, I get the correct DNS response. If I do nslookup against an external address, it times out.
For example, assume I have a mailserver called mail.domain.com on the DMZ at 192.168.0.1. If I do nslookup mail.domain.com, it correctly returns 192.168.0.1, but if I try nslookup www.cisco.com, it times out.
On the DNS machine itself (from within the DMZ), however, I can nslookup both internal and external addresses, and all responses are 100% correct.