02-15-2009 08:00 AM - edited 03-09-2019 10:02 PM
Currently I have a Cisco 5510 configured as firewall. But my internal DNS is not allowed DNS forwarder, hence my server and client PCs can't access the internet with the internal DNS configured as the primary DNS. So, do I have any chance to configure the ASA 5510 as DNS forwarder?
02-16-2009 02:12 AM
Your DNS server should query the DNS root servers or sub servers for any domain/names it does not know.
The Firewall on a basic config will allow DNS queries out to the internet, so this would indicate 2 things:-
1) Your DNS server is not setup correctly.
2) You have configured the firewall to block DNS.
Post your firewall config for review.
02-16-2009 07:11 AM
For your information, my company policy is to remove all the root hints on the DNS server, and add it as an additional scope in the DNS scope. For sure, once I configure forwarding on my DNS server to the ISP DNS, my servers and clients are able to surf the internet. From this point, the DNS server should be configured properly. All our sub servers are also doing the same setting. I have posted my firewall config here for your review.
ASA Version 8.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 58.185.93.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.0.105 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object-group service InternetAccess tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq ftp
port-object eq ftp-data
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 object-group InternetAccess any object-group InternetAccess
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 172.16.0.0 255.255.0.0 any
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 58.185.93.19 netmask 255.0.0.0
nat (inside) 1 172.16.0.0 255.255.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 58.185.93.17 1
timeout xlate 3:00:00
http server enable
http 192.168.1.0 255.255.255.0 management
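An offline way to answer the "is the firewall blocking DNS?" question from the config alone, added here as an example and not code from the thread or from Cisco: a small Python evaluator that parses the object-group and `inside_access_in` lines exactly as posted above and runs candidate flows through them with first-match semantics and the ASA's implicit deny. The parser only understands the syntax that appears in those lines (`any`, `host`, address/mask, `eq`, and service object-groups used as port specs); the inside host 172.16.0.10 and the resolver 203.0.113.53 are constructed sample addresses.

```python
import ipaddress

# ASA keyword-to-port map for the service names in the posted config, plus
# "domain" (53) so DNS flows can be written by name.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "imap4": 143, "pop3": 110,
              "smtp": 25, "ftp": 21, "ftp-data": 20, "domain": 53}

# Constructed excerpt: the object-group and ACL lines as posted in the thread.
ASA_CONFIG = """\
object-group service InternetAccess tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq ftp
 port-object eq ftp-data
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 object-group InternetAccess any object-group InternetAccess
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 172.16.0.0 255.255.0.0 any
"""


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(t, i):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _take_ports(t, i, groups):
    """Consume an optional port spec; None means 'any port'.
    Assumption: an object-group in port position is a service group (true for
    the posted config); network object-groups are not handled."""
    if i < len(t) and t[i] == "eq":
        return {_port(t[i + 1])}, i + 2
    if i < len(t) and t[i] == "object-group":
        return set(groups[t[i + 1]]), i + 2
    return None, i


def _parse_ace(t, groups, text):
    action, proto, i = t[0], t[1], 2
    src, i = _take_addr(t, i)
    sports, i = _take_ports(t, i, groups)
    dst, i = _take_addr(t, i)
    dports, i = _take_ports(t, i, groups)
    return {"action": action, "proto": proto, "src": src, "sports": sports,
            "dst": dst, "dports": dports, "text": text}


def parse_config(text):
    """Return ({group: {ports}}, {acl_name: [ace, ...]}) from ASA config text."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "object-group" and t[1] == "service":
            current = groups.setdefault(t[2], set())
        elif t[0] == "port-object" and current is not None:
            if t[1] == "eq":
                current.add(_port(t[2]))
            elif t[1] == "range":
                current.update(range(_port(t[2]), _port(t[3]) + 1))
        elif t[0] == "access-list" and t[2] == "extended":
            current = None
            acls.setdefault(t[1], []).append(_parse_ace(t[3:], groups, raw.strip()))
        else:
            current = None
    return groups, acls


def permits(aces, proto, src, sport, dst, dport):
    """First-match evaluation ending in the ASA's implicit deny.
    Returns (allowed, text of the matching ACE or 'implicit deny')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sports"] is not None and sport not in ace["sports"]:
            continue
        if ace["dports"] is not None and dport not in ace["dports"]:
            continue
        return ace["action"] == "permit", ace["text"]
    return False, "implicit deny"


if __name__ == "__main__":
    _, acls = parse_config(ASA_CONFIG)
    aces = acls["inside_access_in"]
    # Internal DNS server forwarding a query to an upstream resolver
    print(permits(aces, "udp", "172.16.0.10", 53211, "203.0.113.53", 53))
    # The same flow if the catch-all "permit ip" line were removed
    print(permits([a for a in aces if a["proto"] != "ip"],
                  "udp", "172.16.0.10", 53211, "203.0.113.53", 53))
```

Run against the posted lines, the evaluator shows that outbound UDP/53 from the inside network is admitted by the third ACE (`permit ip 172.16.0.0 255.255.0.0 any`), so the firewall is not what stops resolution; the DNS server's missing forwarders are. It also shows that the first ACE on its own would not carry ordinary client traffic: because the service object-group appears on the source side as well, that line only matches TCP flows whose source port is also in the group, so a browser connecting from an ephemeral port to 443 falls through to the catch-all.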
02-16-2009 07:16 AM
I do not understand your issue then - you have answered your own question?
02-18-2009 05:13 AM
It's ok. Thanks.