I'm having a hard time diagnosing an issue with DNS resolution across an IPSEC VPN. This setup was working at one time but now it's not. I have a 5505 with easyvpn connecting to a VPN concentrator (Cisco 3000), and the workstation shows that DNS is set to my internal corp DNS server, the DNS server is pingable, I can even telnet across VPN to the internal DNS server on port 53, but it will not resolve anything. When I do an nslookup it times out. I don't understand what is causing the failure as this setup was working once before. I see the DNS UDP packets hitting the ASA 5505 on the way out, but sniffing on the DNS server I never see the queries arrive. This issue is occurring on multiple workstations all using the same config below in different regions. Both internal and external resolution are failing. Please assist. Thanks!
Example config on ASA 5505
ip address 192.168.11.113 255.255.255.240
ip address dhcp setroute
switchport access vlan 2
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
pager lines 24
logging buffer-size 16000
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http 10.0.0.0 255.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community xxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 30
dhcpd lease 86400
dhcpd domain xxxxx
dhcpd auto_config outside
dhcpd option 150 ip 10.20.20.11 10.20.20.12
dhcpd address 192.168.11.114-192.168.11.125 inside
dhcpd dns 10.20.16.4 10.20.16.3 interface inside
dhcpd domain xxxxx interface inside
dhcpd enable inside
vpnclient server xxxxx
vpnclient mode network-extension-mode
vpnclient vpngroup HomeNetworkVPN password xxxxxx
vpnclient username xxxxx password xxxxxx
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.20.0.1 source inside prefer
username xxxx password xxxxxx encrypted privilege 15
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
I'll check the switch directly connected to the DNS server to see if there are DNS packets for the source IP in question. The server is behind the ASA.
Another oddity... If I do an NSLOOKUP on the workstation that is behind the 5505 ASA I get "DNS request timed out". If I use the server command to try and change the DNS server on the workstation to Google's public DNS it fails as well. Seems as if the problem may be on the 5505 ASA.
Pls check if your dns is working properly. Nslookup should work locally without error.
One reason might be that reverse DNS is not working properly or might be misconfigured.
Depending on your os you might have to open udp on port 53 as well.
Sent from Cisco Technical Support Android App
Pls rate useful posts.
I cannot change my dns server to google's public dns of 22.214.171.124 while behind the firewall. As soon as I plug into my home router and bypass the firewall I can change to the public dns server and everything works fine. It seems as if the 5505 is blocking dns queries on the inside interface. Please help!
May I know why you have "dhcpd dns 10.20.16.4 10.20.16.3 interface inside" as your DNS servers?
Your LAN is 192.168.11.x, so can you ping the 10.20.16.4 IP or the 10.20.16.3?
Add the following:
logging buffered debugging
Then do a "nslookup", after this test check the "show log" output.
Also please do the following:
capture capin interface inside match udp 192.168.11.0 255.255.255.0 any eq 53
Then "show capture capin".
Let us know.
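Since the thread's key symptom is that telnet to TCP/53 on the DNS server succeeds from behind the 5505 while nslookup (UDP/53) times out, here is an added diagnostic, not from the original post or from Cisco, that sends the same hand-built A query once over UDP and once over TCP so the two paths can be compared from a workstation alongside the ASA capture. The server address 10.20.16.4 is taken from the posted dhcpd line; example.com is an assumed query name.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal recursion-desired DNS query for `name` (class IN, type A by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags(RD), qd=1, an/ns/ar=0
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_reply(data, txid):
    """Return (rcode, answer_count) for a response matching txid, or None if it is not one."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000):  # QR bit must be set on a response
        return None
    return flags & 0x000F, an

def probe_udp(server, name, timeout=3.0):
    """Send the query over UDP/53, the path nslookup uses by default."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "udp: timeout (no reply)"
    return f"udp: {parse_reply(data, 0x1234)}"

def probe_tcp(server, name, timeout=3.0):
    """Send the same query over TCP/53 with the 2-byte length prefix (RFC 1035 4.2.2)."""
    q = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            n = struct.unpack("!H", s.recv(2))[0]  # struct.error if the peer closes early
            data = b""
            while len(data) < n:
                chunk = s.recv(n - len(data))
                if not chunk:
                    break
                data += chunk
    except (OSError, struct.error):
        return "tcp: connect/read failed"
    return f"tcp: {parse_reply(data, 0x1234)}"

if __name__ == "__main__":
    # Assumed values: the corp resolver from the thread's dhcpd line and an example query name.
    for fn in (probe_udp, probe_tcp):
        print(fn("10.20.16.4", "example.com"))
```

If UDP times out while TCP returns an rcode, the drop is specific to UDP/53 somewhere between the workstation and the server, which is what the ASA capture on the inside interface and the "show log" output should then confirm.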
I resolved the issue by creating a new group on the VPN concentrator and moving the ASAs into the new group. The new group has the exact same configuration as the old group, so I'm not sure why this fixed the issue. Thanks for everyone's help.