Isnt that what I have sent?

Well, I have now managed to get it working. The only downside is that my internet stops working. I added an exempt NAT rule, and suddenly everything worked in packet tracing.

It seems to me that my server on the inside is nolonger capable of retreiving DNS lookups. Cached DNS is working just fine, but new requests are not working. I have an Active directory on the inside, and my clients are using this server as a DNS-server. The DNS-server forwards requests for external domains to the DNS-server at my ISP. This is no longer working when I put on the Exempt rule.

Hi there,

Is your internet not working, or is DNS not working?

For example, if you open a web browser and attempt to go to http://64.233.187.99 Does that get you to Google?

I have an idea of what might be wrong, but I need you to confirm that for me first.

Mike

My internet has stopped working because my DNS has stopped working. I cannot resolve DNS-addresses anymore, and only cached DNS lookups is working. I have not tried to do what you propose, but my guess is that this should work.

BTW, the config I posted is not the same anymore. I have done many adjustments to make it work.

Please post your updated config if you'd like assistance with this.

Also, you may want to look into the fact that sometimes Cisco security devices block UDP DNS packets that are larger than 512 bytes (EDNS0).

You can turn off Extension Mechanisms for DNS on Windows 2003 by entering the following command from the command line:

dnscmd Server Name/Config /EnableEDnsProbes 0

I had this problem with a Windows 2003 DNS server looking up external entries, and the above command solved it for me.

But your problem may be different. Post the config if you're still having problems.

HTH

Mike

Hi, Here is the config for the ASA. I tried what you said, and by browsing the IP-address google showed right up. I also checked my 2k3 server and it was configured to forward DNS lookups to 192.168.1.1. Changed this to my ISPs DNS, but no change. Deleted the Exempt rule, to try to connect to internet, but it seems that the dns error sticks with the asa. The command you mention seems logical, but what kind of implications will this have for my internal dns-lookups and Active Directory?

ASA Version 8.0(3)

!

hostname ciscoasa

domain-name xxx.xx

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan5

shutdown

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.x.x 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name xxx.xx

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service rdp tcp

port-object eq 3389

access-list outside_access_in extended permit tcp any eq smtp host 192.168.1.x eq smtp

access-list outside_access_in extended permit tcp any eq www host 192.168.1.x eq www

access-list outside_access_in extended permit tcp any eq https host 192.168.1.x eq https

access-list outside_access_in extended permit tcp any object-group rdp host 192.168.1.x object-group rdp

access-list inside_nat0_outbound extended permit ip host 192.168.1.x any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.129 inside

!

threat-detection basic-threat

threat-detection statistics

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

It should have no implications on your DNS service, as that solution comes from Microsoft themselves:

http://support.microsoft.com/kb/828263/en-us

Your DNS forwarders should definitely be set to your ISP's servers, and not internal or the ASA.

Just to verify, in the network adapter for your server, you've got it set with a static IP, and what do you have for a DNS server? I'm assuming this same server is also a Domain Controller.

Also, if you setup a laptop or desktop on the network, assign it an IP on your LAN, but set the DNS servers to your ISP's servers (external). See if that will resolve domain names. If so, then the problem is with your server's DNS service (Which I can fix...I've seen this before).

Back to your config, I'll need a little while to look at it. But let me know about the server. (I realize this is turning into more Microsoft than Cisco right now :-)

Hi,

Yes, I found that article myself, and ran the command but no change. I will try what you suggest tonight(GMT+1)

You are absolutely right about the server. It has static IP,and is also a Domain contoller running Windows 2003 Service pack 1 with Exchange 2003 SP2.

I have seen what you are decribing before, and whether or not the test I gave you works will let me know for sure. I'm starting to think that the ASA is not the problem, and your Windows DNS is.

Basically, you want to make sure your internal DNS is set up appropriately.

On your server:

1) In the TCP/IP properties of the network adapter, for DNS servers you want to supply the first DNS Server field with the server's OWN IP address. Make sure not to do 127.0.0.1, but it's actual internal IP address (192.168.1.1, or whatever it is). Don't put anything in the 2nd box...just leave it blank.

2) While you're in the TCP/IP properties, click on the Advanced button at the bottom, and then go to the DNS tab. In there, first make sure there is only 1 DNS server listed (your server's IP address) in the DNS servers box.

Then, make sure the first 2 radio buttons are checked (Append Primary and Conn... and Append Parent Suffix...). At the bottom, check Register this Connection's address in DNS.

3) In the DNS service snap-in, make sure your IP forwarders are your ISP's DNS servers IP addresses (And nothing else.) I use 5 Seconds before Timeout, and "Do Not use Recursion" is NOT checked.

On the "Interfaces" tab, I have it set to Listen on All IP Addresses, even though there is only 1.

Let me know how you make out.

Mike

All the settings were exactly like you described in my DNS-settings, on my server. Using my ISP's DNS-addresses on my clients did not work either.

This case started out as a case about port forwarding, and I did manage to get that to work,according to the packet tracing anyway. Odd behaviour before, during and later from the ASA, and losing my internet connection completely almost everytime I try to fix the problems, leaves me thinking that it is something physically wrong with it.

I have given it to one of my collegues so he can start over and see if he get it working. And then we will see. Thanks for all help.