DNS query from outside to internal, public DNS server

Running on an ASA 5520, I cannot figure out how to allow external DNS requests.

Did a NAT for 53 udp and tcp and created a rule for this.

But it does not allow the traffic.

The internal DNS is btw working.

What is the best way to do this?

Regards, Lars.

Reply to
Lars Bonnesen

Can you show us the config? Are you getting hits on the acl? Is the DNS server seeing the inbound traffic? Can it talk to the outside world?

Chris.

Reply to
chris

"chris" wrote in message news: snipped-for-privacy@karoo.co.uk...

Used ASDM 5.0 to configure it.

I tried this (show running-config):

dns retries 2
dns timeout 2
dns domain-lookup outside
dns domain-lookup inside
dns name-server a.b.c.d

(a.b.c.d is internal DNS server)

It did not work.

Then tried:

static (inside,outside) tcp q.w.e.r domain a.b.c.d domain netmask 255.255.255.255
static (inside,outside) udp q.w.e.r domain a.b.c.d domain netmask 255.255.255.255

q.w.e.r is the public IP of the internal DNS.

Also did a security policy, but it does not show up in the access list.

No.

Yes. The problem is the config on the Cisco.

Regards, Lars.

Reply to
Lars Bonnesen

Nothing to do with allowing inbound DNS queries to your server!

If you are port forwarding from your external IP address to the DNS server then I think that you are supposed to use the keyword "interface" rather than the external IP address.

If it doesn't show up in the access list then the chances are that it isn't in there, therefore no traffic to your server!

Reply to
chris

"chris" wrote in message news: snipped-for-privacy@karoo.co.uk...

What is it used for then?

I have several IP addresses. If I use "interface", how can the Cisco then know which IP address to use?

You are right, but why does it not show up? The policy is created in ASDM and I did an "apply", and I can still see it in ASDM. Could it be that the Cisco does not allow it to be created because some proxy is doing the DNS job?

Regards, Lars.

Reply to
Lars Bonnesen

"Lars Bonnesen" wrote in message news:44376350$0$849$ snipped-for-privacy@dread14.news.tele.dk...

Sorry - it is in fact listed in the access list:

access-list OUTSIDEIN extended permit tcp any eq domain host z.x.c.v eq domain
access-list OUTSIDEIN extended permit udp any eq domain host z.x.c.v eq domain

But it is listed with the public IP. I was looking for a private IP, because the policy in ASDM was created from any outside to localIP inside.

Why isn't it working?

Regards, Lars.

Reply to
Lars Bonnesen

DNS resolution for the Pix.

Because you are specifying the *internal* IP address in the static. The "interface" keyword is for when you are port forwarding from the *external* interface IP address.

i.e. if I have a web server on 192.168.10.1 and a mail server on 192.168.10.2 then I might use ..

static (inside,outside) tcp interface 80 192.168.10.1 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.10.2 25 netmask 255.255.255.255

Requests to the external IP address on port 80 would go to .1 and requests to the same external IP address on port 25 would go to .2

Chris.

Reply to
chris

Because traffic from the outside will be sent to the public IP, not the private one!

Maybe the IPs are wrong? Maybe the DNS server isn't set up to accept external queries? Maybe the access list isn't applied to the interface?

You really need to look at the logging on the firewall when you try external access to the DNS server. If traffic is being dropped by the ACL then you'll see that in the logs.

What's the IP address of your external interface?

Chris.

Reply to
chris
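As an added example, not taken from the thread or from either poster's running configuration, here is what the complete inbound DNS forwarding looks like in ASA 7.x syntax (the software generation that ships with ASDM 5.0). It ties together the static translation from Lars's post and the checks Chris asks for (ACL hits, logging, access list bound to the interface). Addresses are assumed: the RFC 5737 documentation address 203.0.113.10 stands in for the public IP q.w.e.r, and 192.168.10.53 stands in for the internal server a.b.c.d. It also shows one detail worth checking in the access list quoted earlier in the thread: an "eq domain" on the source side of an ACE matches only on the client's source port, not the destination port.

```cisco
! Added example, not the thread's configuration. Assumed addresses:
!   203.0.113.10  = public IP that should answer DNS (stands in for q.w.e.r)
!   192.168.10.53 = internal DNS server            (stands in for a.b.c.d)
!
! 1. Port-level static NAT for TCP and UDP 53 only. The public address is
!    written explicitly; the "interface" keyword is used only when the
!    outside interface's own address is the one being forwarded.
static (inside,outside) tcp 203.0.113.10 domain 192.168.10.53 domain netmask 255.255.255.255
static (inside,outside) udp 203.0.113.10 domain 192.168.10.53 domain netmask 255.255.255.255
!
! 2. Inbound access list, referencing the PUBLIC address (the ACL on the
!    outside interface is evaluated before the static untranslates it).
!    There is deliberately no "eq domain" after "any": an ACE such as
!      permit udp any eq domain host 203.0.113.10 eq domain
!    would only match queries whose SOURCE port is 53, and resolvers send
!    from an ephemeral (nowadays randomised) source port.
access-list OUTSIDEIN extended permit tcp any host 203.0.113.10 eq domain
access-list OUTSIDEIN extended permit udp any host 203.0.113.10 eq domain
!
! 3. An access list does nothing until it is bound to an interface.
access-group OUTSIDEIN in interface outside
!
! 4. Make denied packets visible before testing from the outside.
logging enable
logging buffered informational
```

To verify, query the public address from a host that is genuinely outside (on the ASA, "show xlate" confirms the static is built, "show access-list OUTSIDEIN" shows the hit counts Chris asked about, and "show logging | include 106023" lists packets the access group denied). If the query comes from another internal segment instead, that segment's own outbound rules must allow UDP and TCP 53 to the public address, which is the mistake reported at the end of the thread. On ASA 7.2 and later, "packet-tracer input outside udp 198.51.100.7 40000 203.0.113.10 53" (source address assumed) walks the NAT and ACL decision without sending real traffic. One further caveat: the default global_policy applies DNS inspection with a 512-byte maximum message length, so if the server returns larger EDNS responses those are dropped by the inspection, not by the ACL.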

"chris" wrote in message news: snipped-for-privacy@karoo.co.uk...

My god, how dumb I am.... I didn't allow outgoing DNS lookup to that address from the LAN I am sitting on (another one). The Cisco config is working correctly.

Sorry for the inconvenience and thank you for trying...

Reply to
Lars Bonnesen

Glad to hear that it's working. The answer is usually something simple ;-)

Chris.

Reply to
chris
