topic Thanks so much. Turns out I in Network Security

ASA 5506X with Firepower Not resolving DNS

jzkkn5 — Tue, 12 Mar 2019 13:22:29 GMT

I just installed the ASA 5506X with firepower

ASA Ver 9.6

Firepower ver 5.4.1-211

ASDM 7.6

I used the setup wiz in the ASDM to configure interfaces and Firepower management interface. All seem to work well and I have firepower up and running with IPS and other firepower policy running. I have one big issue however. The firepower module did not get a DNS server configured and there is no place in ASDM to configure a DNS. The results is that updates are not working as it can't resolve anything. I looked at the resolv.conf file in the firepower console and it is empty. I was going to add a nameserver entry but when I ran VI the keyboard mappings were not what I expected and so I quit with no save. Can someone help me to figure out how to configure DNS for the firepower module software?

I only have the one firewall and so I am managing it with ASDM and I do not have a management center VM running nor do I have the resource to spin one up.

You should be able to log

Marvin Rhoads — Thu, 27 Apr 2017 07:08:54 GMT

You should be able to log into the firepower module console prompt and add a DNS server there using the command "configure network dns servers" as shown below.

That will modify the necessary Linux bits behind the scenes.

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5525 v6.2.0 (build 362)

> configure network

dns Configure DNS
hostname Set the hostname
http-proxy Configure HTTP Proxy settings
http-proxy-disable Disable HTTP Proxy settings
ipv4 Configure IPv4 networking
ipv6 Configure IPv6 networking
management-interface Change to Management Port Configuration Mode
management-port Change TCP port for management
static-routes Change to Static Route Configuration Mode

> configure network dns

searchdomains Configure DNS search domains
servers Configure DNS servers

> configure network dns servers

configure network dns servers dnslist ...
 Configure DNS servers

dnslist ... Comma-separated list of DNS servers

>

Thanks that was very helpful.

jzkkn5 — Thu, 27 Apr 2017 11:11:29 GMT

Thanks that was very helpful. I now show DNS servers in the resolv.conf and nslookup resolves now. I still am not getting updates however. When I go to updates in the ASA Firepower configuration and pick the rules tab for example then pick "Download new rule update from support site I get this error

Error
Connectivity problems. Unable to download rules.

You're welcome.

Marvin Rhoads — Thu, 27 Apr 2017 11:31:41 GMT

You're welcome.

Is the FirePOWER module address able to reach the Internet?

You need that - https connectivity and a NAT rule at a minumum.

If you have any proxy server, the module address must be exempted from that.

My setup is as follows

jzkkn5 — Thu, 27 Apr 2017 12:06:34 GMT

My setup is as follows

Outside SL 0 is connected to ISP

Inside SL 100 is 192.168.10.2 and Firpower module is 192.168.10.4 using 192.168.10.2 as default GW

I also have a DMZ SL 50 with 192.168.15.0/24

All networks are NATing out and clients on both inside and DMZ browse to internet just fine. I have both inside and firepower management interfaces plugged into the same Layer 2 switch on the same VLAN. It should be able to communicate as far as I can see on this configuration.

Thanks again for your time.

Yes that does sound correct

Marvin Rhoads — Thu, 27 Apr 2017 12:32:12 GMT

Yes that does sound correct and straightforward.

There is a more detailed troubleshooting technote here:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118791-technote-firesight-00.html

The document is written for FirePOWER Management center but would apply to a FirePOWER module itself as well as in your case.

In short, they suggest some command line checks.

The key check is:

sudo openssl s_client -connect support.sourcefire.com:443
GET /

You will need to switch to expert mode on your module to run Linux commands.

Thanks so much. Turns out I

jzkkn5 — Thu, 27 Apr 2017 14:52:27 GMT

Thanks so much. Turns out I had to reboot the ASA before the DNS resolution started working after the updates to DNS. I am now able to down load updates.

Again Thanks for your help

Oh that's right. Sorry I

Marvin Rhoads — Thu, 27 Apr 2017 16:31:25 GMT

Oh that's right. Sorry I neglected to mention that.

There is a command to restart the resolver daemon that allows you do make that change less disruptively.

Drop into expert mode and then run the following command:

/etc/rc.d/init.d/nscd restart