topic Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS in Network Security

Cisco ASA 5520 Internet Access With Gateway IP as DNS

Cash2106 — Tue, 03 Nov 2020 16:24:08 GMT

Hi there,

i am using Cisco ASA 5520, i am facing an issue, when i am giving IP address on client machine and DNS of 8.8.8.8 in the DNS part then users are able to access the internet, but when i am removing that DNS 8.8.8.8 then users are not able to use the internet,

i have a Domain controller which IP is also configured in client machine to connect then with domain but when i add 8.8.8.8 with the domain controller DNS then users are not able to use domain controller shared resources properly.

the details for the CISCO ASA network is given below for better understanding.

CISCO ASA Inside = 192.168.2.40

Cisco ASA Outside = 172.0.0.16 (for example)

Domain Controller = 192.168.2.2

i want to set it up, if i give then DNS of 192.168.2.2 then internet should work on clients without giving 8.8.8.8.

i have already added a DNS in Cisco ASA through the commands given below

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.2.2

domain-name DARSPN.LOCAL

with these settings i believe internet should work on client machine after mentioning the given below IP Settings.

IP = 192.168.2.10

Subnet = 255.255.255.0

Gateway = 192.168.2.40

DNS = 192.168.2.2

but on client machine, internet is not working, but whenever i give then DNS 8.8.8.8 then internet start working on the client machines, i want to make it work without giving the 8.8.8.8 DNS.

NAT rule is also configured but still clients are not able to connect through internet

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

MHM Cisco World — Tue, 03 Nov 2020 17:11:51 GMT

Client can connect the Domain Name Server directly i.e. they connect to SW and SW connect to ASA?

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Cash2106 — Tue, 03 Nov 2020 17:53:00 GMT

@MHM Cisco Worldi did not get your point, can you explain it to me. what is SW ?

and currently my client IP setting on which internet is working is given below for your kind consideration.

IP = 192.168.2.10
Subnet = 255.255.255.0

Gateway = 192.168.2.40

DNS1 = 192.168.2.2

DNS2 = 8.8.8.8

with the IP Settings give above client can access the internet but when i remove the DNS2 which is 8.8.8.8 then client is not able to use the internet. i dont know how to make it work to give the internet connectivity to client with only one DNS which is 192.168.2.2 or using the same Gateway IP in DNS2 as well.

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Marius Gunnerud — Tue, 03 Nov 2020 17:58:20 GMT

Are you running the DNS service on the domain controller? If you are not running the DNS service you will not be able to connect to the internet using URLs when you configure the domain controller as the DNS server for clients.

I just want to add, it is not a good practice having the DNS server on the domain controller. DNS should be on a separate server.

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Cash2106 — Tue, 03 Nov 2020 18:01:30 GMT

@Marius Gunnerudi have a DNS installed on the domain controller, i have resources problem thats why i am using DNS DHCP and AD on one same server,

isnt there anyway i can do these settings.

or another approach is, can i configure it like that in which i can use the Cisco ASA IP which is 192.168.2.40 in the DNS part to make internet working on client side ?

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Marius Gunnerud — Tue, 03 Nov 2020 18:05:06 GMT

Is the Server able to resolve domains? for example, if you open the command prompt and enter nslookup google.com do you get a reply that shows the IP of google.com?

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Cash2106 — Tue, 03 Nov 2020 18:08:09 GMT

@Marius Gunnerudno i am not able to get proper response when i do nslookup for google.com or any other website, because right now i am not using internet on the domain controller, but even when i allow internet access on domain controller at that time i am still not able to lookup google.com except only the clients which are inside the domain darson.local.

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Marius Gunnerud — Tue, 03 Nov 2020 18:36:44 GMT

The issue is that the DNS server doesn't know where to find information when performing lookups. What do you access rules on the ASA look like for access from the DNS server to internet? My guess is that DNS request traffic is being blocked from the DNS towards internet.

Check the rules on the firewall and make sure that at least UDP/53 is allowed from the DNS server towards the internet, then add 8.8.8.8 as a DNS on the server, and test again.

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Cash2106 — Wed, 04 Nov 2020 07:09:08 GMT

@Marius Gunnerudi have added a UDP port 523 rule in firewall in windows domain controller, and added dns 8.8.8.8 in ip settings, i can access the internet, but i am not able to lookup for google.com, hotmail.com anything, but internet is working on the client, i am trying to add dns forwarder in dns its resolving 8.8.8.8 to dns.google.com but when i am applying the settings its giving me error and after i click on OK button and then apply, after applying when i come to dns forwarder again the 8.8.8.8 entry doesnt show there, i am attaching screen shot please check and acknowledge please.

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Marius Gunnerud — Wed, 04 Nov 2020 07:49:29 GMT

When I asked about if port UDP/53 was opened for in the firewall, I did not mean the Windows firewall, but instead the ASA firewall.

However, it sounds like your server is not performing recursive lookup. Try the following troubleshoot steps that I found on Microsoft support site.

https://docs.microsoft.com/en-us/windows-server/networking/dns/troubleshoot/troubleshoot-dns-server#to-view-the-current-root-hints

Checking for recursion problems

For recursion to work successfully, all DNS servers that are used in the path of a recursive query must be able to respond and forward correct data. If they can't, a recursive query can fail for any of the following reasons:

The query times out before it can be completed.
A server that's used during the query fails to respond.
A server that's used during the query provides incorrect data.

Start troubleshooting at the server that was used in your original query. Check whether this server forwards queries to another server by examining the Forwarders tab in the server properties in the DNS console. If the Enable forwarders check box is selected, and one or more servers are listed, this server forwards queries.

If this server does forward queries to another server, check for problems that affect the server to which this server forwards queries. To check for problems, see Check DNS Server problems. When that section instructs you to perform a task on the client, perform it on the server instead.

If the server is healthy and can forward queries, repeat this step, and examine the server to which this server forwards queries.

If this server does not forward queries to another server, test whether this server can query a root server. To do this, run the following command:

cmd

nslookup
server <IP address of server being examined>
set q=NS

If the resolver returns the IP address of a root server, you probably have a broken delegation between the root server and the name or IP address that you're trying to resolve. Follow the Test a broken delegation procedure to determine where you have a broken delegation.
If the resolver returns a "Request to server timed out" response, check whether the root hints point to functioning root servers. To do this, use the To view the current root hints procedure. If the root hints do point to functioning root servers, you might have a network problem, or the server might use an advanced firewall configuration that prevents the resolver from querying the server, as described in the Check DNS server problems section. It's also possible that the recursive time-out default is too short.

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Cash2106 — Wed, 04 Nov 2020 09:00:47 GMT

@Marius Gunnerudi have done some steps, i have removed my domain contoller IP which is 192.168.2.2 from forwarder, and i have added only 8.8.8.8 in forwarder and also deleted all the root hints and applied and save the settings. now i am able to do nslookup on everything (my internal clients, www.google.com, www.hotmail.com) a screen shot is attached for your kind consideration. please check and acknowledge and tell me what further i should do to give users internet access without mentioning the 8.8.8.8 in secondary dns ip. i want internet work on client with the primarry dns which is 192.168.2.2 and gateway which is 192.168.2.40 cisco asa. i appreciated your concern.

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Marius Gunnerud — Wed, 04 Nov 2020 10:20:52 GMT

Have you tested to see if the clients now can resolve URLs and browse to websites using 192.168.2.2 DNS server only? You should be able to now. The DNS server needs a global open resolver to lookup URLs that are not locally defined in its DNS records, so you need to have google DNS or some other DNS configured (for exmple Umbrella 208.67.222.222, 208.67.220.220). I would recommend using Umbrella.

But all in all, you should be good to go now once you have set the clients to receive DHCP assigned IP, DNS, and default gateway

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Cash2106 — Wed, 04 Nov 2020 11:30:10 GMT

@Marius Gunnerudreally appreciated your concern, the issue is resolved now, users are not able to use internet with the DNS 192.168.2.2

i am sure this worked because i have enable the DNS services in cisco asa

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.2.2

domain-name DARSPN.LOCAL

and because of these settings internet is working when we are giving 192.168.2.2 in primary dns server. just want to confirm it if i am right or wrong.

anyway thanks for your concern and support .. really appreciated. you made my life easy ...

Re: Cisco ASA 5520 Internet Access With Gateway IP as DNS

Marius Gunnerud — Wed, 04 Nov 2020 11:37:01 GMT

Thank you for rating and selecting the answer!

The DNS configuration on ASA is only locally significant to the ASA. That is, the ASA only uses this for domain lookups that it needs to do itself. So if you need to ping google.com from the ASA, for example, then you would need to have this configuration. So, it will not have any affect on client traffic.