https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867984#M1102331 <P>DNS UDP port 53 is closed according to above packet tracer,&nbsp;<BR />there is any ACL apply to INside interface ?</P> Wed, 05 Jul 2023 13:03:31 GMT MHM Cisco World 2023-07-05T13:03:31Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867968#M1102325 <P>I have Firepower 1140 running ASA code 9.14.1 .</P><P>when i ping 8.8.8.8 its happening but when i ping wwwogoogle.com or tools.cisco.com its not pinging.</P><P>i have attached the log files along with debug dns as attachment for reference , let me know what i can do</P><P>i have configured default DNS for domain lookup outside for dns 8.8.8.8, 4.2.2.2,&nbsp;<SPAN>208.67.222.222 208.67.220.220.</SPAN></P><P><SPAN>Need some help Since TAC has refused assistance as this is a new deployment.&nbsp;</SPAN></P> Wed, 05 Jul 2023 12:48:34 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867968#M1102325 Singh007 2023-07-05T12:48:34Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867969#M1102326 <P>attached file for reference</P> Wed, 05 Jul 2023 12:49:14 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867969#M1102326 Singh007 2023-07-05T12:49:14Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867971#M1102327 <P>i have tried to ping tools.cisco.com ip&nbsp;72.163.4.38 and its working and attached in the file for reference</P> Wed, 05 Jul 2023 12:52:13 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867971#M1102327 Singh007 2023-07-05T12:52:13Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867977#M1102328 <P>you control this FPR with FMC ?</P> Wed, 05 Jul 2023 12:55:41 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867977#M1102328 MHM Cisco World 2023-07-05T12:55:41Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867978#M1102329 <P>i also tried doing packet-tracer for 8.8.8.8 but hitting implicit deny:</P><P>packet-tracer input outside udp 103.48.47.20 56789 8.8.8.8 53 detailed</P><P>Phase: 1<BR />Type: INPUT-ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found next-hop 103.48.47.1 using egress ifc outside</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7fd6b645cb90, priority=501, domain=permit, deny=true<BR />hits=8, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=103.48.47.20, mask=255.255.255.255, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055c94e727680 flow (NA)/NA</P> Wed, 05 Jul 2023 12:56:29 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867978#M1102329 Singh007 2023-07-05T12:56:29Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867984#M1102331 <P>DNS UDP port 53 is closed according to above packet tracer,&nbsp;<BR />there is any ACL apply to INside interface ?</P> Wed, 05 Jul 2023 13:03:31 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4867984#M1102331 MHM Cisco World 2023-07-05T13:03:31Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4868750#M1102359 <P>this is a new implementation, the two other firewalls fpr 1010 is working fine with same DNS config. But this is not working.</P><P>This will be managed by ASDM , but currently its working only via CLI</P> Thu, 06 Jul 2023 08:52:14 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4868750#M1102359 Singh007 2023-07-06T08:52:14Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4868756#M1102360 <P>Share full config if you use cli</P> <P>Thanks&nbsp;</P> <P>MHM</P> Thu, 06 Jul 2023 09:02:21 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4868756#M1102360 MHM Cisco World 2023-07-06T09:02:21Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4869844#M1102397 <P>You should specify the inside interface in the packet tracer not the outside one. Also, could you please try to remove the domain name from the DNS group and try again?</P> Fri, 07 Jul 2023 15:59:58 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4869844#M1102397 Aref Alsouqi 2023-07-07T15:59:58Z https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4869867#M1102402 <P>totally correct He must use INside not OUTside</P> Fri, 07 Jul 2023 16:48:35 GMT https://community.cisco.com/t5/network-security/firepower-1140-dns-hostname-resolution-issue/m-p/4869867#M1102402 MHM Cisco World 2023-07-07T16:48:35Z