topic Re: Hello; in Network Security

Firewall Blocking Dns Resolution

tonyk0001 — Tue, 12 Mar 2019 09:50:12 GMT

Hi Team,

I just configured an ASA 5516 at one of our client's office, It is below the edge router (not directly connected to the internet). I created three zones (LAN, OUTSIDE AND SERVERS). The OUTSIDE interface is connected to the edge router and the LAN interface goes to the user, The SERVER interface is connected the servers.

There are VPNs connected to the Router going to Branches, After configurations, All was well and I could reach every bit of the network but when I try to remote desktop the servers using their domain names, they fail but remote desktop with IPs accepts.

That happened when I put the dns 8.8.8.8 for internet resolutions among the dns IPs in the dhcp parameters but all works well when I remove it and when I remove it, the clients cant get to the internet.

Please advise on how to resolve this.

Hello;

Maykol Rojas — Thu, 17 Aug 2017 19:30:39 GMT

Hello;

I think the issue relies on the fact that the DNS server on 8.8.8.8 replies with the Public IP. If you are doing the RDP from the inside, it is going to fail no matter if the RDP server is on the Server interface or in the inside.

You can easily solve this doing the following:

nat (Server, LAN) source static <Object_Private> <Object_Public>

Let me know if you have any questions.

Mike.

Re: Hello;

tonyk0001 — Tue, 22 Aug 2017 14:57:06 GMT

Hi Mike,

I dnt want to do NAT like that I actually did No Nat. Without the Firewall.. The users are getting the internet dns from the ISP since they have a PPPOE connection to the ISP but when I introduce the Firewall... They able to ping the internet but cant browse.... How do I resolve that because I dont want to include the isp dns 8.8.8.8 or 4.2.2.2 in the dchp options... Kindly advise

Re: Hello;

Marvin Rhoads — Tue, 22 Aug 2017 16:27:01 GMT

If you want to resolve internal DNS names you need to give the clients an internal DNS server among their DHCP options.

Re: Hello;

tonyk0001 — Tue, 22 Aug 2017 16:34:07 GMT

Hi Marvin,

Thanks for that but that is what I did but unfortunately when I do that, The clients cant browse but dns resolution works.

The issue arises when I introduce another dns 8.8.8.8 or 4.2.2.2 for the internet browsing (without removing the Internal DNS ofcos).

Before the ASA the clients would browse the internet without introducing the 8.8.8.8 or 4.2.2.2 in the dhcp because they would get the Internet IP parameters through dhcp (pppoe) but now they are unable.

Regards

Tony

Re: Hello;

Marvin Rhoads — Wed, 23 Aug 2017 02:32:24 GMT

Is the internal DNS server that you attempted to add setup correctly with a forwarder setting to resolve non-local FQDNs?

Re: Hello;

tonyk0001 — Wed, 23 Aug 2017 06:53:22 GMT

Hi Marvin,

No it is only for local FQDNs, the non local FQDNs are to be handled by the ISP dns, which they negotiaote since they use PPPOE on the router to get to the internet.

Regards

Tony