topic That looks to be DDNS updates in Network Security

Rule needed for DNS in Firewall

mweiner5641 — Tue, 12 Mar 2019 06:27:40 GMT

Hello all. I have a few VM's that aren't getting internet access and some of them are. Is there a rule that is needed in the firewall that allows internet connection for VM's?

What type of device (ISR, ASA

Anthony Brandelli — Wed, 19 Aug 2015 18:06:50 GMT

What type of device (ISR, ASA, etc) is this? Have you done a packet capture to see if DNS replies aren't coming in response to the queries? What makes you think the firewall is the issue, or DNS for that matter?

I am not sure. I have done

mweiner5641 — Wed, 19 Aug 2015 18:08:57 GMT

I am not sure. I have done this configuration for DNS and IP address many times and I never had issues. I have some VM's working with internet and some aren't. I have done some work in the firewall but I can't say why half of internet and half don't.

We are using an ASA.

I haven't done any packet capturing

Let's start with some basic

Anthony Brandelli — Wed, 19 Aug 2015 18:51:49 GMT

Let's start with some basic troubleshooting, if you know you block ICMP somewhere then this may not be accurate, but I would say this is rare in a proper network.

Can the VM ping it's own IP?
Can it ping it's gateway?
Can it ping the DNS servers?
Can it ping an internet destination, such as 8.8.8.8?
Can it ping google.com?

VM can Ping itselfVM can ping

mweiner5641 — Wed, 19 Aug 2015 18:55:45 GMT

VM can Ping itself

VM can ping gateway

VM cannot ping 8.8.8.8 / 8.8.4.4 and any other DNS servers

VM cannot ping google.com

Thank for following up Anthony.

Sounds like more problems

Anthony Brandelli — Wed, 19 Aug 2015 18:58:47 GMT

Sounds like more problems than just DNS not working.

Are all of these machines in the same subnet using the same gateway?

Correct. VM's are using 10

mweiner5641 — Wed, 19 Aug 2015 19:00:18 GMT

Correct. VM's are using 10.100.0.* internal on 255.255.255.0 subnet.

Check that you have a default

Anthony Brandelli — Wed, 19 Aug 2015 19:17:16 GMT

Check that you have a default route on the VMs to the gateway, "route print" on windows, "route -n" on linux. Probably unlikely but also make sure that VM firewalls aren't causing issues.

After looking at the above it's more than likely time to look at your ASA. Check your NAT config, check that there aren't ACLs outbound or inbound blocking traffic based on host.

I'm pretty light on ASA experience myself, but I'm sure there is config that defines what IPs are NATd, and I know there will be the ability to have ACLs in various places.

Ok well that gives me some

mweiner5641 — Wed, 19 Aug 2015 19:19:29 GMT

Ok well that gives me some work to do.

Thank you!!

Anthony, would this happen to

mweiner5641 — Thu, 20 Aug 2015 13:55:40 GMT

Anthony, would this happen to be because the DNS LOOKUP is disabled on my interface?

No I don't think so. To me it

Anthony Brandelli — Thu, 20 Aug 2015 14:39:32 GMT

No I don't think so. To me it looks like internet destinations in general are unreachable.

Try doing a trace route from one of the VMs and see where it fails, I would suspect at the default gateway, again this generally relies on ICMP (or UDP for Linux).

3Aug 20 201512:10:55331001

mweiner5641 — Thu, 20 Aug 2015 16:11:52 GMT

Aug 20 2015

12:10:55

331001

Dynamic DNS Update for 'WIN-RLDT21C5G8V.' <=> 10.100.0.151 failed

Where is that rule in the firewall? Or how do I add it?

That looks to be DDNS updates

Anthony Brandelli — Thu, 20 Aug 2015 17:50:34 GMT

That looks to be DDNS updates for internal clients, I'm guessing the ASA is also your DHCP server?

Clients generally try and update their DNS entry if configured to do so, this is so you know xyx.hostname resolves to it's current IP address received from DHCP. While this is somewhat important, it's unlikely to be related to your current issue as mentioned in this thread.

To fix this issue you would have to do some debugging to find out why the dynamic update is failing on the ASA.