https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154510#M357097 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>perfect. That is working. </P><P></P><P>Thanks Markus</P></BODY></HTML> Thu, 07 Feb 2013 10:48:56 GMT MaDe 2013-02-07T10:48:56Z https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154506#M357093 <P>Good day all,</P><P></P><P>short question....<BR />I setup a new ASA for our branch office everything is working fine. But I have a little problem with the ASA.<BR />I try to configure that my ASA in the branch office can resolve internal host to IP. Problem is that our internal DNS servers located in a different location and DNS is working over a VPN. This is working for the branch office client but not for the ASA.</P><P>Have somone an Idea or is it by design....?</P><P></P><P>Thanks Markus</P> Tue, 12 Mar 2019 00:56:26 GMT https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154506#M357093 MaDe 2019-03-12T00:56:26Z https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154507#M357094 <HTML><HEAD></HEAD><BODY><P>The reason why it's not working is most probably because the ASA route the dns packet via its outside interface, hence the source IP is the ASA outside interface, while your VPN crypto ACL does not include the ASA outside interface, hence it's failing via the VPN.</P><P></P><P>To fix the issue, you can include the branch office ASA outside interface into the crypto ACL as the source ip towards the remote LAN, and mirror image ACL on the remote crypto ACL as well.</P><P>You would also need to configure NAT exemption on the remote server to NAT exemption between the remote LAN towards the branch office ASA outside interface.</P><P></P><P>Hope that helps.</P></BODY></HTML> Wed, 06 Feb 2013 05:24:53 GMT https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154507#M357094 Jennifer Halim 2013-02-06T05:24:53Z https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154508#M357095 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,</P><P></P><P>thanks for your response. So for beginners.... I have to create the crypto like this scheme</P><P></P><P>branch_asa crypto acl <BR />src: 192.168.0.0 --- dst: 192.168.1.0</P><P>src: 1.1.1.1</P><P></P><P>remote_asa crypto acl </P><P>src: 192.168.1.0 --- dst: 192.168.0.0</P><P>src: 2.2.2.2</P><P></P><P>Thanks,</P><P>Markus</P></BODY></HTML> Wed, 06 Feb 2013 14:56:00 GMT https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154508#M357095 MaDe 2013-02-06T14:56:00Z https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154509#M357096 <HTML><HEAD></HEAD><BODY><P>Example:</P><P>if your branch ASA outside interface is 1.1.1.1, and the remote LAN is 192.168.1.0/24, then:</P><P></P><P>branch ASA:</P><P>crypto ACL: permit ip host 1.1.1.1 192.168.1.0 255.255.255.0</P><P></P><P>remote ASA:</P><P>crypto ACL: permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1</P><P></P><P>the above is in addition to crypto ACL that you already have in place.</P><P></P><P>And on the remote ASA:</P><P>your NAT exempt will be the same as your crypto ACL</P></BODY></HTML> Thu, 07 Feb 2013 01:58:02 GMT https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154509#M357096 Jennifer Halim 2013-02-07T01:58:02Z https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154510#M357097 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>perfect. That is working. </P><P></P><P>Thanks Markus</P></BODY></HTML> Thu, 07 Feb 2013 10:48:56 GMT https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154510#M357097 MaDe 2013-02-07T10:48:56Z https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154511#M357098 <HTML><HEAD></HEAD><BODY><P>Excellent, thanks for the update.</P></BODY></HTML> Thu, 07 Feb 2013 11:59:43 GMT https://community.cisco.com/t5/network-security/dns-internal-asa5500/m-p/2154511#M357098 Jennifer Halim 2013-02-07T11:59:43Z