topic ASA5505 DNS issues in Network Security

ASA5505 DNS issues

chriswarren972 — Tue, 12 Mar 2019 01:48:07 GMT

Hi Team,

I'm kind of stuck here and I'm not sure what I'm supposed to do now. My company wants to switch from copper to fiber internet access. Not a problem, I went through my ASDM and changed all the IP addresses from the old access to the new ones starting in Device Setup | Interfaces | Outside and put the IP address in there, then I went to Routing | Static Routes | Gateway IP and changed that. Everything went haywire. I was told I was getting internet access but was getting DNS errors and I'm not sure why. I double checked and the ISP DNS Servers didn't change. I changed out the Gateway, and my useable IP's just like I did when my company made the first switch the week I got here in March. can anyone help me figure this out?

ASA5505 DNS issues

Jouni Forss — Thu, 23 May 2013 14:26:26 GMT

Hi,

Do you mean the ASA is giving you some errors regarding DNS? Can you share the error messages with us?

If you want us to check the ASA configuraiton I would prefer to see them in the CLI format as I dont use ASDM. Then again it would be a pain to even try to copy/paste here all the different ASDM configuration pages

- Jouni

ASA5505 DNS issues

chriswarren972 — Thu, 23 May 2013 14:55:19 GMT

How would I give you the CLI version as I only use the ASDM?

ASA5505 DNS issues

Eddy Duran — Thu, 23 May 2013 15:13:57 GMT

Chris,

On ASDM, you can follow this path: Tools > Command Line Interface.

It should bring up this window:

Type show run under command and click send. The output of this command is the running configuration. You can copy the output and paste it here.

If possible, please take the show service-policy output as well.

Re: ASA5505 DNS issues

chriswarren972 — Thu, 23 May 2013 16:20:02 GMT

Eddy,

Here's what it says for the show run command:

Result of the command: "show run"

: Saved

ASA Version 8.2(1)

hostname FiveStarASA

enable password LcVWj.mnNFwiBnaT encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.252.0

interface Vlan2

nameif outside

security-level 0

ip address 50.84.214.74 255.255.255.248

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

same-security-traffic permit intra-interface

access-list acl_outside extended permit icmp any any

access-list acl_outside extended permit tcp any host 50.84.214.74 eq 3389

access-list acl_outside extended permit tcp any host 50.84.214.74 eq ftp

access-list acl_outside extended permit ip any host 50.84.214.75

access-list acl_outside extended permit ip any host 50.84.214.76

access-list acl_outside extended permit tcp any host 50.84.214.74 eq ftp-data

access-list acl_outside extended permit tcp any host 50.84.214.76 eq ftp-data

access-list nonat extended permit ip 192.168.0.0 255.255.252.0 10.75.75.0 255.255.255.0

access-list splittunnel standard permit 192.168.0.0 255.255.252.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 10.75.75.1-10.75.75.254

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.11 3389 netmask 255.255.255.255

static (inside,outside) 64.244.22.146 192.168.1.201 netmask 255.255.255.255 dns

static (inside,outside) 64.244.22.147 192.168.1.202 netmask 255.255.255.255 dns

static (inside,outside) 50.84.214.75 192.168.1.203 netmask 255.255.255.255 dns

static (inside,outside) 64.244.22.149 192.168.1.204 netmask 255.255.255.255 dns

static (inside,outside) 50.84.214.76 192.168.1.205 netmask 255.255.255.255 dns

static (inside,outside) 64.244.22.151 192.168.1.206 netmask 255.255.255.255 dns

static (inside,outside) 64.244.22.152 192.168.1.207 netmask 255.255.255.255 dns

static (inside,outside) 64.244.22.153 192.168.1.208 netmask 255.255.255.255 dns

static (inside,outside) 64.244.22.154 192.168.1.209 netmask 255.255.255.255 dns

static (inside,outside) 64.244.22.155 192.168.1.210 netmask 255.255.255.255 dns

access-group acl_outside in interface outside

route outside 0.0.0.0 0.0.0.0 50.84.214.73 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

url-server (inside) vendor smartfilter host 69.26.160.9 port 4005 timeout 30 protocol TCP connections 5

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

filter url http 192.168.0.0 255.255.252.0 64.244.22.144 255.255.255.240 proxy-block

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set strongest esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dynmap 10 set transform-set strongest

crypto map activemap 65535 ipsec-isakmp dynamic dynmap

crypto map activemap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside

ssh 63.149.142.32 255.255.255.224 outside

ssh 70.42.3.0 255.255.255.0 outside

ssh timeout 60

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

url-block url-mempool 2

url-block url-size 2

url-block block 10

webvpn

group-policy ClientGroup internal

group-policy ClientGroup attributes

dns-server value 4.2.2.1 4.2.2.2

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

username admin password rwgfG5L5VZ6zHtCh encrypted

username synchadmin password .GsHHIUoDv8rcdPN encrypted

tunnel-group RemoteAdmin type remote-access

tunnel-group RemoteAdmin general-attributes

address-pool vpnpool

default-group-policy ClientGroup

tunnel-group RemoteAdmin ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

tunnel-group Remote type remote-access

tunnel-group Remote general-attributes

address-pool vpnpool

default-group-policy ClientGroup

tunnel-group Remote ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect http

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect pptp

service-policy global_policy global

prompt hostname context

Cryptochecksum:7827720577eab30f70efc6e68bf1f419

: end

Here's the Output as well: