topic Within my DHCP Scope I in Network Security

ASA 5505 DNS

mattmartin0607 — Fri, 21 Feb 2020 13:45:32 GMT

Good Morning,

I am having an issue getting a Cisco ASA 5505 out to the internet via domain. I recently changed over to another ISP and went in and changed the DNS, Gateway IP, and Outside Interface info thinking it would be simple like normal.

I left all of my NAT, ACLs, and Inside Interface info the same. DHCP is also handed out in this small office from the 5505.

I have ACL enabled to allow Domain out and can packet trace both TCP and UDP over domain to 8.8.8.8. However I cannot ping google.com. Internet Explorer and Chrome are both not resolving DNS names. Chrome gives me DNS DOMAIN LOOKUP ERROR NXDOMAIN and IE is just normal cannot connect. I also cannot ping google.com from the ASA. PCAPS analysis looks like everything on the ASA is functioning properly and going out to the internet.

I can ping any outside address by IP, but not by name. Here is the weird part. When I manually change a workstation to use DNS 8.8.8.8 we get out with no problem. If I add 8.8.8.8 into the firewall as my DNS I get the same errors above. I have flushed DNS, Cleared the containers, and disabled all AV protection software.

From my stance and other googleing that I have done all routing, nating, and ACLS should be setup completely. Reminder that this worked perfectly fine on our old internet connection.

Any help, idea, or content can be gotten if anyone has any help it would truly be appreciated.

In your DHCP scope what name

Marvin Rhoads — Wed, 09 Mar 2016 21:25:42 GMT

In your DHCP scope what name server are you assigning the clients?

Hint - You cannot use the ASA as a DNS server, it can only act as a client.

Within my DHCP Scope I

mattmartin0607 — Thu, 10 Mar 2016 12:48:04 GMT

Within my DHCP Scope I currently have the 2 DNS Servers that my new ISP game me.

I can post a copy of the config if interested?

Thanks, Matt

That sounds curious.

Marvin Rhoads — Fri, 11 Mar 2016 00:36:27 GMT

That sounds curious.

Please post a copy of the config (as an attachment) and I'll have a look at it.

The file is attached.

mattmartin0607 — Fri, 11 Mar 2016 13:19:33 GMT

The file is attached.

That does look quite

Marvin Rhoads — Fri, 11 Mar 2016 23:11:43 GMT

That does look quite straightforward and correct as far as I can tell.

Just to test, I tried those DNS entries myself. I was also unable to resolve any addresses using either one. The hosts do appear to be listening on udp/53.

So I did a packet capture. When all else fails look at the raw data. Interestingly I see replies coming back from those servers with the "reply code: refused". Open the image below in a new window to see the detail.

This almost always indicates misconfiguration of the DNS servers - i.e a problem on your ISP's end. I'd just use Google public DNS until they can get their act together. :).