DNS does not resolve inside DMZ

regibbons — Mon, 11 Mar 2019 23:07:19 GMT

I have a 5505 that currently has inside/outside interfaces and everything is working just fine. I am trying to create a DMZ that will essentially be just for vendors/guests. the DMZ will have full access to the outside (Internet) but no access to the inside. I am using the FW for DHCP, and 8.8.8.8 and 4.2.2.2 for DNS. I currently have 1 laptop in the DMZ vlan, and it is getting a correct IP, and it is showing 8.8.8.8 and 4.2.2.2 in ipconfig. I can ping/tracert 8.8.8.8/4.2.2.2/74.125.137.147(what www.google.com resolved to on a laptop connected to the inside vlan), but I cannot ping nor browse to www.google.com. I am pasting the sanitized config below, any help would be appreciated. If I left any pertinent information out, let me know and I will provide.

Thanks,

: Saved

ASA Version 8.4(3)

terminal width 128

hostname 5505_PoC

interface Ethernet0/0

switchport access vlan 200

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 150

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

allow-ssc-mgmt

ip address 10.2.20.4 255.255.255.0

interface Vlan150

nameif DMZ

security-level 50

ip address 10.2.150.1 255.255.255.0

interface Vlan200

nameif outside

security-level 0

ip address 10.2.220.4 255.255.255.0

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup outside

dns server-group DefaultDNS

domain-name hmcorp.local

same-security-traffic permit intra-interface

object network INSIDE-NET10

subnet 10.2.20.0 255.255.255.0

object network DMZ-NET150

subnet 10.2.150.0 255.255.255.0

access-list IPS extended permit ip any any

access-list OUTSIDE_IN extended permit icmp any any

pager lines 24

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

object network INSIDE-NET10

nat (inside,outside) dynamic interface

object network DMZ-NET150

nat (DMZ,outside) dynamic 10.2.220.150

access-group OUTSIDE_IN in interface outside

access-group OUTSIDE_IN in interface DMZ

route outside 0.0.0.0 0.0.0.0 10.2.220.1 1

route inside 10.0.0.0 255.0.0.0 10.2.20.1 1

route inside 172.16.0.0 255.240.0.0 10.2.20.1 1

route inside 192.168.0.0 255.255.0.0 10.2.20.1 1

dhcpd address 10.2.150.10-10.2.150.100 DMZ

dhcpd dns 8.8.8.8 4.2.2.2 interface DMZ

dhcpd enable DMZ

: end :

5505_PoC# sh int | i protocol

Interface Ethernet0/0 "", is up, line protocol is up

Interface Ethernet0/1 "", is up, line protocol is up

Interface Ethernet0/2 "", is up, line protocol is up

Interface Ethernet0/3 "", is down, line protocol is down

Interface Ethernet0/4 "", is down, line protocol is down

Interface Ethernet0/5 "", is down, line protocol is down

Interface Ethernet0/6 "", is down, line protocol is down

Interface Ethernet0/7 "", is down, line protocol is down

Interface Vlan1 "inside", is up, line protocol is up

Interface Vlan150 "DMZ", is up, line protocol is up

Interface Vlan200 "outside", is up, line protocol is up

DNS does not resolve inside DMZ

regibbons — Tue, 15 May 2012 15:01:59 GMT

got it figured out. I had one too many access-group statements

topic DNS does not resolve inside DMZ in Network Security

DNS does not resolve inside DMZ

DNS does not resolve inside DMZ