topic External DNS query issues in Network Security

External DNS query issues

sherwin79 — Mon, 11 Mar 2019 20:53:15 GMT

Hi all,

Apologies if I'm in the wrong area but this if my first post.

I'm currently having issues where external DNS is going through to our secondary DNS server in our Production environment but not being returned to the client. Below is how our network was configured by another staff member and all I'm trying to do is enable the DNS queries from an external source.

(ISP Modem)--------(Cisco ASA 5520)--------(Cisco 2921)--------------(DNS Server)

On the ASA I have enable the following rules.

access-list OUTSIDE_access_in extended permit tcp any x.x.x.x 255.255.255.240 eq https

access-list OUTSIDE_access_in extended permit tcp any x.x.x.x 255.255.255.240 eq smtp

access-list OUTSIDE_access_in extended permit gre host x.x.x.x x.x.x.x 255.255.255.240

access-list OUTSIDE_access_in extended permit udp any host x.x.x.x eq domain

access-list OUTSIDE_access_in extended permit tcp any host x.x.x.x eq domain

access-list INSIDE_access_in extended permit udp host x.x.x.x eq domain any

access-list INSIDE_access_in extended permit tcp host x.x.x.x eq domain any

access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq www

access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq smtp

access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq https

access-list INSIDE_access_in extended permit udp x.x.x.x 255.255.255.240 any eq domain

access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq domain

access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq pptp

access-list INSIDE_access_in extended permit gre x.x.x.x 255.255.255.240 any

And the router:

ip nat inside source static tcp 10.0.2.201 25 x.x.x.x 25 extendable
ip nat inside source static tcp 10.0.2.16 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.0.2.201 25 x.x.x.x 25 extendable
ip nat inside source static tcp 10.0.2.201 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.0.2.17 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.0.2.20 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.0.2.4 53 x.x.x.x 53 extendable
ip nat inside source static udp 10.0.2.4 53 x.x.x.x 53 extendable
ip nat inside source static tcp 10.0.2.100 443 x.x.x.168 443 extendable

So I've enable the rule on the ASA to permit dns from any sources to our published external ip address of the dns server. I've also configure a static nat on the router. Looking at the ASA monitoring tool I can see the ASA builds and then quickly tears down the connection. I can telnet all the way through to the server however when I attemp to perform a nslookup using the external ip address of the dns server it times out and fails.

Not sure where I'm going wrong but any help would be appreciated, thanks in advance.

Regards

Sherwin79

External DNS query issues

Anu M Chacko — Thu, 30 Jun 2011 08:27:43 GMT

Hi Sherwin,

Do you have inspect dns enabled on the ASA? Could you post the output of "sh service-policy" and "sh run policy-map here"? Also, please post the syslogs from the ASA.

Regards,

Anu

External DNS query issues

sherwin79 — Fri, 01 Jul 2011 01:58:19 GMT

Hi Anu,

Thanks for your reply.

We currently dont have syslogs setup at the moment. This environment is fairly new and hasn't really been implemented as well as one would hope. But here is the service policy and policy mappings.

Result of the command: "sh service-policy"

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 985870, drop 27855, reset-drop 0
      Inspect: ftp, packet 356, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: esmtp, packet 16421670, drop 0, reset-drop 197
      Inspect: sqlnet, packet 21, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 146, drop 0, reset-drop 0
      Inspect: netbios, packet 2729, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0


Result of the command: "sh run policy-map"

policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp

Thanks again

Regards

Sherwin

External DNS query issues

Anu M Chacko — Fri, 01 Jul 2011 07:41:01 GMT

Hi,

Could you disable inspect dns and test?

policy-map global_policy

class inspection_default

no inspect dns maximum-length 512

Let me know.

Regards,

Anu