https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601877#M590337 <HTML><HEAD></HEAD><BODY><P>Thanks Manish, this worked!</P><P></P><P>Cheers,<BR />Chirag</P></BODY></HTML> Sat, 05 Mar 2011 02:00:21 GMT csaxena 2011-03-05T02:00:21Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601868#M590324 <P>Hi all,</P><P></P><P>I would like to enable dns on my cisco asa firewall on asa versions 5.x/6.x So that i can do ping test to public hostname eg ping <A href="http://www.yahoo.com" target="_blank">www.yahoo.com</A></P><P>I have enabled dns lookup on inside interface and added a dns server which is connected to the inside network where the asa inside interface is connected. However when i do a "ping <A href="http://www.yahoo.com" target="_blank">www.yahoo.com</A>" from asdm i got "error %invalid input". Pls advise Thks in advance.</P> Mon, 11 Mar 2019 20:00:33 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601868#M590324 donnie 2019-03-11T20:00:33Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601869#M590325 <HTML><HEAD></HEAD><BODY><P>Hello Don ,</P><P></P><P>DNS configured on ASA can not be utilized for resolution of yahoo.com or any url on ASA CLI. If you wish ping <A href="https://community.cisco.com/www.yahoo.com" target="_blank">www.yahoo.com</A> from ASA, you can use the name command to map url to public IP.</P><P></P><P>I am sure that is not the requirement and you wish to do this as a connectivity test. I suggest to ping public DNS servers like 4.2.2.2 or 8.8.8.8.</P><P></P><P>Hope this helps. Please reply back if you need any further assistance.</P><P></P><P></P><P>Regards,<BR />Chirag<BR /><SPAN style="font-size: 8pt;">P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.</SPAN></P><P><SPAN style="font-size: 8pt;"><BR /></SPAN></P></BODY></HTML> Fri, 04 Mar 2011 01:59:39 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601869#M590325 csaxena 2011-03-04T01:59:39Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601870#M590326 <HTML><HEAD></HEAD><BODY><P>Here is a document that could help you understand DNS doctoring:</P><P></P><P><A href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml&nbsp;&nbsp;&nbsp;&nbsp; </A></P></BODY></HTML> Fri, 04 Mar 2011 02:06:01 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601870#M590326 PAUL GILBERT ARIAS 2011-03-04T02:06:01Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601871#M590327 <HTML><HEAD></HEAD><BODY><P>Hello Paul,</P><P></P><P>I guess Don i slooking for DNS resoultion on ASA CLI &amp; ASDM. He wishes to resolve url in pings from ASA CLI/ASDM.</P><P></P><P>Regards,<BR />Chirag</P></BODY></HTML> Fri, 04 Mar 2011 02:19:19 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601871#M590327 csaxena 2011-03-04T02:19:19Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601872#M590328 <HTML><HEAD></HEAD><BODY><P>Hi Don,</P><P></P><P>I do think that it is possible to configure the ASA to resolve FQDN to ip address , can't find any documentation but you can use following commands :-</P><P></P><P>The following example thinks that you are using 4.2.2.2 as DNS server :-</P><P></P><P>asa(config)#dns domain-lookup outside</P><P>asa(config)#dns name-server 4.2.2.2</P><P>you see a bunch of options like dns retries etc that you can use.</P><P></P><P>Manish</P></BODY></HTML> Fri, 04 Mar 2011 02:44:30 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601872#M590328 manish arora 2011-03-04T02:44:30Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601873#M590329 <HTML><HEAD></HEAD><BODY><P>Hello Manish,</P><P></P><P>Yes,&nbsp; even i think that is not possible. The example which you stated shall set 4.2.2.2 as the DNS server and all DNS resolution will be externally using this as the server.</P><P></P><P>Regards,</P><P>Chirag</P></BODY></HTML> Fri, 04 Mar 2011 04:18:02 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601873#M590329 csaxena 2011-03-04T04:18:02Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601874#M590330 <HTML><HEAD></HEAD><BODY><P>Hi Chirag,</P><P></P><P>The test i need to do is to resolve the ip address of the url link. Once in a while i need to allow my specific site users to have access to certain url and this url may have a different ip address depending on the geographical location that you resolve. Hence i would like to remote into the firewall, resolve from there and add the access rule accordingly. But since the firewall can't resolve names i need to remote into the one of the PCs/server sitting behind the firewall to do resolution to chk the public ip address for the specific url for that geographical location.</P><P></P><P>Hi Manish,</P><P></P><P>I already tried that before posting this question but it fail to work.</P><P>I did a dns domain-lookup inside and a dns name-server 192.168.22.1 which is my inside dns server but fail to work</P></BODY></HTML> Fri, 04 Mar 2011 05:48:07 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601874#M590330 donnie 2011-03-04T05:48:07Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601875#M590332 <HTML><HEAD></HEAD><BODY><P>Hello Don,</P><P></P><P>Oh, ok. In that case, this not possible on ASA. You can consider doing a nslookup from a PC in that location for that url and add rules for that particular IP.</P><P></P><P>Please mark the post answered for future use of others.</P><P></P><P> Regards,<BR />Chirag</P><P><SPAN style="font-size: 8pt;">P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.</SPAN></P><P><SPAN style="font-size: 8pt;"><BR /></SPAN></P></BODY></HTML> Fri, 04 Mar 2011 06:06:10 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601875#M590332 csaxena 2011-03-04T06:06:10Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601876#M590336 <HTML><HEAD></HEAD><BODY><P>Hi Don,</P><P>I did the same config and was able to resolve domain name , there might be rules configured on your inside interface that is stopping for dns server to reply back to the firewall. here's what I did &amp; I have inside interface access to any any :-</P><P></P><P>av-fw01(config)# dns domain-lookup inside</P><P></P><P>av-fw01(config)# dns name-server 10.9.106.11</P><P></P><P>av-fw01(config)# ping yahoo.com<BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 98.137.149.56, timeout is 2 seconds:<BR />!!!!!</P><P></P><P>av-fw01(config)# ping av-netdev01<BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 10.9.106.100, timeout is 2 seconds:<BR />!!!!!</P><P></P><P>you should try setting up captures &amp; try some packet-tracer commands and see why the replies are not reaching your firewall.</P><P></P><P>Manish</P></BODY></HTML> Fri, 04 Mar 2011 17:57:28 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601876#M590336 manish arora 2011-03-04T17:57:28Z https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601877#M590337 <HTML><HEAD></HEAD><BODY><P>Thanks Manish, this worked!</P><P></P><P>Cheers,<BR />Chirag</P></BODY></HTML> Sat, 05 Mar 2011 02:00:21 GMT https://community.cisco.com/t5/network-security/enable-dns-on-cisco-asa-firewall/m-p/1601877#M590337 csaxena 2011-03-05T02:00:21Z