https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249602#M765095 <HTML><HEAD></HEAD><BODY><P>One thing I noticed is your outgoing NAT-</P><P></P><P>nat (INSIDE) 2 192.168.1.100 255.255.255.255</P><P></P><P>This only allows 1 host to NAT, 192.168.1.100. Your DNS server should be added, so it can NAT.</P><P></P><P>nat (INSIDE) 2 192.168.1.222 255.255.255.255</P></BODY></HTML> Fri, 16 Oct 2009 20:16:22 GMT Collin Clark 2009-10-16T20:16:22Z https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249599#M765092 <P>Hi,</P><P></P><P>I have local DNS Server and needs to resolve internet address on behalf of local users.</P><P>what steps are needed on Firewall.</P><P></P><P>LAN users points to local DNS Server for name-resolving</P><P></P><P></P><P>On ASA I have static NAT for local DNS Server with Public IP and </P><P>on Inside ACL I allowed udp port 53, on Outside ACL also allowed udp port 53.</P><P></P><P>It doesnt seems to work, AM I missing some config still</P> Mon, 11 Mar 2019 16:27:02 GMT https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249599#M765092 Amin Shaikh 2019-03-11T16:27:02Z https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249600#M765093 <HTML><HEAD></HEAD><BODY><P>You don't need the static NAT (unless internet people contact this server for resolving your domain) and the outside ACL permitting UDP/53. Check your log when you do a DNS query and see if there is anything in there (post it if you like). Also x2 the ACL applied on the inside interface or post it if you have any doubts. Finally check the DNS inspection. The default is 512 which can be too small. Increase it to something like 1024. </P><P></P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 1024</P><P></P><P>Hope this helps.</P></BODY></HTML> Fri, 16 Oct 2009 19:42:09 GMT https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249600#M765093 Collin Clark 2009-10-16T19:42:09Z https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249601#M765094 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have attached the ASA config.</P><P>DNS ServerIP:192.168.1.222.</P><P>From ASA I am able to ping DNS SERVER</P><P>and vice-versa.</P><P></P><P>We dont want LANusers to access internet using this link, so we have ACL on INSIDE.</P><P></P><P>I do have SMTP traffic from inside to outside and vice-versa working OK.</P><P></P><P></P><P>What is the command to apply name-server on ASA, so i can test name-resolution on ASA.(only for troubleshooting)</P><P></P><P></P><P> </P><P></P></BODY></HTML> Fri, 16 Oct 2009 20:09:25 GMT https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249601#M765094 Amin Shaikh 2009-10-16T20:09:25Z https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249602#M765095 <HTML><HEAD></HEAD><BODY><P>One thing I noticed is your outgoing NAT-</P><P></P><P>nat (INSIDE) 2 192.168.1.100 255.255.255.255</P><P></P><P>This only allows 1 host to NAT, 192.168.1.100. Your DNS server should be added, so it can NAT.</P><P></P><P>nat (INSIDE) 2 192.168.1.222 255.255.255.255</P></BODY></HTML> Fri, 16 Oct 2009 20:16:22 GMT https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249602#M765095 Collin Clark 2009-10-16T20:16:22Z https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249603#M765096 <HTML><HEAD></HEAD><BODY><P>After addding it works. With NAT everthing is allowed from this host</P><P></P><P>How can I restrict this statement</P><P>nat (INSIDE) 2 192.168.1.222 255.255.255.255</P><P></P><P>for DNS query only and need to restrict with bandwidth for 256K.</P><P></P><P>Can this be done.</P><P></P><P></P></BODY></HTML> Sat, 17 Oct 2009 08:27:45 GMT https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249603#M765096 Amin Shaikh 2009-10-17T08:27:45Z https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249604#M765097 <HTML><HEAD></HEAD><BODY><P>I don't have a way to test, but I think this will work to restrict the NAT to just DNS.</P><P></P><P>access-list dns-nat extended permit udp host 192.168.1.222 any eq domain </P><P>nat (inside) 2 access-list dns-nat</P><P></P><P>Here's a link for configuring QoS on the ASA.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml</A></P></BODY></HTML> Mon, 19 Oct 2009 12:18:28 GMT https://community.cisco.com/t5/network-security/local-dns-cannot-resolve-internet-host/m-p/1249604#M765097 Collin Clark 2009-10-19T12:18:28Z