ASA DNS Modification is not working on 8.4(3)

rd9978
Level 1

Hi,

I have a server (172.16.10.1) inside the LAN, and the IP of the server has been mapped to the public IP 41.219.130.10.

Topology

                                                     Server (172.16.10.1)
                                                              |
DNS Server (8.8.8.8) ----- Outside  ASA  Inside ------------- |
                                                              |
                                                     User (192.168.1.x)

Users are using the public DNS server to resolve the domain. In this case, users resolve the server's domain to the public IP address 41.219.130.10 instead of 172.16.10.1, which makes the server unreachable for the users by default.

So I enabled the DNS modification feature on the ASA. The DNS keyword has been added to the static NAT clause. The ASA is supposed to modify the DNS record to change the public IP to the private IP address. But it is not working.

Please help me to check whether my commands are right or complete. Thank you very much.

access-list inside_acl extended permit udp any host 8.8.8.8 eq 53
access-list outside_acl extended permit tcp any host 41.219.130.10
access-group inside_acl in interface inside
access-group inside_acl in interface outside
object network CARE-SERVER
 host 172.16.10.1
nat (inside,outside) static 41.219.130.10 dns
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http allow-url-policy
  inspect dns
service-policy global_policy global
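What the dns keyword on the static NAT is meant to do, shown as an added Python illustration that is not part of this thread or of Cisco's code: parse a DNS reply from the public resolver and rewrite any A record carrying the mapped address 41.219.130.10 to the real address 172.16.10.1, leaving name, TTL and message length untouched. The hostname care.example.com and the reply bytes are constructed for the example.

```python
import socket
import struct

DNS_DOCTOR_MAP = {"41.219.130.10": "172.16.10.1"}  # mapped (public) -> real (inside), from the thread


def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def skip_name(msg, pos):
    """Return the offset just past the name at pos (plain labels or a compression pointer)."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer terminates the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def build_response(qname, answer_ip, ttl=300, txid=0x1234):
    """Constructed sample reply from the public resolver: one question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def iter_answers(msg):
    """Yield (rdata_offset, rtype, rdlen) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        yield pos, rtype, rdlen
        pos += rdlen


def a_records(msg):
    return [socket.inet_ntoa(msg[off:off + 4])
            for off, rtype, rdlen in iter_answers(msg) if rtype == 1 and rdlen == 4]


def doctor_response(msg, nat_map):
    """Rewrite A-record rdata in place, as 'nat ... dns' does; only the 4 rdata bytes change."""
    out = bytearray(msg)
    for off, rtype, rdlen in iter_answers(msg):
        ip = socket.inet_ntoa(msg[off:off + 4]) if rtype == 1 and rdlen == 4 else None
        if ip in nat_map:
            out[off:off + 4] = socket.inet_aton(nat_map[ip])
    return bytes(out)
```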

9 Replies

Jennifer Halim
Cisco Employee

The access-list should be pointing towards the real address instead of the mapped address as follows:

access-list outside_acl extended permit tcp any host 172.16.10.1

Thanks. Jennifer.

access-list outside_acl extended permit tcp any host 172.16.10.1

Yes. I have added this clause. But it is still not working. It seems like the ASA does not inspect DNS.

PNNDC-ASA5520# show service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns _default_dns_map, packet 0, drop 0, reset-drop 0
        dns-guard, count 0
        protocol-enforcement, drop 0
        nat-rewrite, count 0

I don't know why there is no DNS packet inspected. But DNS inspection has been enabled globally.

Have you also flushed the DNS entries within your PC cache?

Yes. I have tried on 3 PCs and routers also.

But the ASA didn't inspect any DNS packet.

And does it definitely use the public DNS server? And is the DNS request actually going through the ASA, not another gateway?

Did you try NSLOOKUP, or did you try to browse to the URL?

I was trying to use the public DNS server on the test PCs and routers, and all the Internet traffic including DNS only passes through the ASA.

I have used nslookup and browsed the URL on the PCs.

Also I have used internal routers to test: clear host * and ping the domain. It still resolves to the public IP address.

I tried IOS 8.0 before and there was no issue with this feature. After I upgraded IOS to 8.4(3), this feature did not work and DNS inspection also did not work.

Can you please share your whole configuration.

rd9978
Level 1

I have upgraded the ASA platform and use IOS 8.4(4)1. There is no problem now.

Thanks.

Thanks for the update. It might be a bug with the previous version that you ran.
