DNS internal ASA5500

MaDe
Level 1

Good day all,

Short question...
I set up a new ASA for our branch office, and everything is working fine. But I have a little problem with the ASA.
I am trying to configure it so that my ASA in the branch office can resolve internal hosts to IPs. The problem is that our internal DNS servers are located in a different location, and DNS works over a VPN. This works for the branch office clients but not for the ASA.

Does anyone have an idea, or is it by design?

Thanks, Markus


5 Replies

Jennifer Halim
Cisco Employee (accepted solution)

The reason why it's not working is most probably that the ASA routes the DNS packet via its outside interface, hence the source IP is the ASA outside interface address, while your VPN crypto ACL does not include the ASA outside interface, hence it fails to go via the VPN.

To fix the issue, you can include the branch office ASA outside interface in the crypto ACL as the source IP towards the remote LAN, and add the mirror-image entry to the remote crypto ACL as well.

You would also need to configure NAT exemption on the remote side: a NAT exemption between the remote LAN and the branch office ASA outside interface.

Hope that helps.

Hi Jennifer,

thanks for your response. So, for beginners... I have to create the crypto ACLs following this scheme:

branch_asa crypto acl
src: 192.168.0.0 --- dst: 192.168.1.0
src: 1.1.1.1

remote_asa crypto acl
src: 192.168.1.0 --- dst: 192.168.0.0
src: 2.2.2.2

Thanks,

Markus

Jennifer Halim
Cisco Employee (accepted solution)

Example:

If your branch ASA outside interface is 1.1.1.1 and the remote LAN is 192.168.1.0/24, then:

branch ASA:

crypto ACL: permit ip host 1.1.1.1 192.168.1.0 255.255.255.0

remote ASA:

crypto ACL: permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1

The above is in addition to the crypto ACL that you already have in place.

And on the remote ASA:

your NAT exemption will be the same as your crypto ACL.
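The two accepted answers above give the crypto ACL entries and the NAT exemption in outline. What follows is an added, complete configuration fragment for both ends written for this page; it is not from the original posts or from Cisco documentation. Assumed values: branch ASA outside 1.1.1.1 and LAN 192.168.0.0/24 (as in the thread), remote ASA outside 2.2.2.2 (from Markus's draft), a remote DNS server 192.168.1.10, the domain example.local, the ACL/object names L2L_CRYPTO, NONAT, REMOTE_LAN and BRANCH_ASA_OUTSIDE, and ASA software 8.4(2) or later for the object-based NAT syntax (the pre-8.3 form is shown commented out). The existing crypto map, peer and transform-set configuration is assumed to be in place already and is not repeated.

```cisco
! ===== Branch ASA (outside 1.1.1.1, inside 192.168.0.0/24) =====
! The ASA may only send DNS queries out of interfaces that have
! domain-lookup enabled. The route to 192.168.1.0/24 points out the
! outside interface (via the tunnel), so enable it there; the query is
! then sourced from 1.1.1.1, which is why the crypto ACL must cover it.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.10
 domain-name example.local

! Existing LAN-to-LAN entry, plus the new entry for ASA-originated
! traffic. Narrowing the destination to the DNS server host instead of
! the whole /24 is tighter and only requires the remote side to mirror it.
access-list L2L_CRYPTO extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip host 1.1.1.1 192.168.1.0 255.255.255.0

! ===== Remote ASA (outside 2.2.2.2, inside 192.168.1.0/24) =====
! Mirror image of the branch crypto ACL.
access-list L2L_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1

! NAT exemption (identity NAT) for the same pair. Without it the DNS
! reply from 192.168.1.10 to 1.1.1.1 would be PATed to 2.2.2.2 by the
! normal inside-to-outside rule, no longer match the crypto ACL, and
! leave the box in clear text.
object network REMOTE_LAN
 subnet 192.168.1.0 255.255.255.0
object network BRANCH_ASA_OUTSIDE
 host 1.1.1.1
nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static BRANCH_ASA_OUTSIDE BRANCH_ASA_OUTSIDE no-proxy-arp route-lookup

! Pre-8.3 equivalent of the exemption above (assumed names):
! access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
! nat (inside) 0 access-list NONAT

! ===== Verification, run on the branch ASA =====
! A name lookup from the ASA itself should negotiate a second IPsec SA
! whose local identity is 1.1.1.1/255.255.255.255 towards 192.168.1.0/24.
! ping fileserver.example.local
! show crypto ipsec sa peer 2.2.2.2
```

Two practical notes. First, `dns domain-lookup` is per interface and is the step most often missed: if it is only enabled on inside, the ASA never sends the query at all, regardless of the crypto ACL. Second, the added `permit ip host 1.1.1.1 ...` entry lets any traffic the ASA originates from its outside address reach the remote LAN through the tunnel, not just DNS; if that is more than you want, replace `192.168.1.0 255.255.255.0` with `host 192.168.1.10` on both ends and in the NAT exemption.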

Hi,

perfect. That is working.

Thanks, Markus

Excellent, thanks for the update.
