ASA 5505 DNS

mattmartin0607
Level 1

Good Morning,

I am having an issue getting a Cisco ASA 5505 out to the internet via domain. I recently changed over to another ISP and went in and changed the DNS, Gateway IP, and Outside Interface info thinking it would be simple like normal.

I left all of my NAT, ACLs, and Inside Interface info the same. DHCP is also handed out in this small office from the 5505.

I have an ACL enabled to allow Domain out and can packet trace both TCP and UDP over domain to 8.8.8.8. However I cannot ping google.com. Internet Explorer and Chrome are both not resolving DNS names. Chrome gives me DNS DOMAIN LOOKUP ERROR NXDOMAIN and IE is just the normal cannot connect. I also cannot ping google.com from the ASA. PCAP analysis looks like everything on the ASA is functioning properly and going out to the internet.

I can ping any outside address by IP, but not by name. Here is the weird part. When I manually change a workstation to use DNS 8.8.8.8 we get out with no problem. If I add 8.8.8.8 into the firewall as my DNS I get the same errors above. I have flushed DNS, Cleared the containers, and disabled all AV protection software. 

From my stance and other googling that I have done, all routing, NATing, and ACLs should be set up completely. Reminder that this worked perfectly fine on our old internet connection.

Any help, ideas, or content would truly be appreciated.

5 Replies

Marvin Rhoads
Hall of Fame

In your DHCP scope what name server are you assigning the clients?

Hint - You cannot use the ASA as a DNS server, it can only act as a client.
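The two separate settings Marvin is pointing at, as an added configuration example that is not from the original thread or the poster's attached config. The ISP resolver address (203.0.113.53) and the inside address range are placeholders; the command names are standard ASA CLI:

```text
! Settings the ASA uses for its OWN lookups (e.g. "ping google.com" from the ASA).
! Without "dns domain-lookup" on the interface facing the resolvers, the ASA
! never sends a query at all.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
 name-server 8.8.8.8
!
! Name servers handed to inside hosts by the ASA's DHCP server.
! These are what the PCs actually query; the ASA neither answers nor
! proxies DNS for them, so listing the ASA's own inside IP here breaks resolution.
dhcpd dns 203.0.113.53 8.8.8.8
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
```

Changing `dhcpd dns` only affects leases handed out afterwards, so a client that still holds the old lease keeps the old resolver until it renews (ipconfig /renew on Windows).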

Within my DHCP Scope I currently have the 2 DNS Servers that my new ISP gave me.

I can post a copy of the config if interested?

Thanks, Matt

That sounds curious.

Please post a copy of the config (as an attachment) and I'll have a look at it.

The file is attached.

That does look quite straightforward and correct as far as I can tell.

Just to test, I tried those DNS entries myself. I was also unable to resolve any addresses using either one. The hosts do appear to be listening on udp/53.

So I did a packet capture. When all else fails look at the raw data. Interestingly I see replies coming back from those servers with the "reply code: refused". Open the image below in a new window to see the detail.

This almost always indicates misconfiguration of the DNS servers - i.e. a problem on your ISP's end. I'd just use Google public DNS until they can get their act together. :).
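The check Marvin did with a packet capture, reproduced as a small added Python script (my example, not code from the thread). It builds a raw DNS A query, sends it over UDP/53, and decodes the RCODE from the reply header, so a REFUSED (5) answer is distinguished from NXDOMAIN (3), SERVFAIL (2) or a plain timeout. The `SAMPLE_REFUSED_REPLY` bytes are constructed by hand to mirror the "reply code: refused" capture; the resolver address in `main` is an assumption.

```python
import os
import socket
import struct

# RFC 1035 response codes
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, txid):
    """Return a minimal DNS A/IN query with RD set (what a stub resolver sends)."""
    flags = 0x0100                      # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_response(data, txid):
    """Decode the 12-byte header of a DNS reply and return the fields a diagnosis needs."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    return {
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, "RCODE%d" % rcode),
        "recursion_available": bool(flags & 0x0080),
        "answers": ancount,
    }


def diagnose(result):
    """Turn the decoded header into the conclusion a practitioner would draw."""
    if result["rcode"] == 5:
        return "REFUSED: the server will not serve this client (ACL/view or misconfiguration on the server side)"
    if result["rcode"] == 3:
        return "NXDOMAIN: server answered, but says the name does not exist"
    if result["rcode"] == 2:
        return "SERVFAIL: server tried and failed (upstream/recursion problem)"
    if result["rcode"] == 0 and result["answers"] == 0:
        return "NOERROR with no answers: name exists but has no A record"
    if result["rcode"] == 0:
        return "NOERROR: resolver is working (%d answer(s))" % result["answers"]
    return "unexpected " + result["rcode_name"]


def check_resolver(server, name, timeout=3.0):
    """Send one query to server:53 and return (result, diagnosis); None result on timeout."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return None, "no reply within %.1fs: blocked by ACL/NAT, or server not listening" % timeout
    finally:
        sock.close()
    result = parse_response(data, txid)
    return result, diagnose(result)


# Constructed sample: what a REFUSED reply to the query above looks like on the wire.
# flags 0x8185 = QR=1, RD=1, RA=1, RCODE=5; qdcount=1, no answer/authority/additional records.
SAMPLE_REFUSED_REPLY = (
    b"\x12\x34\x81\x85\x00\x01\x00\x00\x00\x00\x00\x00"
    + b"\x06google\x03com\x00" + b"\x00\x01\x00\x01"
)

if __name__ == "__main__":
    print(diagnose(parse_response(SAMPLE_REFUSED_REPLY, 0x1234)))
    # Live check against an assumed resolver address (replace with the ISP's servers).
    print(check_resolver("8.8.8.8", "google.com"))
```

Run it from an inside workstation against each ISP resolver and then against 8.8.8.8; a REFUSED from the former and NOERROR from the latter is the same evidence the capture gave, without needing a packet capture on the ASA.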
