03-08-2016 08:36 AM - edited 02-21-2020 05:45 AM
Good Morning,
I am having an issue getting a Cisco ASA 5505 out to the internet via domain. I recently changed over to another ISP and went in and changed the DNS, Gateway IP, and Outside Interface info thinking it would be simple like normal.
I left all of my NAT, ACLs, and Inside Interface info the same. DHCP is also handed out in this small office from the 5505.
I have an ACL enabled to allow domain out and can packet-trace both TCP and UDP over domain to 8.8.8.8. However, I cannot ping google.com. Internet Explorer and Chrome are both not resolving DNS names. Chrome gives me DNS DOMAIN LOOKUP ERROR NXDOMAIN and IE just gives the normal "cannot connect". I also cannot ping google.com from the ASA. PCAP analysis looks like everything on the ASA is functioning properly and going out to the internet.
I can ping any outside address by IP, but not by name. Here is the weird part. When I manually change a workstation to use DNS 8.8.8.8 we get out with no problem. If I add 8.8.8.8 into the firewall as my DNS I get the same errors above. I have flushed DNS, Cleared the containers, and disabled all AV protection software.
From my stance and other googling that I have done, all routing, NATing, and ACLs should be set up completely. Reminder that this worked perfectly fine on our old internet connection.
Any help, ideas, or content would truly be appreciated.
03-09-2016 01:25 PM
In your DHCP scope what name server are you assigning the clients?
Hint - You cannot use the ASA as a DNS server, it can only act as a client.
03-10-2016 04:48 AM
Within my DHCP scope I currently have the 2 DNS servers that my new ISP gave me.
I can post a copy of the config if you're interested.
Thanks, Matt
03-10-2016 04:36 PM
That sounds curious.
Please post a copy of the config (as an attachment) and I'll have a look at it.
03-11-2016 05:19 AM
03-11-2016 03:11 PM
That does look quite straightforward and correct as far as I can tell.
Just to test, I tried those DNS entries myself. I was also unable to resolve any addresses using either one. The hosts do appear to be listening on udp/53.
So I did a packet capture. When all else fails look at the raw data. Interestingly I see replies coming back from those servers with the "reply code: refused". Open the image below in a new window to see the detail.
This almost always indicates misconfiguration of the DNS servers, i.e. a problem on your ISP's end. I'd just use Google public DNS until they can get their act together. :)
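The step in the last reply (reading the reply code out of the raw DNS packets) is the one worth automating when an ISP resolver misbehaves. Below is an added example, not code from the thread or from Cisco: a small Python decoder for the 12-byte DNS header that distinguishes REFUSED (RCODE 5, the server will not serve you, typically an ACL or allow-recursion problem on the server) from NXDOMAIN (RCODE 3, the name does not exist as far as that server is concerned) and SERVFAIL (RCODE 2). The resolver addresses and the sample replies are constructed stand-ins for the ISP servers and the capture shown in the post; `probe()` is an optional live UDP check you can point at any resolver, and the demo itself runs offline.

```python
"""Decode the RCODE of DNS replies so a 'REFUSED' resolver is obvious at a glance.

Added example: not from the forum thread or from Cisco. Sample replies are
constructed here; nothing is read from the original capture.
"""
import socket
import struct

# RFC 1035 response codes (low 4 bits of the flags word).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a recursive (RD=1) query for `name`, as a stub resolver would."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad DNS label: %r" % label)
        qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"                                  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(data, expected_txid=None):
    """Return the header fields that matter for diagnosis."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),          # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, "RCODE%d" % rcode),
        "questions": qdcount,
        "answers": ancount,
    }


def diagnose(info):
    """One-line interpretation of a parsed reply, in the terms used in the thread."""
    name = info["rcode_name"]
    if name == "REFUSED":
        return "REFUSED: server is reachable but will not serve this client (server-side ACL/recursion config)"
    if name == "NXDOMAIN":
        return "NXDOMAIN: server answered, but says the name does not exist"
    if name == "SERVFAIL":
        return "SERVFAIL: server answered, but could not resolve upstream"
    if name == "NOERROR" and info["answers"] == 0:
        return "NOERROR with no answers: name exists but has no records of that type"
    return "%s with %d answer(s)" % (name, info["answers"])


def fake_reply(query, rcode):
    """Constructed reply: echo the question, set QR and RA, set RCODE, no answers.

    Stand-in for the packets seen in the capture; not real ISP traffic.
    """
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | (rcode & 0x000F)
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:]


def probe(server, name="google.com", timeout=2.0):
    """Live check: send one A query over UDP/53 and return the parsed reply.

    Optional; requires network access. `server` is whatever resolver you want
    to test (e.g. the addresses handed out in your DHCP scope).
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _peer = sock.recvfrom(4096)
    return parse_response(data, expected_txid=0x1234)


if __name__ == "__main__":
    q = build_query("google.com")
    # Constructed samples: what the ISP servers in the thread returned (REFUSED),
    # next to the NXDOMAIN the browser reported, so the two are not confused.
    for rcode in (5, 3, 0):
        info = parse_response(fake_reply(q, rcode), expected_txid=0x1234)
        print("%-8s -> %s" % (info["rcode_name"], diagnose(info)))
    # Live check, e.g.: print(diagnose(probe("8.8.8.8")))
```

Run it with no arguments to see the three constructed cases decoded; swap in `probe(<your ISP resolver>)` to test the servers from your DHCP scope directly, which is the same check the reply above made by hand with a packet capture.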