02-11-2013 11:26 PM - edited 03-11-2019 05:59 PM
Sorry to this...
02-11-2013 11:55 PM
Hi,
I would suggest not using the ASA interface IP address as the hosts' DNS server. Simply use either your ISP's DNS servers directly or some other public DNS servers.
You also have an ACL on the outside interface that permits all traffic. You should not use such an ACL on the outside interface. Though in your case the ASA doesn't seem to be the device at the border of your network where anyone could reach it. But it's still not an ACL I would configure on the "outside" interface.
It also seems you have 2 devices doing NAT in your network. Both the ASA and your actual ADSL modem/router are doing NAT (as the network between the ASA and the ADSL modem/router is a private network).
If possible, you could even configure the ADSL modem/router as bridged and configure the ASA to either get the public IP address from the ISP with DHCP or, if you have a static public IP address, configure it on the ASA.
You don't necessarily need to change the ADSL modem/router to bridged. That is just a suggestion if you want to simplify the network setup with regards to the ASA.
- Jouni
02-12-2013 12:57 AM
Ok,
So just to confirm, is there a DNS problem at the moment?
I'd suspect the ASA won't reply to your DNS queries if you set it as the DNS server for clients.
To my understanding, using public DNS servers should work for you. If I understood correctly, you can also use the router in front of the ASA as a DNS server and it works with that?
Naturally, when you add your own server to the LAN network, you can start using it for DNS for the LAN hosts.
- Jouni
02-12-2013 01:11 AM
At the moment there is no connection to the AD/DHCP/DNS server. I directly connected ASA ethernet0/1 to my PC. There is no DHCP server, so I can put a manual IP and DNS address on my PC.
See, if I set my PC LAN IP to 192.168.4.33/24 with gateway 192.168.4.60 and put 192.168.4.60 in the DNS field, the Internet is not working; when I add the IP 10.0.0.138 there, the Internet is working.
In this situation, should I add 10.0.0.138 or a public DNS server on all PCs? If my AD/DNS/DHCP server works, I don't need to bother about this, am I right?
Or else, can I add a public DNS address on the ASA?
In this scenario, are there any faults or misconfigurations in my ASA configuration? Are any commands required on the ASA?
Best regards
Sheik Mohamed
02-12-2013 01:15 AM
Of the ACLs below, which ones should I add for security purposes?
Please mention which ACLs are required and which are not required. Please let me know.
access-list out2in extended permit tcp any host 10.0.0.10 eq 3389
access-list out2in extended permit tcp any any
access-list out2in extended permit ip any any
access-list NONAT extended permit ip 172.16.20.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list anycon standard permit 192.168.4.0 255.255.255.0
access-list CLS webtype permit url cifs://192.168.4.3 log default
access-list CLS webtype permit url rdp://192.168.4.3 log default
access-list CLS webtype permit url vnc://192.168.4.3 log default
02-12-2013 01:34 AM
Hi,
It's also possible to use the ASA as the DHCP server for your LAN clients if you want.
The configuration format for that could, for example, be:
dhcpd dns 10.0.0.138 81.22.16.24
!
dhcpd address 192.168.4.100-192.168.4.110 inside
dhcpd enable inside
At this point you should either
You should NOT configure the ASA interface IP address 192.168.4.60 as the DNS server for anything.
Regarding the ACLs, I can't really say. There seem to be some that point towards AnyConnect VPN configurations. Others point to a Clientless WebVPN configuration. And there's also a NAT0 ACL, it seems.
Your current (above) configurations should be enough for basic Internet connectivity, to my understanding. You will only need the ACL on the "outside" interface of the ASA if you are trying to connect to some LAN host directly from the Internet. As I don't know your Internet/ADSL router configuration, I can't really say if you need any additional configurations on the ASA.
But if your original problem was regarding the DNS, I think all the above should help with that issue.
- Jouni
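Added example, not part of any post in this thread: a Python check over the access-list lines the poster listed, flagging the permit-everything entries Jouni warns about and the specific RDP rule they make redundant. The function names are hypothetical, and the parser assumes only the address forms seen in this thread (any, host A.B.C.D, network plus mask).

```python
# ACL lines copied from the thread (the poster's configuration).
ACL_TEXT = """\
access-list out2in extended permit tcp any host 10.0.0.10 eq 3389
access-list out2in extended permit tcp any any
access-list out2in extended permit ip any any
access-list NONAT extended permit ip 172.16.20.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list anycon standard permit 192.168.4.0 255.255.255.0
"""

def take_addr(tokens):
    """Consume one address spec from the front of tokens."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    if head == "host":
        return tokens.pop(0) + "/32"
    return head + " " + tokens.pop(0)  # network followed by mask

def parse_extended(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [ports]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None  # standard and webtype ACLs are out of scope here
    rest = t[5:]
    try:
        src, dst = take_addr(rest), take_addr(rest)
    except IndexError:
        return None  # truncated line
    return {"acl": t[1], "action": t[3], "proto": t[4], "src": src,
            "dst": dst, "ports": " ".join(rest), "line": line.strip()}

def is_wide_open(e):
    return e["action"] == "permit" and e["src"] == e["dst"] == "any" and not e["ports"]

def audit(text):
    """Return (finding, line) pairs for permit entries in extended ACLs."""
    entries = [e for e in map(parse_extended, text.splitlines()) if e]
    findings = []
    for e in entries:
        if is_wide_open(e):
            findings.append(("permit-any-any", e["line"]))
        elif e["action"] == "permit" and any(
                o["acl"] == e["acl"] and is_wide_open(o)
                and o["proto"] in ("ip", e["proto"]) for o in entries):
            findings.append(("covered-by-permit-any-any", e["line"]))
    return findings

if __name__ == "__main__":
    for finding, line in audit(ACL_TEXT):
        print(f"{finding:26} {line}")
```

With the two any-to-any entries removed, the RDP entry is no longer reported, because it is then the only thing the out2in ACL permits.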
02-12-2013 01:37 AM
Thanks, Jouni.