ASA 5506-X Firewall Configuration

e-tillsol
Level 1

We need to configure the Firewall according to attached diagram.

The ISP has provided us with a public static IP and DNS servers (primary DNS 194.168.1.1, secondary DNS 194.168.2.1).

  • inside and dmz can connect to all internet services.
  • inside can use Webserver services.
  • Public can access Web Server services (http, ftp, mysql).

We are successfully able to connect devices to the internet, but we have to assign DNS in every host's IPv4 settings (PC1, Web Server), which is not a good idea. Is it possible for the firewall to do DNS?

We only have one public IP, which means we cannot add a Public Server using ASDM. We want to use the firewall's outside IP to access the Web Server ports from the public internet.

9 Replies

Maykol Rojas
Cisco Employee

Hello; 

Ok so, your issue is that you need to manually assign DNS servers on the machines? Where are these machines obtaining the IP information? 

Have you tested the DNS servers that the ISP gave you outside the firewall? I.e. if they are public you can assign them to your phone and test it.

Something you can do is to assign a public DNS server, using the DHCP server on your network. 

Mike.

!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 194.1.X.1 194.1.Y.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.0.5-192.168.0.254 dmz
dhcpd dns 194.1.X.1 194.1.Y.1 interface dmz
dhcpd enable dmz

DHCP is already configured. But DHCP assigns these DNS entries to hosts with the IP lease.

What I think is that it should get DNS from the firewall. Meaning for inside hosts the primary DNS should be 192.168.1.1.

Hi; 

The DNS servers you should get assigned are the ones you configured (194.1.x.1 and 194.1.y.1). 

You say that when this is configured it does not work and you have to manually put those same servers on the hosts and then it works? 

Mike.

Hi Maykol,

They work perfectly fine. As I have already stated in my discussion, the internet is working on both (inside, dmz) hosts. This means name resolution is working.

But what I want is that the DNS in the hosts should be the inside interface IP (192.168.1.1) for inside hosts and the dmz interface IP (192.168.0.1) for dmz-connected hosts, similar to hosts connected to ADSL or WAN routers. I have done the same with a Cisco ASA 500 series firewall.

Hello; 

I think I understand it now. You want to be able to put the firewall IP as the DNS server and then the firewall to forward the request to the DNS server? Is this correct? 

If so, this is a proxy capability the firewall does not have, but there is NAT config that can be put in place so it can work.

Let me know. 

Mike.

OK, what NAT configuration do I need to do to achieve this?

Also I want to connect a web server to the dmz, as you can see in the attached network diagram (network_diagram.jpg). The web server will serve the public coming from the internet. I want to port forward port 80 from outside to dmz (meaning the outside interface IP is to be mapped to the web server's local IP 192.168.0.100).

Waiting for your swift reply.

Hello; 
There is a downside for this configuration and it is that you can only use one of the DNS servers assigned. 
The configuration would be like this: 
dhcpd dns 192.168.1.1 interface inside
object network DNS_Server
 host 194.1.X.1
 nat (outside,inside) static interface service udp domain domain

dhcpd dns 192.168.0.1 interface dmz
object network DNS_Server1
 host 194.1.X.1
 nat (outside,dmz) static interface service udp domain domain

For access to web server
-----------------------------
object network WebServer
 host 192.168.0.100
 nat (dmz,outside) static interface service tcp 80 80

access-list outside permit tcp any host 192.168.0.100 eq 80
access-group outside in interface outside

ACL NOTE*** If you already have an access list on the outside, change the above line where it says outside
with the name of the access-list you already have and do not use the second line.

If you have any questions, let me know. 

Mike.

Hi Maykol,

Thanks for the help. I will try this.

But the main issue is how I can publish my web server when I have only one IP from the ISP. I want public and inside hosts to access the web server for http and ftp.

I got one IP from the ISP and it is assigned to the outside interface. How can I map this IP to the web server on different ports?

Hi; 

The lines in the previous post where it says "Access to Web server" that would allow you to access the server using the ASA interface IP (the port forward you were looking for) for outside users on port 80 (mirror the configuration for ftp 21). 

If you want to access the WebServer with the public IP from the inside as well, you can go ahead and do the following: 

object network WebServer1
 host 192.168.0.100
 nat (dmz,inside) static <ASA_outside_IP> service tcp 80 80

object network WebServer2
 host 192.168.0.100
 nat (dmz,inside) static <ASA_outside_IP> service tcp 21 21

That should do the trick. 

Mike
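Both the port-forward post above ("For access to web server") and this follow-up hand-write object NAT lines plus an ACL, and every extra "nat ... service" line widens what the single public IP publishes, so it is worth checking that each forward has a matching permit and that the ACL name in access-group really exists. The following Python is an added example for this thread, not Cisco tooling and not code from either poster; it parses those line shapes and reports the mismatches. It assumes ASA 8.3+ semantics, where the ACL on the outside interface matches the real (pre-NAT) address, i.e. 192.168.0.100 rather than the interface IP. The sample config is constructed: the ACL name is deliberately misspelled, and 203.0.113.10 is a placeholder for the ASA's public IP.

```python
"""Cross-check hand-written ASA object-NAT port forwards against the
outside ACL.  Added example for this thread, not Cisco tooling.  Assumes
ASA 8.3+ semantics: the ACL applied to the outside interface matches the
REAL (pre-NAT) address, e.g. 192.168.0.100, not the interface IP."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's config.  The ACL name is
# deliberately misspelled ('ouside') to show what the check catches, and
# 203.0.113.10 stands in for the ASA's public IP (a placeholder).
SAMPLE_CONFIG = """\
object network WebServer
 host 192.168.0.100
 nat (dmz,outside) static interface service tcp 80 80
object network WebServer_ftp
 host 192.168.0.100
 nat (dmz,outside) static interface service tcp 21 21
object network WebServer_inside
 host 192.168.0.100
 nat (dmz,inside) static 203.0.113.10 service tcp 80 80
access-list ouside permit tcp any host 192.168.0.100 eq 80
access-group outside in interface outside
"""

# ASA accepts port names as well as numbers in 'eq' and 'service' clauses.
NAMED_PORTS = {"www": "80", "http": "80", "ftp": "21", "domain": "53"}

def port(p):
    """Normalise a port name or number to its numeric string."""
    return NAMED_PORTS.get(p, p)

@dataclass
class PortForward:
    obj: str          # object network name
    real_ip: str      # address from the 'host' line
    real_if: str      # (real_if,mapped_if) from the nat line
    mapped_if: str
    mapped: str       # 'interface' or an explicit mapped IP
    proto: str
    real_port: str
    mapped_port: str

@dataclass
class AclEntry:
    name: str
    proto: str
    dst_ip: str
    dst_port: str

NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+) service (\w+) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit (\w+) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)")

def parse_config(text):
    """Return (port forwards, ACL entries, {interface: ACL name})."""
    forwards, acls, groups = [], [], {}
    obj = real_ip = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj, real_ip = line.split()[2], None
        elif line.startswith("host "):
            real_ip = line.split()[1]
        elif (m := NAT_RE.match(line)) and obj and real_ip:
            real_if, mapped_if, mapped, proto, rport, mport = m.groups()
            forwards.append(PortForward(obj, real_ip, real_if, mapped_if,
                                        mapped, proto, rport, mport))
        elif m := ACL_RE.match(line):
            acls.append(AclEntry(*m.groups()))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return forwards, acls, groups

def audit(text):
    """Return (findings, exposed): human-readable problems, and the list of
    services the single public IP publishes (review it each time a new
    'nat ... service' line is added)."""
    forwards, acls, groups = parse_config(text)
    findings = []
    defined = {a.name for a in acls}
    for iface, name in groups.items():
        if name not in defined:
            findings.append(f"access-group on '{iface}' references ACL '{name}', "
                            f"but no access-list with that name exists")
    outside_acl = groups.get("outside")
    for fw in forwards:
        if fw.mapped_if != "outside":
            continue      # (dmz,inside) reflections are not Internet-facing
        permitted = any(a.name == outside_acl and a.proto == fw.proto
                        and a.dst_ip == fw.real_ip
                        and port(a.dst_port) == port(fw.real_port)
                        for a in acls)
        if not permitted:
            findings.append(f"{fw.obj}: {fw.proto}/{port(fw.mapped_port)} on outside "
                            f"is translated to {fw.real_ip}:{port(fw.real_port)} "
                            f"but the outside ACL does not permit it")
    exposed = sorted(f"{fw.proto}/{port(fw.mapped_port)}->{fw.real_ip}:{port(fw.real_port)}"
                     for fw in forwards if fw.mapped_if == "outside")
    return findings, exposed

if __name__ == "__main__":
    problems, published = audit(SAMPLE_CONFIG)
    print("Published on the public IP:", *published)
    print("Findings:", *problems, sep="\n  ")
```

Run against the sample it reports the dangling access-group name and, because no ACL of that name exists, both outside forwards as unpermitted; correct the name and only the ftp forward remains flagged until an "eq ftp" permit is added, which is the "mirror the configuration for ftp 21" step in the reply. The exposed list is the set of services the one public IP publishes; on an ASA older than 8.3 the outside ACL matches the translated (interface) address instead, so the real-IP comparison here would not apply.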