ASA5505 DNS issues

chriswarren972
Community Member

Hi Team,

I'm kind of stuck here, and I'm not sure what I'm supposed to do now. My company wants to switch from copper to fiber internet access. Not a problem: I went through my ASDM and changed all the IP addresses from the old access to the new ones, starting in Device Setup | Interfaces | Outside, where I put the IP address in, and then I went to Routing | Static Routes | Gateway IP and changed that. Everything went haywire. I was told I was getting internet access but was getting DNS errors, and I'm not sure why. I double-checked, and the ISP DNS servers didn't change. I changed out the gateway and my usable IPs, just like I did when my company made the first switch the week I got here in March. Can anyone help me figure this out?

12 Replies

Jouni Forss
VIP Alumni

Hi,

Do you mean the ASA is giving you some errors regarding DNS? Can you share the error messages with us?

If you want us to check the ASA configuration, I would prefer to see it in CLI format, as I don't use ASDM. Then again, it would be a pain to even try to copy/paste all the different ASDM configuration pages here.

- Jouni

How would I give you the CLI version, as I only use the ASDM?

Chris,

On ASDM, you can follow this path: Tools > Command Line Interface.

It should bring up this window:

Type show run under Command and click Send. The output of this command is the running configuration. You can copy the output and paste it here.

If possible, please take the show service-policy output as well.

Eddy,

Here's what it says for the show run command:

Result of the command: "show run"

: Saved
:
ASA Version 8.2(1)
!
hostname FiveStarASA
enable password LcVWj.mnNFwiBnaT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.84.214.74 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any host 50.84.214.74 eq 3389
access-list acl_outside extended permit tcp any host 50.84.214.74 eq ftp
access-list acl_outside extended permit ip any host 50.84.214.75
access-list acl_outside extended permit ip any host 50.84.214.76
access-list acl_outside extended permit tcp any host 50.84.214.74 eq ftp-data
access-list acl_outside extended permit tcp any host 50.84.214.76 eq ftp-data
access-list nonat extended permit ip 192.168.0.0 255.255.252.0 10.75.75.0 255.255.255.0
access-list splittunnel standard permit 192.168.0.0 255.255.252.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.75.75.1-10.75.75.254
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.11 3389 netmask 255.255.255.255
static (inside,outside) 64.244.22.146 192.168.1.201 netmask 255.255.255.255 dns
static (inside,outside) 64.244.22.147 192.168.1.202 netmask 255.255.255.255 dns
static (inside,outside) 50.84.214.75 192.168.1.203 netmask 255.255.255.255 dns
static (inside,outside) 64.244.22.149 192.168.1.204 netmask 255.255.255.255 dns
static (inside,outside) 50.84.214.76 192.168.1.205 netmask 255.255.255.255 dns
static (inside,outside) 64.244.22.151 192.168.1.206 netmask 255.255.255.255 dns
static (inside,outside) 64.244.22.152 192.168.1.207 netmask 255.255.255.255 dns
static (inside,outside) 64.244.22.153 192.168.1.208 netmask 255.255.255.255 dns
static (inside,outside) 64.244.22.154 192.168.1.209 netmask 255.255.255.255 dns
static (inside,outside) 64.244.22.155 192.168.1.210 netmask 255.255.255.255 dns
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 50.84.214.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
url-server (inside) vendor smartfilter host 69.26.160.9 port 4005 timeout 30 protocol TCP connections 5
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
filter url http 192.168.0.0 255.255.252.0 64.244.22.144 255.255.255.240 proxy-block
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strongest esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set strongest
crypto map activemap 65535 ipsec-isakmp dynamic dynmap
crypto map activemap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 63.149.142.32 255.255.255.224 outside
ssh 70.42.3.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 2
url-block url-size 2
url-block block 10
webvpn
group-policy ClientGroup internal
group-policy ClientGroup attributes
 dns-server value 4.2.2.1 4.2.2.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
username admin password rwgfG5L5VZ6zHtCh encrypted
username synchadmin password .GsHHIUoDv8rcdPN encrypted
tunnel-group RemoteAdmin type remote-access
tunnel-group RemoteAdmin general-attributes
 address-pool vpnpool
 default-group-policy ClientGroup
tunnel-group RemoteAdmin ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
 address-pool vpnpool
 default-group-policy ClientGroup
tunnel-group Remote ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7827720577eab30f70efc6e68bf1f419
: end

Here's the Output as well:


Result of the command: "show service-policy output"

show service-policy output
                    ^
ERROR: % Invalid input detected at '^' marker.

Hi,

You don't seem to have DNS inspection enabled, at least.

You can drop the commands in through ASDM, through the same CLI interface.

You will have to choose the "Multiple Line" checkbox.

policy-map global_policy
 class inspection_default
  inspect dns

- Jouni

JouniForss,

Here's the result of what you asked me to put in.

Result of the command: "policy-map global_policy"
The command has been sent to the device

Result of the command: "class inspection_default"
The command has been sent to the device

Result of the command: "inspect dns"
The command has been sent to the device

chriswarren972
Community Member

Eddy, I also have another question, because I'm seeing something from another issue we had a few weeks ago...

group-policy ClientGroup attributes
 dns-server value 4.2.2.1 4.2.2.2   <

Hi Chris,

Try navigating ASDM to

  • Configuration (top menu) 
  • Remote Access VPN (bottom left menu)
  • Network (Client) Access (dropdown menu on left) 
  • Group Policies 
  • Find the Group Policy named ClientGroup from the main view 
  • Press Edit
  • Go to the section "Servers" in the window

There you should see the DNS servers configured, and you can change them to what you need.

- Jouni

Regarding the output you posted after inserting the commands I suggested:

It seems to me that ASDM correctly inserted the needed configuration into the ASA running configuration. DNS inspection would seem to be in use now.

Whether this helped with your DNS problem is of course a totally different matter. I hope it did.

- Jouni

Thank you JouniForss!!! So far it's looking good. At 12:30 my time here in Dallas, I'm going to attempt the switch-over again, and I will let you know what happens then. I've got my fingers crossed, and I believe now it will work fine. There was also an issue on my ISP's end as well. When I called them, they didn't have the same IP addresses active on their end as they gave me. I think that was 99.99% of my problem, after looking through the steps that you gave me and there not being any real glaring errors.

Hi,

The basic steps you could take when confirming connectivity are the following:

  • Make sure the IP address and mask configured on the WAN interface are correct
  • Make sure the WAN interface IS NOT in "shutdown" state
  • Attempt to PING the ISP gateway
    • If you have added some "icmp" commands to the ASA, this might fail
  • Issue the command "show arp" right after the PING has been issued and confirm that you can see an IP/MAC pair for your ISP gateway
  • Confirm that your default route is pointing to the correct IP address, which should be the one showing up with the "show arp" command on the WAN/"outside" interface
  • Confirm that the ASA can ping some remote public Internet IP address
    • To my understanding, the Google DNS servers 8.8.8.8 and 8.8.4.4 should reply to PING, for example
    • The CLI command is "ping 8.8.8.8", for example
  • Confirm that you have NAT rules that enable the LAN users to access the Internet
  • Make sure no ACL is blocking any traffic from the LAN to outside

In very basic, simple ASA configurations there shouldn't be that many things that could prevent normal Internet connectivity.

EDIT: Naturally, some of the things I stated above will not be a problem in your case.

In some cases it's also good to save the current configuration and reboot the device if needed.

- Jouni
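The two checks raised in this thread, whether "inspect dns" is present under global_policy (Jouni's first fix) and whether the outside address, mask and default gateway are consistent after the provider change (the checklist above), can both be run offline against a saved "show run" before the cut-over is attempted. The script below is an added example written for this page; it is not from the original thread, from Cisco, or from any ASA tooling. It assumes the pre-8.3 syntax the poster is running (`static (inside,outside) ...`, `route outside ...`, `policy-map global_policy` / `class inspection_default`) and that the WAN interface carries `nameif outside`. The embedded sample config is a constructed, trimmed version of the one posted; treating 64.244.22.0/28 as the previous provider's block is an assumption, since the thread never says so explicitly. Besides the DNS-inspection and gateway checks, it flags public addresses in static NATs, ACL `host` entries and `filter url` rules that no longer fall inside the outside subnet: statics carrying the `dns` keyword make the ASA rewrite matching A records in inspected DNS replies, so stale entries there are worth catching once inspection is switched on.

```python
"""Offline audit of a pre-8.3 ASA running config for the issues raised in the thread.
Added example, not code from the original post or from Cisco. Assumes 8.2-style
syntax (static (inside,outside) ..., route outside ..., policy-map global_policy)
and that the WAN interface is the one with 'nameif outside'."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample: a trimmed copy of the kind of config posted in the thread.
# 64.244.22.0/28 is ASSUMED to be the previous provider's block.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.84.214.74 255.255.255.248
access-list acl_outside extended permit ip any host 50.84.214.75
static (inside,outside) tcp interface 3389 192.168.1.11 3389 netmask 255.255.255.255
static (inside,outside) 64.244.22.146 192.168.1.201 netmask 255.255.255.255 dns
static (inside,outside) 50.84.214.75 192.168.1.203 netmask 255.255.255.255 dns
filter url http 192.168.0.0 255.255.252.0 64.244.22.144 255.255.255.240 proxy-block
route outside 0.0.0.0 0.0.0.0 50.84.214.73 1
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
!
service-policy global_policy global
"""


def _lines(cfg: str) -> List[str]:
    # Strip indentation so the same parser handles real CLI output and the
    # flattened, double-spaced copy that an ASDM/forum paste produces.
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]


def outside_subnet(cfg: str) -> Optional[ipaddress.IPv4Network]:
    """Subnet of the interface whose nameif is 'outside', or None if absent."""
    blocks, current = [], {}
    for ln in _lines(cfg):
        if ln.startswith("interface "):
            current = {}
            blocks.append(current)
        elif ln.startswith("nameif "):
            current["nameif"] = ln.split()[1]
        else:
            m = re.match(rf"ip address ({IPV4}) ({IPV4})", ln)
            if m:  # dotted mask; strict=False masks off the host bits
                current["net"] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    for b in blocks:
        if b.get("nameif") == "outside" and "net" in b:
            return b["net"]
    return None


def default_gateway(cfg: str) -> Optional[str]:
    """Next hop of 'route outside 0.0.0.0 0.0.0.0 <gw>'."""
    m = re.search(rf"^route outside 0\.0\.0\.0 0\.0\.0\.0 ({IPV4})", "\n".join(_lines(cfg)), re.M)
    return m.group(1) if m else None


def gateway_in_outside_subnet(cfg: str) -> bool:
    """The default route must point inside the outside subnet, or the ASA can
    never ARP for it (the 'show arp' step in the checklist)."""
    net, gw = outside_subnet(cfg), default_gateway(cfg)
    return bool(net and gw and ipaddress.IPv4Address(gw) in net)


def stale_public_addresses(cfg: str) -> List[Tuple[str, str]]:
    """(config line, address) for public addresses in static NATs, ACL 'host'
    entries and 'filter url' rules that lie outside the outside subnet."""
    net = outside_subnet(cfg)
    if net is None:
        return []
    findings = []
    for ln in _lines(cfg):
        candidates = []
        m = re.match(rf"static \(\S+,\S+\) (?:tcp |udp )?({IPV4}) ", ln)
        if m:  # mapped (global) address; 'interface' statics do not match
            candidates.append(f"{m.group(1)}/32")
        if ln.startswith("access-list "):
            candidates += [f"{ip}/32" for ip in re.findall(rf"host ({IPV4})", ln)]
        m = re.match(rf"filter url \S+ ({IPV4}) ({IPV4}) ({IPV4}) ({IPV4})", ln)
        if m:  # source/mask and destination/mask of a URL filter rule
            candidates += [f"{m.group(1)}/{m.group(2)}", f"{m.group(3)}/{m.group(4)}"]
        for c in candidates:
            cnet = ipaddress.IPv4Network(c, strict=False)
            if not cnet.is_private and not cnet.overlaps(net):
                findings.append((ln, str(cnet.network_address)))
    return findings


def dns_inspection_enabled(cfg: str, policy: str = "global_policy") -> bool:
    """True if 'inspect dns' appears under the named policy-map."""
    in_policy = False
    for ln in _lines(cfg):
        if ln.startswith("policy-map "):
            in_policy = ln.split()[1] == policy
        elif ln.startswith(("service-policy ", "class-map ", "!")):
            in_policy = False  # end of the policy-map block
        elif in_policy and ln.startswith("inspect dns"):
            return True
    return False


def remediation_commands(cfg: str, policy: str = "global_policy") -> List[str]:
    """Lines to paste into ASDM's multi-line CLI box if DNS inspection is missing."""
    if dns_inspection_enabled(cfg, policy):
        return []
    return [f"policy-map {policy}", " class inspection_default", "  inspect dns"]


def audit(cfg: str) -> Dict[str, object]:
    return {
        "outside_subnet": str(outside_subnet(cfg)),
        "default_gateway": default_gateway(cfg),
        "gateway_in_outside_subnet": gateway_in_outside_subnet(cfg),
        "stale_public_addresses": stale_public_addresses(cfg),
        "dns_inspection_enabled": dns_inspection_enabled(cfg),
        "remediation": remediation_commands(cfg),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the text copied from Tools > Command Line Interface (show run) and diff `audit()` output before and after the provider change; anything listed under stale_public_addresses is a line that still names an address the ASA no longer owns.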

And at this point it's very basic and very simple, so I'm hoping it's an easy-breezy thing.
