05-24-2018 03:19 PM - edited 02-21-2020 07:48 AM
Suppose you have an ASA with multiple connections to the Internet, and that some of your hosts on your inside networks will typically use one Internet connection, while other hosts will typically use the second connection. In such a scenario, is there a way to configure the ASA to always query both ISP1's and ISP2's DNS servers to resolve FQDNs in the ACLs on the ASA? It seems to me like the ASA will only try to use a single DNS server to resolve FQDNs; if the query succeeds, it doesn't query any additional name servers. However, if a host on one of my internal networks receives a different IP address for a DNS query than the ASA received, then the ACL won't match the outgoing packet, and the ASA will reject the traffic.
For example, suppose I have the following (partial) config on my ASA:
object network INSIDE1-SUBNET
 subnet 10.0.1.0 255.255.255.0
object network FOOBAR
 fqdn foo.bar.com
...
access-list INSIDE1-IN extended permit tcp object INSIDE1-SUBNET object FOOBAR eq 80
access-list INSIDE1-IN extended deny ip any any
If a host on my INSIDE1-SUBNET queries ISP1's DNS server for host foo.bar.com and gets 172.16.10.80 for the IP address, but the ASA is using ISP2's DNS server and gets 172.17.10.80 for the IP address (which can happen with DNS round robin, cached services, etc.), then my ACL will deny the traffic, since 172.16.10.80 != 172.17.10.80.
There are a number of reasons why I can't simply have all of the hosts use the same DNS servers as the ASA, which I have omitted for the sake of brevity. Assuming that I cannot break this constraint (it's a management decision well above my pay grade), how can I resolve this problem?
05-25-2018 12:38 AM
As far as I know, the ASA will query one DNS server and, if there is no answer, move to the next one, so there is no simple solution to make FQDN work for DNS servers responding with one IP at a time.
Solutions to this issue would be:
- have a single DNS server answer the ASA and clients
- use URL filtering
HTH
Bogdan
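A small model of the mismatch described in the question, and of the "single DNS server for the ASA and clients" remedy from the answer above (an added example; not code from the thread or from Cisco). It parses the partial config from the question, evaluates the ACL first-match with the FQDN object matching only the addresses the ASA's own resolver returned, and reports permit/deny for a host whose resolver answered differently. The resolver answers, the host address 10.0.1.5 and the "both answers" case are constructed assumptions, not ASA behaviour.

```python
import ipaddress
# Constructed input: the (partial) ASA config from the question above.
ASA_CONFIG = """\
object network INSIDE1-SUBNET
 subnet 10.0.1.0 255.255.255.0
object network FOOBAR
 fqdn foo.bar.com
access-list INSIDE1-IN extended permit tcp object INSIDE1-SUBNET object FOOBAR eq 80
access-list INSIDE1-IN extended deny ip any any
"""

def parse_config(text):
    """Return (network objects, extended ACEs) from the config text."""
    objects, aces, current = {}, [], None
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[0] == "subnet":
            objects[current] = ("subnet", ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "fqdn":
            objects[current] = ("fqdn", tok[1])
        elif tok[0] == "access-list" and tok[2] == "extended":
            action, proto, i, ends = tok[3], tok[4], 5, []
            for _ in range(2):  # source, then destination: 'any' or 'object NAME'
                ends.append(("any", None) if tok[i] == "any" else ("object", tok[i + 1]))
                i += 1 if tok[i] == "any" else 2
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            aces.append((action, proto, ends[0], ends[1], port))
    return objects, aces

def endpoint_matches(ep, ip, objects, asa_dns):
    """'any', a subnet object, or an FQDN object; FQDNs match only what the ASA resolved."""
    if ep[0] == "any":
        return True
    otype, val = objects[ep[1]]
    return ipaddress.ip_address(ip) in val if otype == "subnet" else ip in asa_dns.get(val, set())

def acl_action(aces, objects, asa_dns, proto, src, dst, dport):
    """First-match evaluation; the implicit deny applies if no ACE matches."""
    for action, p, s, d, port in aces:
        if p in ("ip", proto) and port in (None, dport) and \
           endpoint_matches(s, src, objects, asa_dns) and endpoint_matches(d, dst, objects, asa_dns):
            return action
    return "deny"

# Constructed resolver answers for foo.bar.com (ISP1 serves the hosts, ISP2 serves the ASA).
ISP1_DNS = {"foo.bar.com": {"172.16.10.80"}}
ISP2_DNS = {"foo.bar.com": {"172.17.10.80"}}

def demo(src="10.0.1.5", dst="172.16.10.80"):
    objects, aces = parse_config(ASA_CONFIG)
    split = acl_action(aces, objects, ISP2_DNS, "tcp", src, dst, 80)    # host and ASA disagree
    shared = acl_action(aces, objects, ISP1_DNS, "tcp", src, dst, 80)   # one resolver for both
    both = {k: ISP1_DNS[k] | ISP2_DNS[k] for k in ISP1_DNS}            # if the ASA kept both answers
    return split, shared, acl_action(aces, objects, both, "tcp", src, dst, 80)
```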