10-29-2011 03:03 AM - edited 03-11-2019 02:43 PM
I have a Cisco ASA 5510. From the ASA CLI I cannot resolve hostnames (cisco.com or google.com).
Many forums say to do this:
1. Whilst in enable mode > enter configure terminal mode, then enable DNS Lookups.
CiscoASA#conf t
CiscoASA(config)# dns domain-lookup Outside
2. Then specify the external DNS Servers (Change IP addresses appropriately).
CiscoASA(config)# dns server-group DefaultDNS
CiscoASA(config-dns-server-group)# name-server 122.122.122.199
CiscoASA(config-dns-server-group)# name-server 122.122.122.198
CiscoASA(config-dns-server-group)# exit
3. Test it by pinging a name/URL.
CiscoASA(config)# ping www.20best.blogspot.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
!!!!!
But there is no such command (dns server-group) on my ASA.
Please tell me how to do this, or any other way.
My ASA is showing only:
Mail-ASA# sh runn
: Saved
:
ASA Version 7.0(8)
!
hostname Mail-ASA
domain-name rawabiholding.com
enable password QuzxIf5jNzzT5kki encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.0.94 Test-web-mail
name 172.16.5.63 Mail-server
name 172.16.0.40 Web-Mail
name 172.16.0.24 MX-A
name 172.16.0.93 Test-Mail-MX
name 172.16.1.55 DNS-1
name 172.16.1.17 Web-Server
name 172.16.0.41 Helpdesk.rawabiholding.com
name 172.16.0.98 Test-Server
no dns-guard
!
interface Ethernet0/0
nameif outside
security-level 10
ip address 82.118.161.34 255.255.255.224
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 172.16.1.65 255.255.252.0
!
interface Ethernet0/2
nameif inside-Mail
security-level 100
ip address 172.16.5.37 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
banner exec ************* If you are not Rawabi IT Member Please logout ********
********
banner login ***************** Do not open or login , if you are not allowed *
********************
ftp mode passive
dns domain-lookup outside
dns name-server 212.102.0.82
dns name-server 212.102.0.11
access-list outside_access_in extended permit tcp any host 82.118.161.35 eq pop3
access-list outside_access_in extended permit tcp any host 82.118.161.35 eq smt.
10-29-2011 03:58 AM
It doesn't look like the DNS servers that you configured are resolving any DNS requests.
I have just tried both DNS servers, and they are refusing the DNS query:
> www.google.com
Server: ns3.shabakah.net.sa
Address: 212.102.0.82
*** ns3.shabakah.net.sa can't find www.google.com: Query refused
> www.google.com
Server: [212.102.0.11]
Address: 212.102.0.11
*** [212.102.0.11] can't find www.google.com: Query refused
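The nslookup test in the reply above, repeated at the packet level as an added example that is not part of the original thread: it builds an A query and decodes the reply header, where nslookup's "Query refused" corresponds to RCODE 5 (REFUSED). All function names are hypothetical, the sample reply is constructed, and `query_server` is the live variant that needs network access.

```python
import socket
import struct

# RCODE names from RFC 1035 section 4.1.1; nslookup reports 5 as "Query refused".
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a recursive (RD=1) A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "recursion_available": bool(flags & 0x0080), "answers": answers,
            "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))}

def diagnose(query, reply):
    """Classify a reply the way the nslookup test in the thread does."""
    hdr = parse_header(reply)
    if not hdr["is_response"] or hdr["id"] != parse_header(query)["id"]:
        return "not a reply to this query"
    if hdr["rcode"] == "REFUSED":
        return "server refused the query"
    if hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "resolved"
    return "failed: " + hdr["rcode"]

def query_server(server, name, timeout=2.0):
    """Live variant: send the query over UDP/53 (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(512)
    return diagnose(query, reply)

def constructed_refused_reply(query):
    """Constructed sample: QR=1, RD=1, RCODE=5, question echoed, no answers."""
    return query[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + query[12:]
```

Running `query_server` from a host behind the firewall against each configured name server separates a resolver that refuses the query from a firewall that cannot reach it, which shows up as a timeout instead.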
10-29-2011 04:05 AM
Dear Jennifer,
From the ISP router, I checked and it is resolving the name to an IP,
but from the ASA 5510 it is not; it is giving an error.
Jennifer Halim wrote:
It doesn't look like the DNS servers that you configured are resolving any DNS requests.
I have just tried both DNS servers, and they are refusing the DNS query:
> www.google.com
Server: ns3.shabakah.net.sa
Address: 212.102.0.82
*** ns3.shabakah.net.sa can't find www.google.com: Query refused
> www.google.com
Server: [212.102.0.11]
Address: 212.102.0.11
*** [212.102.0.11] can't find www.google.com: Query refused
http://20best.blogspot.com/2011/06/visit-to-grand-canyon-in-10-days.html
10-29-2011 04:10 AM
When I ping, it is giving this error.
Mail-ASA# ping http://20best.blogspot.com/2011/08/clock-of-makkah.html
Mail-ASA# ping http://20best.blogspot.com/2011/10/lulu-market-in-riyadh.html
10-29-2011 04:36 AM
My ASA5510 does not have this command to configure DNS.
dns server-group DefaultDNS
Maybe I have an old version.
10-29-2011 04:15 PM
You do not need the "dns server-group" command to perform DNS resolution on your ASA. The "dns server-group" command is only to group multiple DNS servers configured on the ASA so you can refer to it in other parts of the configuration. If you need to group the DNS servers, the command is only supported from version 7.1.1 onwards.
Secondly, you also can't ping a DNS name from your ASA with the version of code that you are running. Pinging a hostname from the ASA is only supported from version 7.2.1 onwards.
You can try to point an internal host DNS server as the ASA to test it, and you should be able to test DNS resolution from your host.
10-31-2011 01:29 AM
11-02-2011 01:23 AM
You can download it from cisco.com download site if you have a Smartnet contract.