05-15-2012 06:59 AM - edited 03-11-2019 04:07 PM
I have a 5505 that currently has inside/outside interfaces and everything is working just fine. I am trying to create a DMZ that will essentially be just for vendors/guests. The DMZ will have full access to the outside (Internet) but no access to the inside. I am using the FW for DHCP, and 8.8.8.8 and 4.2.2.2 for DNS. I currently have 1 laptop in the DMZ vlan, and it is getting a correct IP, and it is showing 8.8.8.8 and 4.2.2.2 in ipconfig. I can ping/tracert 8.8.8.8/4.2.2.2/74.125.137.147 (what www.google.com resolved to on a laptop connected to the inside vlan), but I cannot ping nor browse to www.google.com. I am pasting the sanitized config below; any help would be appreciated. If I left any pertinent information out, let me know and I will provide it.
Thanks,
: Saved
:
ASA Version 8.4(3)
!
terminal width 128
hostname 5505_PoC
!
interface Ethernet0/0
switchport access vlan 200
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 150
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
allow-ssc-mgmt
ip address 10.2.20.4 255.255.255.0
!
interface Vlan150
nameif DMZ
security-level 50
ip address 10.2.150.1 255.255.255.0
!
interface Vlan200
nameif outside
security-level 0
ip address 10.2.220.4 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
domain-name hmcorp.local
same-security-traffic permit intra-interface
object network INSIDE-NET10
subnet 10.2.20.0 255.255.255.0
object network DMZ-NET150
subnet 10.2.150.0 255.255.255.0
access-list IPS extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
!
object network INSIDE-NET10
nat (inside,outside) dynamic interface
object network DMZ-NET150
nat (DMZ,outside) dynamic 10.2.220.150
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_IN in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.2.220.1 1
route inside 10.0.0.0 255.0.0.0 10.2.20.1 1
route inside 172.16.0.0 255.240.0.0 10.2.20.1 1
route inside 192.168.0.0 255.255.0.0 10.2.20.1 1
!
dhcpd address 10.2.150.10-10.2.150.100 DMZ
dhcpd dns 8.8.8.8 4.2.2.2 interface DMZ
dhcpd enable DMZ
!
: end
5505_PoC# sh int | i protocol
Interface Ethernet0/0 "", is up, line protocol is up
Interface Ethernet0/1 "", is up, line protocol is up
Interface Ethernet0/2 "", is up, line protocol is up
Interface Ethernet0/3 "", is down, line protocol is down
Interface Ethernet0/4 "", is down, line protocol is down
Interface Ethernet0/5 "", is down, line protocol is down
Interface Ethernet0/6 "", is down, line protocol is down
Interface Ethernet0/7 "", is down, line protocol is down
Interface Vlan1 "inside", is up, line protocol is up
Interface Vlan150 "DMZ", is up, line protocol is up
Interface Vlan200 "outside", is up, line protocol is up
05-15-2012 08:01 AM
Got it figured out. I had one too many access-group statements.
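As an added illustration (not code from the original post or from Cisco), here is a small Python model of the ASA's inbound decision: an access-group bound inbound to an interface is evaluated first-match with an implicit deny at the end and replaces the default security-level rule for everything entering that interface; only when no ACL is bound does "higher security-level may initiate to lower" apply. Run over the relevant lines of the posted config, it shows why ICMP from the DMZ laptop worked while DNS (UDP) and HTTP (TCP) did not, and that the same misapplied ACL also let ICMP from the DMZ into the inside. With the second access-group line removed, as the author did, the DMZ reaches the outside and is kept off the inside by security levels alone. The model handles only "any any" access-list entries and ignores NAT, inspection and return traffic; that simplification is an assumption made here, not ASA behaviour.

```python
"""Toy model of the ASA inbound access decision (added illustration, not Cisco's code).

An access-group bound inbound on an interface is evaluated first-match with an
implicit deny at the end, and replaces the default security-level rule for every
packet entering that interface.  Only when no ACL is bound does the ASA fall
back to "higher security-level may initiate to lower".  The model covers only
'any any' access-list entries and ignores NAT, inspection and return traffic
(an assumption made here to keep the example short).
"""
import re
from dataclasses import dataclass, field


@dataclass
class AsaModel:
    security_level: dict = field(default_factory=dict)  # nameif -> level
    acls: dict = field(default_factory=dict)            # ACL name -> [(action, proto)]
    inbound_acl: dict = field(default_factory=dict)     # nameif -> ACL bound inbound
    same_security_inter: bool = False                   # 'same-security-traffic permit inter-interface'


ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) any any$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")


def parse_asa_config(text: str) -> AsaModel:
    """Extract interface security levels, ACEs and inbound access-groups."""
    model = AsaModel()
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                     # new interface block, no nameif yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            model.security_level[nameif] = int(line.split()[1])
        elif line.startswith("access-list "):
            m = ACE_RE.match(line)
            if not m:
                raise ValueError(f"only 'any any' ACEs are modelled: {line}")
            model.acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := GROUP_RE.match(line):
            model.inbound_acl[m[2]] = m[1]
        elif line == "same-security-traffic permit inter-interface":
            model.same_security_inter = True
    return model


def acl_permits(model: AsaModel, acl_name: str, proto: str) -> bool:
    """First matching ACE wins; no match means the implicit deny."""
    for action, ace_proto in model.acls.get(acl_name, []):
        if ace_proto in ("ip", proto):
            return action == "permit"
    return False


def is_permitted(model: AsaModel, ingress: str, egress: str, proto: str) -> bool:
    """Can a new connection of `proto` entering `ingress` be routed out `egress`?"""
    acl = model.inbound_acl.get(ingress)
    if acl is not None:                       # a bound ACL overrides security levels
        return acl_permits(model, acl, proto)
    src, dst = model.security_level[ingress], model.security_level[egress]
    if src == dst:
        return model.same_security_inter
    return src > dst


# Constructed sample: the lines from the posted config that matter for the decision.
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan150
 nameif DMZ
 security-level 50
interface Vlan200
 nameif outside
 security-level 0
same-security-traffic permit intra-interface
access-list IPS extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_IN in interface DMZ
"""

# The author's fix: drop the extra access-group on the DMZ.
FIXED_CONFIG = POSTED_CONFIG.replace("access-group OUTSIDE_IN in interface DMZ\n", "")

FLOWS = [  # (ingress, egress, protocol)
    ("DMZ", "outside", "icmp"),   # ping 8.8.8.8 from the DMZ laptop
    ("DMZ", "outside", "udp"),    # DNS lookup of www.google.com
    ("DMZ", "outside", "tcp"),    # browsing to www.google.com
    ("DMZ", "inside", "icmp"),    # the DMZ should never reach the inside
    ("DMZ", "inside", "tcp"),
    ("outside", "DMZ", "tcp"),    # unsolicited inbound from the Internet
]


def decisions(config_text: str) -> dict:
    """Map each flow in FLOWS to the permit/deny decision under `config_text`."""
    model = parse_asa_config(config_text)
    return {flow: is_permitted(model, *flow) for flow in FLOWS}


if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_CONFIG), ("after the fix", FIXED_CONFIG)):
        print(label)
        for flow, ok in decisions(cfg).items():
            print("  %-8s -> %-8s %-5s %s" % (flow[0], flow[1], flow[2], "permit" if ok else "DENY"))
```

The check is worth repeating whenever an ACL written for one interface is bound to another: because an inbound access-group replaces the security-level default entirely, a permit list tailored for the outside both under-permits (everything but ICMP is dropped, so DNS and HTTP from the DMZ fail) and over-permits (ICMP from the DMZ into the inside is allowed) when it lands on the DMZ.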