
DNS Forwarder ASA 5506

SI YING TAN
Level 1

I was using the ASA 5505 (firmware version asa723-k8.bin) previously; the ASA could act as a DNS forwarder using the configuration below. All the PCs' DNS points to the default gateway.

static (outside,inside) tcp interface domain 192.168.99.100 domain netmask 255.255.255.255
static (outside,inside) udp interface domain 192.168.99.100 domain netmask 255.255.255.255

 

We purchased a new ASA 5506 to replace this ASA.

When I apply the same NAT config, it does not work.


nat (outside,inside) source static OBJ-192.168.99.100 interface service OBJ-UDP-domain OBJ-UDP-domain

nat (outside,inside) source static OBJ-192.168.99.100 interface service OBJ-TCP-domain OBJ-TCP-domain

 

Can anyone advise whether the new firewall can become a DNS forwarder/DNS proxy or not?

1 Reply

Ajay Saini
Level 7

Hello,

 

What I can understand is that you have a DNS server on the internal segment, 192.168.99.100, to which you need to forward the DNS traffic from outside. Please correct me if I am wrong.

 

If this is correct, first check the access-list on the outside interface.

Also, run a packet-tracer:

packet-tracer input outside udp x.x.x.x 4455 192.168.99.100 53

 

Reference link:

https://supportforums.cisco.com/t5/security-documents/troubleshooting-access-problems-using-packet-tracer/ta-p/3114976

 

-HTH

AJ

 
