10-11-2010 02:22 PM - edited 03-11-2019 11:53 AM
I need to be able to use the 'inside' IP address of an ASA 5510 (v8.2) as the recognized DNS server configured in TCP/IP settings on internal workstations.
I understand that the ASA cannot act as a DNS server, but can the "ip dns server" and "ip name-server x.x.x.x" commands be used to forward DNS requests to a known DNS server? If not, is there a known method to have the ASA forward a DNS request to a known DNS server?
Thanks.
10-11-2010 03:09 PM
jeff.carr wrote:
I need to be able to use the 'inside' IP address of an ASA 5510 (v8.2) as the recognized DNS server configured in TCP/IP settings on internal workstations.
I understand that the ASA cannot act as a DNS server, but can the "ip dns server" and "ip name-server x.x.x.x" commands be used to forward DNS requests to a known DNS server? If not, is there a known method to have the ASA forward a DNS request to a known DNS server?
Thanks.
Jeff
You could try this -
static (outside,inside) udp interface 53
Let me know if it works.
Jon
10-12-2010 06:39 AM
Thanks for the response, Jon.
Port forwarding seems like an available option. The only concern I have is that the known DNS server is on the internal network, so the command would have to look more like this.
static (inside,inside) udp interface 53
Any reason this should be a problem?
10-12-2010 07:41 AM
Jeff,
So is your DNS server on the inside along with your DNS clients and you want to hairpin on the ASA's inside?
If that is the case you need the "static (inside,inside)" and the command "same-security-interface permit intrA".
There would be a problem only if you have another static that conflicts with the static above.
I hope it helps.
PK
10-12-2010 09:30 AM
jeff.carr wrote:
Thanks for the response, Jon.
Port forwarding seems like an available option. The only concern I have is that the known DNS server is on the internal network, so the command would have to look more like this.
static (inside,inside) udp interface 53
53 netmask 255.255.255.255
Any reason this should be a problem?
Jeff
I'm confused now. If the DNS server is on the inside then why do the clients have to bounce off the ASA? Are they in a different subnet, and are both subnets routed off the ASA?
If so then PK has provided the answer.
Jon
10-12-2010 09:50 AM
PK and Jon, thanks for the attention. I believe the static (inside,inside) rule will be the best solution for this issue.
We are replacing an existing firewall that is also capable of acting as a DNS server. Internal users are all configured with statically assigned TCP/IP settings which identify the default gateway and the DNS server by the same IP address. We are trying to avoid having to change DNS server settings on all internal devices to accommodate the change in firewalls. DNS settings on the internal devices will likely be changed, just not wanting to have to address it during the firewall maintenance window. So I guess this is more of a workaround, not a final solution.
Thanks again.
10-12-2010 09:56 AM
Keep in mind that you will have asymmetric routing, but since it is stateless dns it won't matter.
In other words the host will be sending to the ASA, the ASA will be forwarding to the dns server. But if the server and the host are in the same subnet the dns server will be sending back to the client without going through the ASA. For UDP this will not cause issues. If it was TCP you would have stateful inspection issue because the ASA would be seeing only half the flow.
If the thread is solved, please mark it as such so others can benefit from it in the future.
PK
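A worked ASA 8.2 configuration for the (inside,inside) hairpin that PK describes, together with the verification steps that show the asymmetric UDP path from his last post. This is an added example, not configuration from any post in the thread; all addresses are constructed, and the real DNS server IP and capture/ACL names are placeholders you would replace.

```text
! ASA 8.2 - forward UDP/53 sent to the inside interface IP to an internal
! DNS server. Constructed addresses (assumptions, not from the thread):
!   inside interface IP  192.0.2.1   (clients already use it as gateway + DNS)
!   internal DNS server  192.0.2.10
!   example client       192.0.2.50
!
! 1. Allow a flow to enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface
!
! 2. Static port forward: real and mapped interface are both "inside";
!    "interface" stands for the inside interface IP, 192.0.2.10 is the
!    real server. UDP only - see the TCP caveat below.
static (inside,inside) udp interface 53 192.0.2.10 53 netmask 255.255.255.255
!
! 3. 8.2 does not rebuild existing translations; flush them once.
clear xlate
!
! --- verification ---
! Simulate a client query to the interface IP and confirm that the
! same-interface check and the NAT phase both allow it.
packet-tracer input inside udp 192.0.2.50 40000 192.0.2.1 53
!
! Show the translation in use.
show xlate
!
! Capture DNS on the inside interface. With server and clients in one
! subnet you only see client -> ASA -> server; the server answers the
! client directly, bypassing the ASA. That is harmless for stateless UDP,
! but it is why a matching tcp/53 static would see only half the flow and
! fail, so TCP fallback (truncated answers, zone transfers) is not covered.
access-list CAP_DNS extended permit udp any any eq 53
capture dnscap access-list CAP_DNS interface inside
show capture dnscap
no capture dnscap
```

Because this keeps port 53 bound to the gateway address only for the cutover window, remove the static once client DNS settings are repointed at the real server.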