MaDe
Beginner

DNS internal ASA5500

Good day all,

Short question...
I set up a new ASA for our branch office and everything is working fine. But I have a little problem with the ASA.
I am trying to configure my ASA in the branch office so that it can resolve internal hostnames to IPs. The problem is that our internal DNS servers are located in a different location and DNS works over a VPN. This is working for the branch office clients but not for the ASA.

Does someone have an idea, or is it by design...?

Thanks Markus

2 ACCEPTED SOLUTIONS
Jennifer Halim
Cisco Employee

The reason why it's not working is most probably that the ASA routes the DNS packet via its outside interface, hence the source IP is the ASA outside interface, while your VPN crypto ACL does not include the ASA outside interface; hence it's failing via the VPN.

To fix the issue, you can include the branch office ASA outside interface in the crypto ACL as the source IP towards the remote LAN, and mirror-image the ACL on the remote crypto ACL as well.

You would also need to configure NAT exemption on the remote server: NAT exemption between the remote LAN and the branch office ASA outside interface.

Hope that helps.


Example:

If your branch ASA outside interface is 1.1.1.1, and the remote LAN is 192.168.1.0/24, then:

branch ASA:

crypto ACL: permit ip host 1.1.1.1 192.168.1.0 255.255.255.0

remote ASA:

crypto ACL: permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1

The above is in addition to the crypto ACL that you already have in place.

And on the remote ASA:

your NAT exemption will be the same as your crypto ACL.

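Putting the two accepted answers together as one configuration, as an added example that is not from the original thread. It assumes ASA software 8.3 or later (object-based twice NAT) on the remote side, the addresses used in the thread (branch LAN 192.168.0.0/24 behind outside 1.1.1.1, remote LAN 192.168.1.0/24 behind outside 2.2.2.2), an internal DNS server at 192.168.1.10, and the interface, object and ACL names shown; the crypto map itself (peers, transform set, IKE policy) is assumed to exist already, and only the lines the thread adds are shown. All of these names and addresses are assumptions.

```text
! ===== Branch ASA (outside 1.1.1.1, inside 192.168.0.0/24) =====
! The ASA resolves names itself only on interfaces with domain-lookup enabled.
! Its route to 192.168.1.10 points out of "outside" (the VPN peer is reached
! that way), so the query is sourced from 1.1.1.1, not from the inside address.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.10
 domain-name corp.example
!
! Crypto ACL: the existing LAN-to-LAN line plus the new line that makes
! ASA-sourced traffic (host 1.1.1.1) "interesting" for the tunnel.
access-list L2L_TO_REMOTE extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_TO_REMOTE extended permit ip host 1.1.1.1 192.168.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_REMOTE
!
! ===== Remote ASA (outside 2.2.2.2, inside 192.168.1.0/24) =====
! Mirror image of the branch crypto ACL (same two entries, reversed).
access-list L2L_TO_BRANCH extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list L2L_TO_BRANCH extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
crypto map OUTSIDE_MAP 10 match address L2L_TO_BRANCH
!
! NAT exemption (identity twice NAT, 8.3+): the DNS reply to 1.1.1.1 must
! leave untranslated, or it will not match the crypto ACL on the way back.
object network REMOTE_LAN
 subnet 192.168.1.0 255.255.255.0
object network BRANCH_LAN
 subnet 192.168.0.0 255.255.255.0
object network BRANCH_ASA_OUTSIDE
 host 1.1.1.1
nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static BRANCH_LAN BRANCH_LAN
nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static BRANCH_ASA_OUTSIDE BRANCH_ASA_OUTSIDE
!
! Pre-8.3 equivalent of the NAT exemption on the remote ASA:
! access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
! nat (inside) 0 access-list NONAT
```

After the first lookup from the branch ASA, `show crypto ipsec sa` on either side should list a second SA pair for 1.1.1.1/32 to 192.168.1.0/24 next to the LAN-to-LAN pair, and `show dns-hosts` (`show dns` on newer releases) lists the names the ASA has resolved. Note that the added `permit ip host 1.1.1.1` entry sends all ASA-sourced traffic to the remote LAN through the tunnel, not only DNS (syslog, NTP, AAA to servers there as well), which is usually what you want; if the crypto ACL on one side is widened, the other side must be widened identically or the tunnel for that selector will not negotiate.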

5 REPLIES

Hi Jennifer,

thanks for your response. So, for beginners... I have to create the crypto ACL like this scheme:

branch_asa crypto acl
src: 192.168.0.0 --- dst: 192.168.1.0

src: 1.1.1.1

remote_asa crypto acl

src: 192.168.1.0 --- dst: 192.168.0.0

src: 2.2.2.2

Thanks,

Markus


Hi,

Perfect, that is working.

Thanks Markus

Excellent, thanks for the update.
