
DNS issues through PIX

timh
Level 1

This is my first time configuring a PIX. Once connected, I can ping through the PIX using an IP address, but when it comes to connecting to alpha addresses, it fails. Through the ASDM logs, the PIX does contact the DNS server. I assume it's a DNS issue, but I don't know what I'm missing. Below is the config. Any help would be appreciated.

LAN--L2 Switch--Pix515--cable modem--isp

PIX Version 8.0(4)
!
hostname pix515
domain-name example.com
enable password <omitted> encrypted
passwd <omitted> encrypted
names
!
interface Ethernet0
  nameif outside
  security-level 0
  ip address dhcp setroute
!
interface Ethernet1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
  domain-name example.com
access-list outside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image flash:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.20-10.0.0.254 inside
dhcpd dns x.x.x.x interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x
username admin password <omitted> encrypted
!
class-map inspection_default
  match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum server auto
    message-length maximum client auto
policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:806a71054e94151e2dfb454d7a089e52
: end
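The question the thread keeps circling back to is whether the DNS reply ever makes it back to the client, and that can be answered on the PIX itself with its built-in capture and packet-tracer features. The following is an added example, not part of the original post or any reply; it assumes the interface names from the posted config, an inside client at 10.0.0.20 (the first DHCP pool address) and the ISP resolver 63.13.16.30 that is named later in the thread. A query that appears in the inside capture and the outside capture but gets no reply on outside is being dropped upstream of the firewall; a reply that appears on outside but never on inside is being dropped by the firewall, and the asp-drop capture shows the drop reason (an inspect-dns reason would point at the preset_dns_map policy, an ACL reason at the access-group).

```text
! Added example (not from the thread): capture DNS on both sides of the PIX,
! catch firewall-side drops, and trace a query through the policy.
! Assumes client 10.0.0.20 and resolver 63.13.16.30.
access-list dnscap extended permit udp any any eq domain
access-list dnscap extended permit udp any eq domain any
capture dnsin  interface inside  access-list dnscap
capture dnsout interface outside access-list dnscap
! anything the firewall discards, with the reason, lands here
capture dnsdrop type asp-drop all
!
! now run nslookup on the PC, then compare what each side saw
show capture dnsin
show capture dnsout
show capture dnsdrop | include 53
show conn protocol udp port 53
!
! simulate the outbound query and see which phase (ACL, NAT, inspect) would drop it
packet-tracer input inside udp 10.0.0.20 40000 63.13.16.30 53
!
! clean up so the buffers and the extra ACL do not stay behind
no capture dnsin
no capture dnsout
no capture dnsdrop
no access-list dnscap extended permit udp any any eq domain
no access-list dnscap extended permit udp any eq domain any
```

The capture runs on the data path, so it does not require taking the network down; the only cost is the capture buffer. Run the nslookup a couple of times between enabling the captures and reading them, since the conn timeout for UDP in the posted config is two minutes and an earlier connection may still be open.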
4 Replies

Jennifer Halim
Cisco Employee

1) Where are you trying to ping to and from? Please share the IP address and DNS name that you try to ping.

2) Where is the DNS server and what is the DNS server IP address?

3) If you are doing "nslookup" on the hostname, which DNS server does it use and what does it resolve to?

4) Lastly, If the ASDM logs can see DNS request that means the initial request is going through, what about the DNS reply? Does the ASA see the DNS reply? You can check that with packet capture on the ASA interface.

Thanks for your reply. Hopefully this will answer the questions.

1) The successful ping was from a PC on the LAN to an external IP (one used by my work).

2) The DNS server is my ISP's DNS server 63.13.16.30 (which was included in the "dhcpd dns x.x.x.x interface inside" command above).

3) My "test" was to go to a web page from the same PC that could successfully ping to the outside world.

4) Maybe this will be different, but ASDM can see the "built" & "teardown" of the connection to the DNS server (63.13.16.30). The packet capture will need to be done later, since I will have to take down my current network that is currently in use.

praprama
Cisco Employee

Hi Tim,

Instead of opening a browser, try opening a command window on your PC and trying nslookup for a URL, like google.com. Also, try changing the DNS server to 4.2.2.2 and see if it works.

Regards,

Prapanch

Julio Carvajal
VIP Alumni

Hello Tim

So let's see if I understood your question. You want to ping a website by its URL, right?

You said your DNS is on the outside (ISP).

So try these two commands and let me know how it goes.

dns domain-lookup outside

dns name-server 4.2.2.2

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
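One caveat worth keeping in mind with the two commands above: dns domain-lookup and dns name-server configure name resolution for the firewall itself (ping or ssh to a hostname from the PIX CLI, and hostnames used in its own configuration). They do not change how DNS queries from PCs on the LAN are handled; those cross the firewall as ordinary UDP/53 connections, which is what the ASDM "built" and "teardown" messages earlier in the thread show. The following is an added example, not part of any reply, that puts the firewall-side DNS into the 8.0(4) server-group form already present in the posted config, keeps the DHCP clients pointed at the same resolver, and adds the verification steps. It assumes the ISP resolver 63.13.16.30 named earlier in the thread. It also touches the outside ACL from the posted config: applied inbound on the outside interface, permit ip 10.0.0.0/24 any matches only packets arriving from the Internet with a private source address, which outbound browsing from the inside (security-level 100 to 0) never needs and which are better dropped than permitted.

```text
! Added example (not from any reply): DNS for the firewall itself,
! DNS handed to DHCP clients, and the checks that show it working.
! Assumes the ISP resolver 63.13.16.30 named earlier in the thread.
dns domain-lookup outside
dns server-group DefaultDNS
  name-server 63.13.16.30
  domain-name example.com
!
! LAN clients keep receiving the same resolver from the PIX's DHCP server;
! client lookups are unaffected by domain-lookup above
dhcpd dns 63.13.16.30 interface inside
!
! verify from the firewall CLI: ping by name only works once domain-lookup is on
show running-config dns
ping example.com
show dns-hosts
!
! the inbound ACL as posted permits Internet packets with a 10.0.0.0/24 source;
! with no access-group on outside the PIX denies unsolicited inbound by default
no access-group outside_access_in in interface outside
```

If ping by name works from the PIX but browsing from the PC still fails, the firewall's own resolver settings were never the problem and the client-side capture is the next step; if the PC's nslookup times out while the PIX resolves the same name, compare the inside and outside captures for the client's query and its reply.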