DNS not working from LAN and DMZ on Cisco 3105

Cisco3105

Hello all,

None of the zones are able to resolve DNS. I can ping 8.8.8.8 from LAN and DMZ but cannot ping google.com. 

The DNS policy under policies > DNS is default

DNS server group under Objects > Object Management has all the ISP provided DNS servers

DNS under Devices > Platform settings has "Enable DNS name resolution by device" enabled and the server group added to it. "Interface Objects" has all the objects added to the list.

I can ping google.com from Devices > Threat Defense CLI

How can I ensure that the the DNS works from devices in LAN and DMZ?

Thanks


markcummins713

Keep in mind that troubleshooting network issues can be complex, and it's important to follow a systematic approach to isolate and resolve the problem. Be cautious when making web development changes to your network configuration, as improper adjustments can disrupt network services. If you're not confident in your ability to troubleshoot and resolve the issue, consider seeking the assistance of a network administrator or IT professional.

@Cisco3105 what DNS servers are the endpoints in the LAN/DMZ configured with? And is there an Access Control Policy rule to permit the endpoints to communicate with those DNS servers?

From the CLI of the FTD you can run the command system support firewall-engine-debug to filter on the endpoint IP address and confirm which firewall rule traffic is matching or if being denied.

Hello @Rob Ingram 

How do I check which DNS servers are attached to the endpoints?
I migrated the config from ASA 5545x to 3105, so I am assuming that the access control policy is in place.

This is not in production yet, so I can keep messing with it.

Run the command system support firewall-engine-debug to filter on the endpoint IP address and confirm which firewall rule traffic is matching or if being denied.

Or take a packet capture, filter on DNS from an endpoint IP address.

Have you configured DHCP relay under Devices -> Device Management -> Edit the FTD Device -> DHCP -> DHCP Relay? You need to configure the DHCP Servers tab as well as the DHCP Relay Agent tab.

--
Please remember to select a correct answer and rate helpful posts

Hello @Marius Gunnerud 

Do I need to enable DHCP relay for name resolution? The FTD is only handing out DHCP addresses to AnyConnect clients.

Sorry, thought I was answering a different post.  Just a few thoughts:

  • Have you allowed the DNS traffic in the access rules?
  • Have you verified the DNS servers configured on the host machines?
  • If you do an nslookup google.com 8.8.8.8 on a host machine does this return a result (assuming that DNS is allowed towards 8.8.8.8)?
--
Please remember to select a correct answer and rate helpful posts

DNS traffic is allowed in Access rule from any to any

Trusted DNS servers have been set

Nslookup works when I set the DNS to 8.8.8.8 but fails when I set it to the internal DNS server.

I have attached the topology for reference.

So routing is done on the Nexus switch? Do you have DNS snooping enabled?

Are you able to look up google.com on the DNS server itself?

--
Please remember to select a correct answer and rate helpful posts

Yes, the routing is done on the Nexus; DNS snooping isn't enabled. The current firewall is ASA 5545 and DNS works fine.

I am in the process of setting up an isolated network to test with the 3105, will keep you posted. 

Cisco3105

@Rob Ingram @Marius Gunnerud 

Here's the output from packet-tracer; the DNS server does not get a reply, but the trace logs don't show anything being blocked.

   1: 20:20:21.581055       192.168.1.10.48746 > 8.8.8.8.53:  udp 28 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Elapsed time: 11296 ns
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Elapsed time: 11296 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 3530 ns
Config:
Additional Information:
Found next-hop 38.140.221.81 using egress ifc  wan(vrfid:0)

Phase: 4
Type: OBJECT_GROUP_SEARCH
Subtype: 
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
 Source Object Group Match Count:       4
 Destination Object Group Match Count:  1
 Object Group Search:                   0

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 0 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit udp object-group DNSServers any object-group DNS_over_UDP rule-id 268436488 
access-list CSM_FW_ACL_ remark rule-id 268436488: ACCESS POLICY: FTD-Mig-ACP-1694711294 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436488: L7 RULE: Allow-From-DNS-Servers
object-group network DNSServers(hitcnt=1392, id=4026531841)
 network-object object DNSServer2(hitcnt=22)
 network-object object DNSServer1(hitcnt=1370)
 network-object object DNSServer3(hitcnt=0)
object-group service DNS_over_UDP udp
 port-object eq domain
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 6
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Elapsed time: 0 ns
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 9178 ns
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
service-policy global_policy global
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 7766 ns
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Elapsed time: 4236 ns
Config:
Additional Information:
New flow created with id 1229380, packet dispatched to next module

Phase: 13
Type: EXTERNAL-INSPECT
Subtype: 
Result: ALLOW
Elapsed time: 6354 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 83433 ns
Config:
Additional Information:
service: DNS(617), client: DNS(617), payload: (0), misc: (0)

Phase: 15
Type: SNORT
Subtype: SI-DNS
Result: ALLOW
Elapsed time: 8091 ns
Config:
DNS policy 862867808, Allow
Additional Information:
Matched domain google.com, action Allow

Phase: 16
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 32306 ns
Config:
Network 0, Inspection 0, Detection 0, Rule ID 268436488
Additional Information:
Starting rule matching, zone 1 -> 8, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, urls , hosts google.com, no xff
Matched rule ids 268436488 - Allow

Phase: 17
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 2824 ns
Config:
Additional Information:
Found next-hop 38.140.221.81 using egress ifc  wan(vrfid:0)

Phase: 18
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 353 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 38.140.221.81 on interface  wan
Adjacency :Active
MAC address e0ac.f127.b0ae hits 203 reference 29

Result:
input-interface: lan(vrfid:0)
input-status: up
input-line-status: up
output-interface: wan(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 180663 ns


  • is the WAN interface the correct interface for reaching the internet?  I see no NAT being implemented on the traffic in the packet-tracer output.
  • are there any other firewalls in the path between the FTD and internet?

set up a capture on both the lan and wan interfaces for this traffic and then see if you see both requests and replies in the output. 

--
Please remember to select a correct answer and rate helpful posts

The test I conducted today

1. The DMZ interface IP on the FTD is 10.11.11.1/24 and a computer in the zone is 10.11.11.2/24. I ran nslookup google.com 8.8.8.8 and got a reply

2. The LAN interface IP on the FTD is 10.10.10.9/30 and the nexus switch is directly connected to the FTD with the IP 10.10.10.10/30. The actual LAN subnet inside the office is 192.168.1.0/24

The computer IP address is 192.168.1.100. I ran nslookup google.com 8.8.8.8 and got a "request timed out" error.


Have you added a static route in your FTD from nexus to FTD?

like this: route LAN 192.168.1.0 255.255.255.0 10.10.10.10 1

How about your NAT?
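To make the two checks in the accepted answer concrete, here is an added Python example (not from the thread and not Cisco's code): it parses packet-tracer phases in the form posted above and flags that no NAT rule matched, and it does a longest-prefix route lookup against a routing table constructed from the thread's addressing (the route entries and interface names are assumptions) to show why a reply to 192.168.1.100 leaves via wan until the static route is added.

```python
import ipaddress

# Constructed excerpt in the shape of the packet-tracer output posted above:
# the NAT phase has an empty Config: section, i.e. no NAT rule matched.
TRACE = """\
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
"""

def parse_phases(text):
    """One dict per 'Phase:' block: its Type plus the lines under Config:."""
    phases, in_config = [], False
    for line in text.splitlines():
        if line.startswith("Phase:"):
            phases.append({"Type": "", "Config": []})
            in_config = False
        elif not phases or not line.strip():
            continue
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False  # Config: section ends here
        elif in_config:
            phases[-1]["Config"].append(line.strip())
        elif line.startswith("Type:"):
            phases[-1]["Type"] = line.split(":", 1)[1].strip()
    return phases

def nat_applied(phases):
    """True only if some NAT phase carried a matching rule under Config:."""
    return any(p["Type"] == "NAT" and p["Config"] for p in phases)

# Constructed FTD routing table from the thread's addressing (assumed):
# connected lan 10.10.10.8/30, dmz 10.11.11.0/24 and a default route out wan.
FTD_ROUTES = [("0.0.0.0/0", "38.140.221.81", "wan"),
              ("10.10.10.8/30", "connected", "lan"),
              ("10.11.11.0/24", "connected", "dmz")]
# The static route the accepted answer adds (route LAN 192.168.1.0 ...).
STATIC_LAN_ROUTE = ("192.168.1.0/24", "10.10.10.10", "lan")

def egress_for(route_table, dst):
    """Longest-prefix match: returns (network, next_hop, interface)."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh, ifc in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return best
```

Without the static route the DNS reply for 192.168.1.100 follows the default route out wan instead of back to the Nexus, while the DMZ host 10.11.11.2 is on a connected subnet, which matches the test results reported above.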
