10-30-2023 09:41 PM
Hello all,
None of the zones are able to resolve DNS. I can ping 8.8.8.8 from LAN and DMZ but cannot ping google.com.
The DNS policy under policies > DNS is default
DNS server group under Objects > Object Management has all the ISP provided DNS servers
DNS under Devices > Platform settings has "Enable DNS name resolution by device" enabled and the server group added to it. "Interface Objects" has all the objects added to the list.
I can ping google.com from Devices > Threat Defense CLI
How can I ensure that the DNS works from devices in LAN and DMZ?
Thanks
10-30-2023 09:45 PM - edited 11-04-2023 09:18 AM
Keep in mind that troubleshooting network issues can be complex, and it's important to follow a systematic approach to isolate and resolve the problem. Be cautious when making web development changes to your network configuration, as improper adjustments can disrupt network services. If you're not confident in your ability to troubleshoot and resolve the issue, consider seeking the assistance of a network administrator or IT professional.
10-31-2023 01:01 AM
@Cisco3105 what DNS servers are the endpoint in the LAN/DMZ configured with? And is there an Access Control Policy rule to permit the endpoints to communicate with those DNS servers?
From the CLI of the FTD you can run the command system support firewall-engine-debug to filter on the endpoint IP address and confirm which firewall rule traffic is matching or if being denied.
10-31-2023 05:28 AM
Hello @Rob Ingram
How do I check which DNS servers are attached to the endpoints?
I migrated the config from ASA 5545x to 3105 thus assuming that the access control policy is in place
This is not in production yet, so I can keep messing with it.
10-31-2023 05:33 AM
Run the command system support firewall-engine-debug to filter on the endpoint IP address and confirm which firewall rule traffic is matching or if being denied.
Or take a packet capture, filter on DNS from an endpoint IP address.
10-31-2023 05:35 AM
Have you configured DHCP relay under Devices -> Device Management -> Edit the FTD Device -> DHCP -> DHCP Relay? You need to configure the DHCP Servers tab as well as the DHCP Relay Agent tab.
10-31-2023 07:24 AM - edited 10-31-2023 07:24 AM
Hello @Marius Gunnerud
Do I need to enable DHCP relay for name resolution? The FTD is only handing out DHCP addresses to AnyConnect clients.
10-31-2023 07:44 AM
Sorry, thought I was answering a different post. Just a few thoughts:
So routing is done on the Nexus switch? Do you have DNS snooping enabled?
Are you able to look up google.com on the DNS server itself?
11-01-2023 07:51 AM
Yes, the routing is done on Nexus; DNS snooping isn't enabled. The current firewall is ASA 5545 and DNS works fine.
I am in the process of setting up an isolated network to test with the 3105, will keep you posted.
11-01-2023 03:34 PM
Here's the output from packet-tracer. The DNS server does not get a reply, but the trace logs don't show anything being blocked.
1: 20:20:21.581055 192.168.1.10.48746 > 8.8.8.8.53: udp 28
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 11296 ns
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 11296 ns
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 3530 ns
Config:
Additional Information:
Found next-hop 38.140.221.81 using egress ifc wan(vrfid:0)
Phase: 4
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 4
Destination Object Group Match Count: 1
Object Group Search: 0
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 0 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit udp object-group DNSServers any object-group DNS_over_UDP rule-id 268436488
access-list CSM_FW_ACL_ remark rule-id 268436488: ACCESS POLICY: FTD-Mig-ACP-1694711294 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436488: L7 RULE: Allow-From-DNS-Servers
object-group network DNSServers(hitcnt=1392, id=4026531841)
network-object object DNSServer2(hitcnt=22)
network-object object DNSServer1(hitcnt=1370)
network-object object DNSServer3(hitcnt=0)
object-group service DNS_over_UDP udp
port-object eq domain
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 9178 ns
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 7766 ns
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 4236 ns
Config:
Additional Information:
New flow created with id 1229380, packet dispatched to next module
Phase: 13
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 6354 ns
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 14
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 83433 ns
Config:
Additional Information:
service: DNS(617), client: DNS(617), payload: (0), misc: (0)
Phase: 15
Type: SNORT
Subtype: SI-DNS
Result: ALLOW
Elapsed time: 8091 ns
Config:
DNS policy 862867808, Allow
Additional Information:
Matched domain google.com, action Allow
Phase: 16
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 32306 ns
Config:
Network 0, Inspection 0, Detection 0, Rule ID 268436488
Additional Information:
Starting rule matching, zone 1 -> 8, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, urls , hosts google.com, no xff
Matched rule ids 268436488 - Allow
Phase: 17
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 2824 ns
Config:
Additional Information:
Found next-hop 38.140.221.81 using egress ifc wan(vrfid:0)
Phase: 18
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 353 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 38.140.221.81 on interface wan
Adjacency :Active
MAC address e0ac.f127.b0ae hits 203 reference 29
Result:
input-interface: lan(vrfid:0)
input-status: up
input-line-status: up
output-interface: wan(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 180663 ns
11-01-2023 03:57 PM
set up a capture on both the lan and wan interfaces for this traffic and then see if you see both requests and replies in the output.
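Added example, not code from the thread or from Cisco: a small Python script that takes the per-packet summary lines from two FTD captures (one on lan, one on wan, in the `N: timestamp src.port > dst.port: udp len` format shown in the packet-tracer output above) and reports, for every DNS query a client sent, how far the request and the reply got. The client address 192.168.1.100 comes from the thread; the captures and the PAT address 203.0.113.5 are constructed.

```python
import re

# Matches the per-packet line an FTD capture prints, e.g. "1: 20:20:21.581055 192.168.1.10.48746 > 8.8.8.8.53: udp 28"
PKT_RE = re.compile(r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+udp\s+\d+")

def parse_capture(text):
    """Return (src, sport, dst, dport) for every UDP packet line in a capture."""
    pk = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pk.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pk

def diagnose_dns(lan_text, wan_text, client_ip, dns_port=53):
    """For each DNS query the client sent, say how far the request and reply got. On wan the
    flow is matched by (server, client source port) only, so it works whether or not PAT
    rewrote the client address (assumes PAT kept the source port, which FTD tries first)."""
    lan, wan = parse_capture(lan_text), parse_capture(wan_text)
    queries = {(d, sp) for s, sp, d, dp in lan if s == client_ip and dp == dns_port}
    report = {}
    for server, cport in sorted(queries):
        req_wan = any(d == server and sp == cport and dp == dns_port for _, sp, d, dp in wan)
        rep_wan = any(s == server and sp == dns_port and dp == cport for s, sp, _, dp in wan)
        rep_lan = any(s == server and sp == dns_port and (d, dp) == (client_ip, cport)
                      for s, sp, d, dp in lan)
        if rep_lan:
            verdict = "ok: request and reply seen on both interfaces"
        elif rep_wan:
            verdict = "reply on wan only: check return route to client subnet and NAT"
        elif req_wan:
            verdict = "request on wan, no reply: upstream resolver or ISP path"
        else:
            verdict = "request on lan only: check access control, NAT and egress route"
        report[(server, cport)] = verdict
    return report

# Constructed sample captures (not from the thread); 203.0.113.5 is an assumed PAT address.
LAN_CAP = """\
1: 20:20:21.581055 192.168.1.100.48746 > 8.8.8.8.53: udp 28
2: 20:20:23.100000 192.168.1.100.51000 > 8.8.4.4.53: udp 28
3: 20:20:23.140000 8.8.4.4.53 > 192.168.1.100.51000: udp 44
4: 20:20:25.000000 192.168.1.100.52000 > 1.1.1.1.53: udp 28
"""
WAN_CAP = """\
1: 20:20:21.581200 203.0.113.5.48746 > 8.8.8.8.53: udp 28
2: 20:20:21.600000 8.8.8.8.53 > 203.0.113.5.48746: udp 44
3: 20:20:23.100100 203.0.113.5.51000 > 8.8.4.4.53: udp 28
4: 20:20:23.139000 8.8.4.4.53 > 203.0.113.5.51000: udp 44
"""
```

Run `diagnose_dns(LAN_CAP, WAN_CAP, "192.168.1.100")` on the sample: the 8.8.8.8 query shows a reply arriving on wan that never appears on lan, which is the symptom a missing return route for 192.168.1.0/24 toward the Nexus would produce.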
11-02-2023 11:52 AM
The test I conducted today
1. The DMZ interface IP on the FTD is 10.11.11.1/24 and a computer in the zone is 10.11.11.2/24. I ran nslookup google.com 8.8.8.8 and got a reply
2. The LAN interface IP on the FTD is 10.10.10.9/30 and the nexus switch is directly connected to the FTD with the IP 10.10.10.10/30. The actual LAN subnet inside the office is 192.168.1.0/24
The computer IP address is 192.168.1.100. I ran nslookup google.com 8.8.8.8 and got a "request timed out" error.
11-02-2023 01:42 PM
Have you added a static route in your FTD from nexus to FTD?
Like this: route LAN 192.168.1.0 255.255.255.0 10.10.10.10 1
How about your NAT?