03-13-2014 05:31 AM - edited 03-11-2019 08:56 PM
Hi guys,
I don't understand why the ASA is not able to resolve names whenever I apply following command:
crypto map [map_name] interface outside
Without above command the ASA will be able to resolve names immediately without issue.
Without command above, I can see packets leaving on outside interface when I ping google.com. But once above command is applied, I don't see the packet leaving any interfaces. I know this because I have configured packet capture on outside/inside/mgmt interfaces and also by using logging/monitoring feature on ASDM.
Can someone help or explain why the ASA behaves like this? Any thoughts/enlightenment are appreciated.
Best regards,
03-13-2014 04:57 PM
Rudy
Do you mean when you apply the crypto map MAP to the outside interface ?
If so your crypto acl is -
access-list VPN-TRAFFIC extended permit esp any any
access-list VPN-TRAFFIC extended permit udp any any
access-list VPN-TRAFFIC extended permit ip object LOCAL_NET object REMOTE_NET
Note the second line, which says to send any UDP packets from any source IP down the VPN tunnel.
DNS uses UDP to make queries so they are being sent down the VPN tunnel rather than going out of the outside interface to the internet.
You need to modify the above acl.
Jon
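To make Jon's point concrete, here is an added example (my own, not from the thread or from Cisco) that simulates the ASA's first-match evaluation of a crypto ACL against a DNS query, comparing the posted ACL with one that only lists the LOCAL_NET/REMOTE_NET pair. The prefixes behind LOCAL_NET and REMOTE_NET, the inside host, the ASA outside address and the DNS server address are all constructed placeholders, since the thread does not give them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders for the thread's object names (real prefixes are not on the page).
OBJECTS = {
    "LOCAL_NET": ipaddress.ip_network("192.0.2.0/24"),
    "REMOTE_NET": ipaddress.ip_network("198.51.100.0/24"),
}

@dataclass
class Ace:
    proto: str  # "ip", "udp", "tcp", "esp"
    src: str    # "any" or an object name
    dst: str

def parse_acl(text):
    """Parse 'access-list NAME extended permit PROTO [object] SRC [object] DST' lines.
    Subset only: no port qualifiers, no deny lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        addrs = [t for t in tok[5:] if t != "object"]
        aces.append(Ace(proto=tok[4], src=addrs[0], dst=addrs[1]))
    return aces

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in OBJECTS[spec]

def first_match(aces, proto, src, dst):
    """Index of the first ACE selecting the flow for the tunnel, or None.
    Crypto ACLs are evaluated top-down; 'ip' matches every protocol."""
    for i, ace in enumerate(aces):
        if (ace.proto in ("ip", proto)
                and _addr_ok(ace.src, src) and _addr_ok(ace.dst, dst)):
            return i
    return None

ORIGINAL_ACL = """
access-list VPN-TRAFFIC extended permit esp any any
access-list VPN-TRAFFIC extended permit udp any any
access-list VPN-TRAFFIC extended permit ip object LOCAL_NET object REMOTE_NET
"""
FIXED_ACL = "access-list VPN-TRAFFIC extended permit ip object LOCAL_NET object REMOTE_NET"

def dns_is_tunneled(acl_text, src, dns_server="203.0.113.53"):
    """True if a UDP/53 query from src to the (placeholder) DNS server hits the crypto map."""
    return first_match(parse_acl(acl_text), "udp", src, dns_server) is not None
```

With the posted ACL, a query from an inside host (192.0.2.10) and one from the ASA's own outside address (placeholder 203.0.113.1) both hit line 2 and are steered into the tunnel; with the single LOCAL_NET/REMOTE_NET line neither is, while traffic between the two sites still matches.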
03-14-2014 02:00 AM
Hi Jon, that does it! What you say totally makes sense, and I'm not sure why I didn't realize it sooner even though I have checked the ACL hundreds of times.
Thanks a lot for your help, I appreciate it!