06-12-2008 06:22 AM - edited 03-11-2019 05:58 AM
I have a DMZ on my ASA 5510 that is working for everything except internal DNS. If I try to ping an internal IP of 192.168.200.10 it responds but if I try to ping that IP by name it won't resolve.
This is the DMZ related part of the config:
static (Inside,DMZ1) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (Inside,DMZ1) 192.168.16.0 192.168.16.0 netmask 255.255.248.0
static (Inside,DMZ1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.15 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.45 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.61 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.51 eq 54321
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.100.7 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.3 eq www
access-list dmz1 extended permit icmp any any echo
access-list dmz1 extended permit icmp any any echo-reply
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1 extended permit ip any any
I believe that I'm allowing DNS through the 'eq domain' statements above, but the only way I have had it working is to create a hosts file on the DMZ server. Any thoughts?
06-12-2008 06:34 AM
Define which subnet you want to come in, in the ACL, as right now all you have is 192.168.0.x 255.255.255.0 allowed for DNS.
Hope it helps
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
06-12-2008 06:40 AM
I do not understand what you are trying to say.
Doesn't my statement allow anything in the 192.168.0.0/24 subnet to pass DNS to 192.168.200.21?
06-12-2008 06:45 AM
Right now you are only allowing the following subnets:
static (Inside,DMZ1) 192.168.16.0 192.168.16.0 netmask 255.255.248.0
static (Inside,DMZ1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0
No 192.168.0.0 is defined. Or you can change the mask in the ACL to, for example:
access-list dmz1 extended permit tcp 192.168.0.0 255.255.0.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.0.0 host 192.168.200.21 eq domain
Note: the mask changed.
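The mask discussion above comes down to ordered, first-match ACL evaluation. The following Python script is an added example, not code from this thread or from Cisco: it parses the dmz1 access-list exactly as posted, applies the suggested mask change to the two 192.168.200.21 "domain" lines, and reports which entry a given flow hits. It assumes first-match-wins with an implicit deny at the end, resolves only the port names this ACL uses (domain, www), and ignores ICMP type keywords; the flows it evaluates are constructed test inputs.

```python
"""Ordered evaluation of the 'dmz1' access-list from this thread (added example).

Assumptions (not from the thread): first match wins with an implicit deny at
the end, 'eq' names resolve via the small table below, ICMP types are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"domain": 53, "www": 80}   # only the names this ACL uses

# The access-list exactly as posted in the question
ORIGINAL_ACL = [
    "access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.15 eq 1433",
    "access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.45 eq 1433",
    "access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.61 eq 1433",
    "access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.51 eq 54321",
    "access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.100.7 eq 1433",
    "access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.3 eq www",
    "access-list dmz1 extended permit icmp any any echo",
    "access-list dmz1 extended permit icmp any any echo-reply",
    "access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain",
    "access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain",
    "access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain",
    "access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain",
    "access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.248.0",
    "access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0",
    "access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0",
    "access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0",
    "access-list dmz1 extended permit ip any any",
]

# The mask change suggested in the thread (255.255.255.0 -> 255.255.0.0 on the .21 lines)
WIDENED_ACL = [
    line.replace("192.168.0.0 255.255.255.0 host 192.168.200.21",
                 "192.168.0.0 255.255.0.0 host 192.168.200.21")
    for line in ORIGINAL_ACL
]


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None: any port (or a protocol without ports)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """access-list NAME extended ACTION PROTO SRC DST [eq PORT] [icmp-type]"""
    t = line.split()
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[str], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Return (action, matching ACE text) for a flow; ('deny', None) if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        ace = parse_ace(line)
        if ace.proto not in ("ip", proto):      # 'ip' entries match every protocol
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, line
    return "deny", None


if __name__ == "__main__":
    # Constructed flows: the DMZ web server's DNS query, a host outside /24, and a blocked flow
    flows = [("udp", "192.168.0.25", "192.168.200.21", 53),
             ("udp", "192.168.3.10", "192.168.200.21", 53),
             ("tcp", "192.168.0.25", "192.168.16.5", 445)]
    for name, acl in (("original", ORIGINAL_ACL), ("widened", WIDENED_ACL)):
        for flow in flows:
            print(name, flow, "->", evaluate(acl, *flow))
```

Running it shows that the DMZ server's own query (192.168.0.25 to 192.168.200.21, UDP 53) already hits the posted "udp ... eq domain" line, and a source outside 192.168.0.0/24 still gets through on the trailing "permit ip any any"; the mask change only moves that second flow onto the explicit domain line. That is consistent with the ACL edits in this thread not changing the result.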
06-12-2008 07:04 AM
I tried both of the above suggestions and neither of them worked.
06-12-2008 07:13 AM
Sorry, I didn't read the full question, as you are trying to get there via name. Do a packet trace in the GUI and it will tell you exactly where it fails.
06-12-2008 07:30 AM
I did a packet trace through the ASDM and got the following:
Result - The packet is dropped.
Info: (inspect-dns-invalid-pak) DNS Inspect invalid packet
Does this mean I need to do something to the inspection list?
06-12-2008 07:37 AM
Can you post the packet-tracer output?
packet-tracer input DMZ1 udp 192.168.0.5 1025 192.168.200.21 53 detailed
also "show run all policy-map"
Regards
Farrukh
06-12-2008 07:43 AM
Below is the output from those commands. I changed the 192.168.0.5 to 192.168.0.25 because it is actually the IP of my webserver in the DMZ.
EDIT: I had to attach the results in the following message. Please see below for the attachment. Thank you.
06-12-2008 07:48 AM
06-12-2008 08:13 AM
The output you are seeing seems normal (because we are sending a NON-DNS packet on the DNS port). Try adding the following lines to your config:
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
no message-length maximum server
no message-length maximum client
no dns-guard
no protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
Or even
policy-map global_policy
class inspection_default
no inspect dns migrated_dns_map_1
Regards
Farrukh
06-12-2008 08:37 AM
I tried to adjust the inspect dns parameters and that didn't work so I completely removed the inspect dns entry and that did not work either. I still get the same 'DNS Inspect invalid packet'.
06-12-2008 08:52 AM
No please stop using the packet-tracer.
Now use that DMZ machine to do an actual nslookup
Regards.
Farrukh
06-12-2008 08:58 AM
That worked. Thank you.
06-12-2008 09:05 AM
Ok great. If you like you can put the DNS map back, and try which of those commands was actually causing the problem by enabling one at a time and then checking: the 512 limit, the protocol enforcement or dns-guard. Just make sure you do clear local-host after every change.
Regards
Farrukh
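The resolution above rests on two points: packet-tracer puts a payload on UDP/53 that is not a DNS message, so DNS inspection drops it and reports inspect-dns-invalid-pak even though a real nslookup works; and the inspection's message-length maximum (512 by default, raised to 1024 in the suggested map) drops otherwise valid messages that are too large. The script below is an added example, not from the thread or from Cisco, and is a simplified model of those checks rather than the ASA's inspection engine. It builds well-formed DNS queries with struct, feeds them and two constructed non-DNS payloads through the checker, and shows which reason each one is dropped for. The names and the "packet-tracer style" payloads are constructed assumptions.

```python
"""Simplified model of what a DNS inspection check sees on UDP/53 (added example).

Assumptions (not from the thread): the checker below is a stand-in for ASA DNS
inspection, and the "packet-tracer style" payloads are guesses at a non-DNS
datagram (empty, or 12 zero bytes), not a capture of what the ASA sends.
"""
import struct
from typing import List, Optional, Tuple, Union


def build_query(names: Union[str, List[str]], qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query (RD set) with one question per name, as a resolver would."""
    if isinstance(names, str):
        names = [names]
    header = struct.pack("!HHHHHH", txid, 0x0100, len(names), 0, 0, 0)
    body = b""
    for name in names:
        body += b"".join(bytes([len(label)]) + label.encode("ascii")
                         for label in name.split(".")) + b"\x00"
        body += struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS IN
    return header + body


def _parse_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Parse an uncompressed name; compression pointers do not occur in a query's question."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln > 63:
            raise ValueError("label longer than 63 octets or compression pointer")
        if off + 1 + ln > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii", errors="replace"))
        off += 1 + ln
        if sum(len(l) + 1 for l in labels) > 255:
            raise ValueError("name longer than 255 octets")


def inspect_dns(payload: bytes, max_len: int = 512) -> Tuple[bool, Optional[str]]:
    """Return (accepted, detail). detail is the drop reason, or the first question name."""
    if len(payload) > max_len:                        # the thread's message-length maximum
        return False, f"message length {len(payload)} exceeds maximum {max_len}"
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 5:                                    # 0-5 are assigned (RFC 1035, 1996, 2136)
        return False, f"reserved opcode {opcode}"
    if qd == 0:
        return False, "no question section"
    off, first = 12, None
    try:
        for _ in range(qd):
            name, off = _parse_name(payload, off)
            if off + 4 > len(payload):
                return False, "question truncated"
            off += 4                                  # skip QTYPE and QCLASS
            first = first or name
    except ValueError as exc:
        return False, str(exc)
    if an == ns == ar == 0 and off != len(payload):
        return False, "trailing bytes after question section"
    return True, first


# Constructed inputs
REAL_QUERY = build_query("server.example.com")        # what nslookup would send
BIG_QUERY = build_query([f"host{i:02d}.example.com" for i in range(25)])   # 612 bytes
TRACER_STYLE = [b"", b"\x00" * 12]                    # assumed non-DNS payloads on port 53

if __name__ == "__main__":
    print("nslookup-style query:", inspect_dns(REAL_QUERY))
    for p in TRACER_STYLE:
        print("non-DNS payload:", inspect_dns(p))
    print("612-byte query, max 512:", inspect_dns(BIG_QUERY))
    print("612-byte query, max 1024:", inspect_dns(BIG_QUERY, max_len=1024))
```

The point for a defender is the testing method: a synthetic probe on the service port tells you what the inspection engine thinks of that probe, not whether the application's real traffic will pass, so a drop reason that names the inspector (inspect-dns-invalid-pak) is a cue to test with the real client before touching the ACLs or disabling the inspection.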