06-12-2008 06:22 AM - edited 03-11-2019 05:58 AM
I have a DMZ on my ASA 5510 that is working for everything except internal DNS. If I try to ping an internal IP of 192.168.200.10 it responds but if I try to ping that IP by name it won't resolve.
This is the DMZ related part of the config:
static (Inside,DMZ1) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (Inside,DMZ1) 192.168.16.0 192.168.16.0 netmask 255.255.248.0
static (Inside,DMZ1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.15 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.45 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.61 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.51 eq 54321
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.100.7 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.3 eq www
access-list dmz1 extended permit icmp any any echo
access-list dmz1 extended permit icmp any any echo-reply
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1 extended permit ip any any
I believe that I'm allowing DNS through the 'eq domain' statements above, but the only way I have had it working is to create a hosts file on the DMZ server. Any thoughts?
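To check what the posted dmz1 access list actually does for a given flow, here is a small first-match evaluator (an added example, not code from the thread or from Cisco). It handles only the ASA syntax used in the lines above (permit/deny, tcp/udp/icmp/ip, host/any/address-mask, 'eq' ports, icmp type keywords) and ends with the implicit deny every ASA ACL has. The ACL text is copied verbatim from the post; the flows checked at the bottom are constructed for illustration.

```python
"""First-match evaluator for the 'access-list dmz1 extended ...' lines in the post.
Added example; only the syntax present in those lines is supported."""
import ipaddress

PORT_NAMES = {"domain": 53, "www": 80}      # names as used in the posted ACL
ICMP_TYPES = {"echo": 8, "echo-reply": 0}   # ICMP type numbers for the keywords used

# The ACL exactly as posted, in its original order (order matters: first match wins).
DMZ1_ACL = """\
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.15 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.45 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.61 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.51 eq 54321
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.100.7 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.3 eq www
access-list dmz1 extended permit icmp any any echo
access-list dmz1 extended permit icmp any any echo-reply
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1 extended permit ip any any
""".splitlines()


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'address mask' form; ASA ACLs take a normal subnet mask, not a wildcard mask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list <name> extended <permit|deny> <proto> <src> [eq p] <dst> [eq p|icmp-type]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto = t[3], t[4]
    src, i = _addr(t, 5)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    icmp_type = ICMP_TYPES[t[i]] if proto == "icmp" and i < len(t) else None
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp_type": icmp_type}


def _matches(ace, proto, src, dst, dport, sport, icmp_type):
    """True if the flow is covered by this ACE ('ip' covers every protocol)."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if src not in ace["src"] or dst not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != sport:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
        return False
    return True


def evaluate(acl_lines, proto, src, dst, dport=None, sport=None, icmp_type=None):
    """Return (action, matching line) for the first ACE that covers the flow.
    Falls through to ('deny', None): the implicit deny at the end of every ASA ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        if _matches(parse_ace(line), proto, src, dst, dport, sport, icmp_type):
            return parse_ace(line)["action"], line
    return "deny", None


if __name__ == "__main__":
    # Constructed flows: a DMZ host in 192.168.0.0/24 talking to the inside DNS server and others.
    for flow in [("udp", "192.168.0.25", "192.168.200.21", 53),
                 ("udp", "192.168.0.25", "192.168.200.22", 53),
                 ("tcp", "192.168.0.26", "192.168.200.15", 1433)]:
        print(flow, "->", evaluate(DMZ1_ACL, *flow[:3], dport=flow[3]))
```

Run as written it shows that UDP/53 from a 192.168.0.0/24 host to 192.168.200.21 is permitted by the 'eq domain' line, while the same query to any other inside address, or any other port to 192.168.200.21, falls to the 'deny ip' lines; sources outside 192.168.0.0/24 reach the final 'permit ip any any'. The thread does not include the accepted fix, so the evaluator only tells you whether the ACL is the thing blocking a flow, not what the actual problem was.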
09-16-2008 09:05 AM
This issue was giving me a hard time too. I tried your fix and it worked great. Thanks Farrukh! Your posts are always helpful.
And.... what's up with the packet tracer? Sometimes it's helpful and other times it's very misleading.
09-16-2008 12:14 PM
The packet-tracer was just used to make sure the firewall function is OK. It does not really generate a 'valid DNS packet', so it would not be a proper test. That's why I asked to stop using the packet tracer and test using a real DNS packet.
Anyway I'm glad I could help :)
Regards
Farrukh
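The reply above makes the point that packet-tracer only exercises the firewall's policy path and does not send a real DNS packet. The following is an added example (not from the thread, Cisco, or the poster) of the kind of test it recommends instead: a minimal DNS client, standard library only, that builds a genuine A-record query, sends it over UDP to the server you name, and parses the reply. The server address and hostname you pass on the command line are yours to choose; the sample reply at the bottom is constructed so the builder and parser can be checked without a network.

```python
"""Minimal DNS A-query client for testing resolution through a firewall with a real packet.
Added example; RFC 1035 wire format, no third-party modules."""
import random
import socket
import struct


def build_query(name, txid=None):
    """Build a standard recursive A query for 'name' (RFC 1035 section 4.1)."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    flags = 0x0100                                       # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # one question, no other records
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a possibly compressed name (RFC 1035 section 4.1.4); return (name, next offset)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2                         # the pointer ends this name in the stream
            jumped, offset = True, struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Return {'txid', 'rcode', 'answers': [(name, ttl, ipv4), ...]} for the A records in a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):                                  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:    # A record, class IN
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def resolve(name, server, timeout=2.0):
    """Send one query to server:53 over UDP and return the parsed reply.
    A timeout here while ping to the same server works means UDP/53 itself is not getting through."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(512)
    parsed = parse_response(reply)
    if parsed["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")     # reply does not belong to our query
    return parsed


# Constructed sample (not captured traffic): reply to an A query for host.example.test
# with one answer, 192.0.2.10, TTL 300; the answer name is a pointer back to the question.
SAMPLE_QUERY = build_query("host.example.test", txid=0x1234)
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
                + SAMPLE_QUERY[12:]                                   # echoed question
                + b"\xc0\x0c"                                         # pointer to qname at offset 12
                + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    import sys
    # usage: python dnscheck.py <hostname> <dns-server-ip>   (both are placeholders you supply)
    print(resolve(sys.argv[1], sys.argv[2]))
```

Run from the DMZ host against the inside DNS server, this sends the same kind of datagram a resolver would, so a reply (or a timeout) reflects what the firewall and the server actually do with UDP/53 rather than what packet-tracer's synthetic packet suggests; rcode 3 in the reply means the server answered but does not know the name, which is a server-side issue rather than a firewall one.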