DNS through DMZ not working

qbakies11
Level 1

I have a DMZ on my ASA 5510 that is working for everything except internal DNS. If I try to ping an internal IP of 192.168.200.10 it responds but if I try to ping that IP by name it won't resolve.

This is the DMZ related part of the config:

static (Inside,DMZ1) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
static (Inside,DMZ1) 192.168.16.0 192.168.16.0 netmask 255.255.248.0
static (Inside,DMZ1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.15 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.45 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.61 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.51 eq 54321
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.100.7 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.3 eq www
access-list dmz1 extended permit icmp any any echo
access-list dmz1 extended permit icmp any any echo-reply
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1 extended permit ip any any

I believe that I'm allowing DNS through the 'eq domain' statements above, but the only way I have been able to get it working is to create a hosts file on the DMZ server. Any thoughts?
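An added example, not from the post and not Cisco code: a small first-match evaluator for the dmz1 access-list quoted above, which is how the ASA walks an interface ACL (the first matching entry wins, and an entry with a protocol or port that does not match is simply skipped). It handles only the syntax that list actually uses (permit/deny; ip, tcp, udp, icmp; any / host X / network mask; 'eq port' on the destination; an ICMP type name). The flows checked at the bottom are assumptions for illustration; the post does not say which resolver the DMZ server is configured with, and 192.168.0.25 is used only because the list names it as a source.

```python
"""Added example: first-match evaluation of the 'dmz1' access-list posted above.

Not Cisco code and not from the original post. Parses the subset of ASA
extended-ACL syntax used in that list and returns the first matching entry
for a flow. The flows in __main__ are assumed for illustration.
"""
import ipaddress

# The access-list lines transcribed from the post (assumed applied inbound on DMZ1).
DMZ1_ACL = """
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.15 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.45 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.61 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.51 eq 54321
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.100.7 eq 1433
access-list dmz1 extended permit tcp host 192.168.0.25 host 192.168.200.3 eq www
access-list dmz1 extended permit icmp any any echo
access-list dmz1 extended permit icmp any any echo-reply
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.21 eq domain
access-list dmz1 extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended permit udp 192.168.0.0 255.255.255.0 host 192.168.200.7 eq domain
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz1 extended deny ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1 extended permit ip any any
""".strip().splitlines()

# Only the service names that appear in the list above.
NAMED_PORTS = {"www": 80, "domain": 53}


def parse_addr(tokens, i):
    """Consume one address spec (any | host X | network mask) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network mask" form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """access-list <name> extended <action> <proto> <src> <dst> [eq <port> | <icmp-type>]"""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    src, i = parse_addr(t, 5)
    dst, i = parse_addr(t, i)
    port = icmp_type = None
    if i < len(t):
        if t[i] == "eq":
            port = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
        elif t[4] == "icmp":
            icmp_type = t[i]
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst,
            "port": port, "icmp_type": icmp_type, "line": line}


def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    """Return (action, matching line) for the first ACE that matches the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):        # 'ip' matches every protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny at end of access-list"


if __name__ == "__main__":
    # Assumed flows: a DMZ host 192.168.0.25 probing inside hosts and an outside resolver.
    for flow in [("icmp", "192.168.0.25", "192.168.200.10", None, "echo"),
                 ("udp", "192.168.0.25", "192.168.200.21", 53, None),
                 ("udp", "192.168.0.25", "192.168.200.10", 53, None),
                 ("udp", "192.168.0.25", "8.8.8.8", 53, None)]:
        action, line = evaluate(DMZ1_ACL, *flow)
        print(f"{flow}: {action} via '{line}'")
```

Running it shows the asymmetry behind the symptom in the post: ping to 192.168.200.10 is permitted by the early icmp any any entries, DNS to 192.168.200.21 or .7 on port 53 is permitted, but DNS (or anything else) to any other inside host such as 192.168.200.10 falls through to the deny for 192.168.200.0/21, while DNS to an outside resolver reaches the final permit ip any any. So a DMZ host whose resolver is not exactly .21 or .7 will ping fine and still fail to resolve internal names.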

16 Replies

This issue was giving me a hard time too. I tried your fix and it worked great. Thanks Farrukh! Your posts are always helpful.

And... what's up with the packet tracer? Sometimes it's helpful and other times it's very misleading.

The packet-tracer was just used to make sure the firewall function is OK. It does not really generate a 'valid DNS packet', so it may not be a proper test. That's why I asked you to stop using the packet tracer and to test using a real DNS packet.

Anyway I'm glad I could help :)

Regards

Farrukh
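An added example (not from the thread, and not Cisco's packet-tracer) of the "real DNS packet" test Farrukh recommends: it builds a genuine DNS A query on the wire, sends it over UDP from the DMZ host to the resolver, and distinguishes a firewall or NAT drop (no reply at all) from a resolver that answers, including a negative answer such as NXDOMAIN. The resolver address 192.168.200.21 is one of the two hosts the posted ACL permits on port 53; the query name srv.corp.example and the canned reply used for the offline check are constructed for illustration.

```python
"""Added example: probe a DMZ-to-inside DNS path with a real DNS query packet.

Not part of the original thread. Builds and parses DNS wire format directly so
the probe does not depend on the DMZ host's resolver configuration. The
resolver address and query name below are assumptions for illustration.
"""
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """Encode a standard recursive query (default qtype 1 = A) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes end the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(data, txid):
    """Return {'rcode': str, 'answers': [A-record IPs]}; raise ValueError if unusable."""
    if len(data) < 12:
        raise ValueError("truncated header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                # skip echoed question(s): name + type + class
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)), "answers": answers}


def probe(server, name, timeout=3.0, port=53):
    """Send one real UDP query to `server`; 'timeout' means nothing came back."""
    txid = secrets.randbelow(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return {"status": "timeout"}   # dropped by ACL/NAT/route, or the server is down
    except OSError as exc:
        return {"status": f"error: {exc}"}
    finally:
        sock.close()
    result = parse_response(data, txid)
    result["status"] = "answered"
    return result


# Constructed reply for an offline check: id 0x1234, flags 0x8180 (QR, RD, RA, NOERROR),
# the echoed question, then one A record via a pointer to the question name -> 192.168.200.10.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"
    "03 737276 04 636f7270 07 6578616d706c65 00 0001 0001"
    "c00c 0001 0001 0000003c 0004 c0a8c80a"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
    # Assumed: run from the DMZ host; .21 is one of the resolvers the ACL permits on port 53.
    print(probe("192.168.200.21", "srv.corp.example"))
```

Read the result as three cases: "timeout" with no reply means the packet or its answer never made it through the ASA (or the resolver is not listening), and that is the case to take to the firewall logs; "answered" with NXDOMAIN or REFUSED means the ACL and NAT are fine and the problem is on the DNS server; "answered" with an A record means the path works and the host's own resolver settings are what to check next.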
