12-31-2010 08:14 AM - edited 03-11-2019 12:29 PM
Hi
What steps do I perform on an ASA 5510 to enable LAN users to resolve external DNS? All intranet sites are resolved using a local DNS server running on Windows 2003 Server.
Best Wishes
Anthony
12-31-2010 10:39 AM
Hi Anthony,
Can you clarify which traffic you're trying to allow through the ASA?
If I understand your question, you are trying to allow your internal Windows 2003 DNS server to resolve external domains with servers on the Internet so that it can provide those answers to your internal clients? If that's correct and your DNS server is set up properly, it should only be a matter of allowing outbound UDP/53 access.
If you post a sanitized copy of your config and let us know what IP address the DNS server uses, we can give you a more specific answer. In general though, you'll need to make sure the ASA has at least the following configuration:
1. Translation: A NAT/PAT rule to translate the DNS server's internal/private IP to a publicly routable global IP
2. Route: A default route where all Internet-bound traffic will be sent
3. Permission: An access-list allowing outbound UDP/53 traffic (only if the security-level of the interface that protects the DNS server is lower than that of the Internet-facing interface)
Hope that helps.
-Mike
12-31-2010 10:59 AM
Hi Mike
Your understanding is correct. Allow internal Windows 2003 DNS server to resolve external domains through the ASA.
Windows 2003 DNS Server IP - 172.24.1.100 255.255.255.0
ASA inside IP - 172.23.1.1
Switch IP - 172.23.1.2
We received 14 usable public IP addresses from the service provider.
It's a new setup and soon will require also
thanks
12-31-2010 11:04 AM
Hi Anthony,
Thanks for clarifying. In that case, you'll need a config similar to this:
Assumptions:
Internal interface that protects DNS server = inside
External/Internet-facing interface = outside
DNS Server's public IP = A.B.C.D
static (inside,outside) A.B.C.D 172.24.1.100 netmask 255.255.255.255
access-list outside_access_in permit tcp any host A.B.C.D eq smtp
access-list outside_access_in permit tcp any host A.B.C.D eq https
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0
As for your 3rd requirement, you can use this:
nat (inside) 1 0 0
global (outside) 1 interface
Hope that helps.
-Mike
01-01-2011 02:19 AM
Hi Mike
Thanks for your input. I need one clarification: what ports are needed from outside to inside to enable the Windows 2003 Server to resolve external DNS?
thanks
Anthony
01-01-2011 04:54 AM
Hi Anthony,
Since your Windows 2003 Server will be initiating the connections (from inside -> outside), you won't need to open any ports for the return traffic in the outside -> inside direction. The ASA will see the outgoing request and open the necessary pinholes to allow the response from the external DNS server to come back into your network.
That being said, if you have an inbound ACL on your inside interface, you would need to allow UDP/53 in this ACL. However, by default all traffic is allowed in the inside -> outside direction.
Hope that helps.
-Mike
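An added model of the behaviour Mike describes (not code from the thread or from Cisco): an outbound UDP/53 query that passes the inside-interface ACL creates a connection entry, the matching reply is admitted through that pinhole without any outside-to-inside rule, and an unsolicited inbound packet is dropped. The external resolver address and the ACL contents are assumptions; NAT is left out of the model.

```python
from dataclasses import dataclass

# Constructed sample values: the thread's DNS server behind "inside" and an
# assumed external resolver in the documentation range 198.51.100.0/24.
DNS_SERVER = "172.24.1.100"
EXTERNAL_RESOLVER = "198.51.100.53"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


# Assumed inbound ACL on the "inside" interface, evaluated in order with an
# implicit deny at the end, as entries of (proto, src, dst, dport, action).
INSIDE_ACL = [("udp", DNS_SERVER, "any", 53, "permit")]


def acl_allows(acl, pkt):
    """First-match ACL evaluation; no match means the implicit deny applies."""
    for proto, src, dst, dport, action in acl:
        if (proto == pkt.proto and src in (pkt.src, "any")
                and dst in (pkt.dst, "any") and dport == pkt.dport):
            return action == "permit"
    return False


class StatefulFirewall:
    """Minimal stateful model: inside->outside traffic is checked against the
    inside ACL and recorded; outside->inside traffic is admitted only when it
    reverses an existing 5-tuple (the 'pinhole'), not via an outside ACL."""

    def __init__(self, inside_acl):
        self.inside_acl = inside_acl
        self.conns = set()

    def inside_to_outside(self, pkt):
        if not acl_allows(self.inside_acl, pkt):
            return False
        self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def outside_to_inside(self, pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def demo(inside_acl=INSIDE_ACL):
    """Run a query, its reply and an unsolicited inbound packet through the model."""
    fw = StatefulFirewall(inside_acl)
    query = Packet(DNS_SERVER, 40123, EXTERNAL_RESOLVER, 53)
    reply = Packet(EXTERNAL_RESOLVER, 53, DNS_SERVER, 40123)
    unsolicited = Packet("203.0.113.9", 53, DNS_SERVER, 40124)  # constructed
    return {"query_permitted": fw.inside_to_outside(query),
            "reply_permitted": fw.outside_to_inside(reply),
            "unsolicited_dropped": not fw.outside_to_inside(unsolicited)}
```

Calling demo([]) models an inside ACL without the UDP/53 entry: the query is denied, so no pinhole is created and the reply is dropped too.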
01-01-2011 11:13 AM
Hi Mike
Thanks for your help.
access-list inside_access_out permit udp host 1.1.1.1 any eq 53
Do I only need the above ACL to allow DNS resolution from inside to outside when we have an inbound ACL on the inside interface?
01-01-2011 11:37 AM
Hi Anthony,
Yes, you are correct.
-Mike