External DNS query issues

sherwin79
Level 1

Hi all,


Apologies if I'm in the wrong area but this is my first post.


I'm currently having issues where external DNS is going through to our secondary DNS server in our Production environment but not being returned to the client. Below is how our network was configured by another staff member and all I'm trying to do is enable the DNS queries from an external source.

(ISP Modem)--------(Cisco ASA 5520)--------(Cisco 2921)--------------(DNS Server)

On the ASA I have enabled the following rules.


access-list OUTSIDE_access_in extended permit tcp any x.x.x.x 255.255.255.240 eq https
access-list OUTSIDE_access_in extended permit tcp any x.x.x.x 255.255.255.240 eq smtp
access-list OUTSIDE_access_in extended permit gre host x.x.x.x x.x.x.x 255.255.255.240
access-list OUTSIDE_access_in extended permit udp any host x.x.x.x eq domain
access-list OUTSIDE_access_in extended permit tcp any host x.x.x.x eq domain

access-list INSIDE_access_in extended permit udp host x.x.x.x eq domain any
access-list INSIDE_access_in extended permit tcp host x.x.x.x eq domain any
access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq www
access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq smtp
access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq https
access-list INSIDE_access_in extended permit udp x.x.x.x 255.255.255.240 any eq domain
access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq domain
access-list INSIDE_access_in extended permit tcp x.x.x.x 255.255.255.240 any eq pptp
access-list INSIDE_access_in extended permit gre x.x.x.x 255.255.255.240 any

And the router:


ip nat inside source static tcp 10.0.2.201 25 x.x.x.x 25 extendable
ip nat inside source static tcp 10.0.2.16 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.0.2.201 25 x.x.x.x 25 extendable
ip nat inside source static tcp 10.0.2.201 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.0.2.17 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.0.2.20 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.0.2.4 53 x.x.x.x 53 extendable
ip nat inside source static udp 10.0.2.4 53 x.x.x.x 53 extendable
ip nat inside source static tcp 10.0.2.100 443 x.x.x.168 443 extendable


So I've enabled the rule on the ASA to permit DNS from any source to our published external IP address of the DNS server. I've also configured a static NAT on the router. Looking at the ASA monitoring tool I can see the ASA builds and then quickly tears down the connection. I can telnet all the way through to the server, however when I attempt to perform an nslookup using the external IP address of the DNS server it times out and fails.


Not sure where I'm going wrong but any help would be appreciated, thanks in advance.


Regards

Sherwin79

3 Replies

Anu M Chacko
Cisco Employee

Hi Sherwin,

Do you have inspect dns enabled on the ASA? Could you post the output of "sh service-policy" and "sh run policy-map here"? Also, please post the syslogs from the ASA.

Regards,

Anu

Hi Anu,

Thanks for your reply.

We currently don't have syslogs set up at the moment. This environment is fairly new and hasn't really been implemented as well as one would hope. But here is the service policy and policy mappings.

Result of the command: "sh service-policy"

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 985870, drop 27855, reset-drop 0
      Inspect: ftp, packet 356, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: esmtp, packet 16421670, drop 0, reset-drop 197
      Inspect: sqlnet, packet 21, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 146, drop 0, reset-drop 0
      Inspect: netbios, packet 2729, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
Result of the command: "sh run policy-map"

policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Thanks again

Regards

Sherwin

Hi,

Could you disable inspect dns and test?

policy-map global_policy
class inspection_default
  no inspect dns maximum-length 512

Let me know.

Regards,

Anu
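Added example, not part of the thread: a small Python helper that parses the "sh service-policy" counters Sherwin posted above and flags inspection engines with a high drop ratio, the first check worth running before pulling an inspect engine out of the global policy. The sample output embedded below is constructed from the lines in the thread.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the relevant lines from the "sh service-policy" output
# posted in this thread (only the engines needed for the demonstration).
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 985870, drop 27855, reset-drop 0
      Inspect: ftp, packet 356, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: esmtp, packet 16421670, drop 0, reset-drop 197
      Inspect: netbios, packet 2729, drop 0, reset-drop 0
"""


class InspectStats(NamedTuple):
    engine: str        # e.g. "dns"
    options: str       # e.g. "maximum-length 512" (empty if none)
    packets: int
    drops: int
    reset_drops: int

    @property
    def drop_rate(self) -> float:
        """Fraction of inspected packets dropped or reset-dropped."""
        return (self.drops + self.reset_drops) / self.packets if self.packets else 0.0


# One "Inspect:" counter line; the engine name stops at a space or comma.
_LINE = re.compile(
    r"Inspect:\s+(?P<engine>[^\s,]+)(?P<options>[^,]*),\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)"
)


def parse_service_policy(text: str) -> Dict[str, InspectStats]:
    """Return one InspectStats per inspection engine found in the output."""
    stats: Dict[str, InspectStats] = {}
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            s = InspectStats(m["engine"], m["options"].strip(), int(m["packet"]),
                             int(m["drop"]), int(m["reset"]))
            stats[s.engine] = s
    return stats


def flag_lossy_engines(stats: Dict[str, InspectStats], min_rate: float = 0.01,
                       min_packets: int = 100) -> List[str]:
    """Engines whose drop ratio exceeds min_rate, ignoring engines with little traffic."""
    return sorted(e for e, s in stats.items()
                  if s.packets >= min_packets and s.drop_rate >= min_rate)
```

Run against the posted output, only dns is flagged (about 2.8% of its packets dropped), and its `maximum-length 512` option is the first thing to suspect, since that setting drops any DNS message longer than 512 bytes, which clients advertising EDNS0 can legitimately exchange.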
