Firewall Blocking Dns Resolution

tonyk0001
Level 1

Hi Team,

I just configured an ASA 5516 at one of our client's offices. It sits below the edge router (it is not directly connected to the internet). I created three zones (LAN, OUTSIDE and SERVERS). The OUTSIDE interface is connected to the edge router, the LAN interface goes to the users, and the SERVERS interface is connected to the servers.

There are VPNs on the router going to the branches. After configuration, all was well and I could reach every bit of the network, but when I try to remote desktop to the servers using their domain names it fails, while remote desktop with IPs works.

That happened when I put the DNS 8.8.8.8 for internet resolution among the DNS IPs in the DHCP parameters. All works well when I remove it, but when I remove it the clients can't get to the internet.

Please advise on how to resolve this.

6 Replies

Maykol Rojas
Cisco Employee

Hello,

I think the issue lies in the fact that the DNS server at 8.8.8.8 replies with the public IP. If you are doing the RDP from the inside, it is going to fail regardless of whether the RDP server is on the Server interface or on the inside.

You can easily solve this by doing the following:

nat (Server,LAN) source static <Object_Private> <Object_Public>

Let me know if you have any questions.

Mike

Hi Mike,

I don't want to do NAT like that; I actually did no NAT. Without the firewall, the users are getting the internet DNS from the ISP since they have a PPPoE connection to the ISP, but when I introduce the firewall they are able to ping the internet but can't browse. How do I resolve that, because I don't want to include the ISP DNS 8.8.8.8 or 4.2.2.2 in the DHCP options? Kindly advise.

If you want to resolve internal DNS names you need to give the clients an internal DNS server among their DHCP options.

Hi Marvin,

Thanks for that, but that is what I did, and unfortunately when I do that the clients can't browse, although DNS resolution works.

The issue arises when I introduce another DNS, 8.8.8.8 or 4.2.2.2, for the internet browsing (without removing the internal DNS, of course).

Before the ASA, the clients would browse the internet without 8.8.8.8 or 4.2.2.2 in the DHCP because they would get the internet IP parameters through DHCP (PPPoE), but now they are unable to.

Regards

Tony

Accepted Solution

Is the internal DNS server that you attempted to add set up correctly with a forwarder setting to resolve non-local FQDNs?
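
The forwarder the accepted answer asks about, as an added example that is not part of the original thread. It assumes the internal DNS server is Windows Server DNS with the DHCP role on the same host (10.10.20.5 on the SERVERS segment) and that the LAN scope is 10.10.10.0/24; every address, name and domain below is a placeholder. It first reproduces the symptom (an external resolver returns a negative answer for an internal name, and a negative answer is final for that query, so the client does not retry the internal server), then adds and verifies the forwarders, and finally changes the scope to hand out only the internal server.

```powershell
# Added example, not from the original thread. Placeholder addresses and names:
# internal Windows DNS/DHCP server 10.10.20.5, LAN scope 10.10.10.0/24, domain corp.example.
$InternalDns = '10.10.20.5'
$Forwarders  = @('8.8.8.8', '4.2.2.2')   # upstream resolvers the internal server will forward to
$Scope       = '10.10.10.0'
$Domain      = 'corp.example'

# 1. Reproduce the symptom: an external resolver knows nothing about the internal zone.
#    A client that sends this query to 8.8.8.8 gets NXDOMAIN and RDP by name fails;
#    the same query against the internal server succeeds.
Resolve-DnsName -Name "server1.$Domain" -Server '8.8.8.8'    -Type A -ErrorAction SilentlyContinue
Resolve-DnsName -Name "server1.$Domain" -Server $InternalDns -Type A

# 2. Confirm the upstream resolvers actually answer recursive queries through the ASA
#    before the internal server is made to depend on them.
Test-DnsServer -IPAddress $Forwarders -Context Forwarder

# 3. Add the forwarders: names the internal server is not authoritative for are sent
#    upstream instead of being answered with a failure. Disable root hints so the
#    server never tries to walk the root servers itself if a forwarder times out.
Add-DnsServerForwarder -ComputerName $InternalDns -IPAddress $Forwarders -PassThru
Set-DnsServerForwarder -ComputerName $InternalDns -UseRootHint $false -Timeout 3
Get-DnsServerForwarder -ComputerName $InternalDns

# 4. Verify an external name now resolves via the internal server.
Resolve-DnsName -Name 'www.cisco.com' -Server $InternalDns -Type A

# 5. Hand clients only the internal server. Listing 8.8.8.8 as a second DNS option
#    is not a per-name fallback: whichever server answers first decides the query.
Set-DhcpServerv4OptionValue -ComputerName $InternalDns -ScopeId $Scope `
    -DnsServer $InternalDns -DnsDomain $Domain
Get-DhcpServerv4OptionValue -ComputerName $InternalDns -ScopeId $Scope
```

Run it from an elevated prompt on a host with the DnsServer and DhcpServer RSAT modules; after the scope change, clients need a lease renewal (ipconfig /renew) to drop 8.8.8.8 from their resolver list. If the internal server is BIND instead of Windows DNS, the equivalent is a forwarders block in named.conf; the client-side reasoning is the same.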

Hi Marvin,

No, it is only for local FQDNs; the non-local FQDNs are to be handled by the ISP DNS, which they negotiate since they use PPPoE on the router to get to the internet.

Regards

Tony
