Remote DNS server across ASA

vd123_cisco · ‎02-27-2012

Hi guys,

i am hoping if anyone can reply to my query below.

We have got a new batch of servers and they reside on a separate VLAN 192.168.45.x 255.255.255.0

Those servers are required to be registered on the DNS server located on the remote site (SITE 2). Please refer to the attached diagaram. We also have a DNS server in our LAN but these new servers will need to be in the domain in SITE 2

Can anyone advise if need anythin else other than the following ACLs in the ASA firewall

Access-list inside extended permit udp 192.168.45.0 255.255.255.0 host 10.10.100.150 eq 53

Access-list inside extended permit tcp 192.168.45.0 255.255.255.0 host 10.10.100.150 eq 53

Thanks

jay

Marvin Rhoads · ‎02-27-2012

Your question and diagram imply you have a site-site VPN in place between the ASAs. In that case the access-list(s) called out by your cryptomap would be used to control the traffic. Typical configuration would be to allow 192.168.45.0/24 to access 10.10.100.0.0/24 via that VPN tunnel. Whatever route you take, both ends would need to have the access-list (and/or cryptomap) in place.

vd123_cisco · ‎02-28-2012

Hi Marvin,

Thank you for the reply.

We have a point to point connection. The router shown the diagram are managed by the service provider.

There is no other config required other the ACLs i have listed above?

Thanks

Marvin Rhoads · ‎02-29-2012

The ACL entries above will allow DNS queries across the provider link from your local site. We are assuming matching entries allow the communications on the remote and and that routing etc. is all in place..

You asked however about needing to be "registered" on the DNS server and in the domain. Also your diagram mentions the server is a DHCP server and you show it configured with the helper-address in your local core switch. DHCP uses TCP ports 67 and 68. When you say domain if you are talking about a Windows domain that is another set of ports.