06-06-2016 07:45 AM - edited 03-12-2019 12:51 AM
Hi All,
I've tried to search for a solution to my problem but I doubt I'm anywhere close to searching for the right terms. I'm a noob when it comes to the ASA5506 unit we have but I have got it setup how it needs to be with one exception. DNS.
At the moment I'm able to access the internet from inside to out as well as being able to get to our webserver from outside in.
The one issue I can't resolve is DNS resolution by our server from another internal site. I'll try my best to get down what I can to help but please bear with me. I'm awful at it.
Our internal network is 10.132.0.0
The remote location is 10.130.0.0
When I try to resolve a DNS name from the server in 10.132.x.x from 10.130.x.x it never works.
I believe the internal network is coming from the "inside" interface I just don't understand why DNS isn't resolving.
Would some one be able to help with this issue?
Thanks and regards,
Chris
06-07-2016 05:28 AM
Hi Chris,
Are you suspecting that ASA is blocking the DNS query?
Where is the DNS server located in your network? Try doing a packet-tracer from the inside interface for DNS traffic and see if the traffic is allowed.
You could use the below command to check the same on ASA
#packet-tracer input inside udp <source-ip> 64161 <destination-ip> 53 detailed
where
source-ip = the machine from which you are not able to resolve the DNS
destination-ip = the IP of DNS server
Regards,
Jagrati
06-07-2016 06:13 AM
Thank you Jagrati,
I ran the command with the end result saying allow.
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
When I try: nslookup <name_in_network> <server_ip_address> it always times out with no result returned.
Pre-ASA I was able to have the remote server IP address in the domain forward list and it worked well. That's not possible, or resolving direct with the DNS server.
Thanks again,
Chris
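The packet-tracer summary pasted above is easy to misread by eye when several runs are compared, so here is a small parser for that summary, added here as an example and not code from the thread or from Cisco. The two sample outputs are constructed: the allow case mirrors the one posted, and the drop case (with its Drop-reason line) is made up to show how a denied flow is reported.

```python
import re

# Constructed sample outputs in the shape of an ASA packet-tracer summary.
# SAMPLE_ALLOW copies the result posted in the thread; SAMPLE_DROP is invented.
SAMPLE_ALLOW = """\
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
"""

SAMPLE_DROP = """\
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One "Key: value" pair per line; keys are lower-cased so "Action" and
# "Drop-reason" can be looked up consistently.
FIELD_RE = re.compile(r"^\s*([A-Za-z-]+):\s*(.+?)\s*$")


def parse_packet_tracer(text):
    """Return the key/value fields of a packet-tracer summary as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def assess(text):
    """Condense the summary to the facts worth recording in a ticket:
    the verdict, the drop reason if any, and the ingress/egress interfaces
    (including whether the flow enters and leaves the same interface,
    as the posted output shows)."""
    f = parse_packet_tracer(text)
    return {
        "action": f.get("action"),
        "in": f.get("input-interface"),
        "out": f.get("output-interface"),
        "drop_reason": f.get("drop-reason"),
        "same_interface": f.get("input-interface") == f.get("output-interface"),
    }
```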
06-07-2016 06:18 AM
Chris,
From the output of packet-tracer it seems that ASA is allowing the traffic.
Are you able to ping the DNS server?
Jagrati
06-07-2016 06:59 AM
Hi,
I cannot ping the DNS server or anything on the inside from a remote machine (on the inside interface).
I can connect remotely to the DNS server and other services it handles from the same remote machine.
Thanks again,
Chris
06-07-2016 10:05 PM
Hi Chris,
Instead of a ping try doing a tracert on the DNS server IP from the command prompt to see where it ends.
Jagrati
06-08-2016 03:04 AM
Hi Jagrati,
Thanks for all your help. I've done a couple of tracerts to see what's happening. From the network topology my route should go from our remote network and hit the local gateway and then onto the firewall and into the local network.
When I ping the first gateway I get 6 successful hops.
When I ping the firewall I get 8 successful hops.
When I ping the DNS server it fails on the 8th hop.
On the "inside" ACL I allow tracert and ping from any source to destination.
I hope this helps.
Chris
06-15-2016 05:04 AM
Hi Chris,
So were you able to find out the cause of the issue?
Do you have any more questions regarding this?
Regards,
Jagrati
06-15-2016 11:42 AM
Hi Jagrati,
At the moment I've had little time to plug away with this. So it is still unresolved.
I'm quite at a loss as to where to look but grateful for your help.
Unfortunately I'm not very good with ASA firewalls but something is making me think policy rules for some reason. I just can't see that being the case though.
Still scratching my head.
Thanks,
Chris