DNS ISSUE

Roza12
Level 1

Hi everyone,

I hope someone can help me with my problem.

Our customer network looks like:
stack core switches ---- routers ---- Firewall --- internet mpls----Firewall---- datacenter

In the core switches 3 VLANs are configured:
1- VLAN 16 for it.local
2- VLAN 1 for dsvm
3- VLAN 17
4- VLAN 18 dmz (new)

They asked me to create a new VLAN in the same way as the other VLANs; after that they asked that VLAN 16 should be able to talk to / see VLAN 18.

What I have configured in the firewall:
1- NAT (VIP) port (HTTP and TCP 8080)
2- IPv4 policy allowing source (all) to destination (VIP)
3- static route for the new range, the same way as the others
4- from the VLAN interfaces to the trust interface, allowed all -- all

What I achieved:
1- I can ping from the VLAN 16 range to VLAN 18, and the same from VLAN 18
2- the DNS servers for all are in the VLAN 16 range:
10.50.16.31
10.50.16.32
3- I can ping from a server in VLAN 18 to these DNS servers
4- I can telnet to port 53 in VLAN 18

The problem I face right now:
1- I cannot access any website/page when I use the DNS servers, although I can ping them
2- but when I change it to Google DNS everything works properly
But this is not a good plan, to keep it on public DNS. I have tried a lot to figure it out but without hope, so can I get some help with that?

3 Replies

yalbikaw
Cisco Employee

Hello :)

Let's take it from the firewall.

1- Now I know you allowed the IP communication, but let's look at logging.

If it is an ASA,

enable logging and check the DNS traffic; if there are any drops, they will be logged for you.

2- Try to use packet tracer to see the flow, if it's permitted.

3- Packet captures, if both options didn't isolate the problem.

When you do the pcap, make sure to do it for specific traffic and then check exactly what is happening.

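A quick host-side check that complements the firewall logging / packet-tracer / pcap steps in the reply above. This is an added example, not code from the thread or from any Cisco tool: it sends the same minimal DNS query to a resolver once over UDP/53 and once over TCP/53 and reports which transport gets an answer. The original post only tested port 53 with telnet, which exercises TCP; browsers and most stub resolvers use UDP first, so a policy that permits TCP/53 but drops UDP/53 produces exactly the symptom described (ping and telnet work, no name resolves). The server address 10.50.16.31 and the name it.local are taken from the post; the `classify` verdict strings are this example's own.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query for `name` (A record by default, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_response(data):
    """Decode the 12-byte DNS header of a response into a small dict."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,  # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }

def query_udp(server, name, timeout=2.0):
    """Send the query over UDP/53; return the parsed header or None on timeout."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)

def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed early")
        buf += chunk
    return buf

def query_tcp(server, name, timeout=2.0):
    """Same query over TCP/53 (2-byte length prefix per RFC 1035 4.2.2)."""
    q = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            data = _recv_exact(s, length)
    except (OSError, ValueError):
        return None
    return parse_response(data)

def classify(udp, tcp):
    """Turn the two probe results into a one-word verdict (names are this example's own)."""
    udp_ok = udp is not None and udp["is_response"]
    tcp_ok = tcp is not None and tcp["is_response"]
    if udp_ok and tcp_ok:
        return "both-ok"
    if tcp_ok and not udp_ok:
        return "udp-53-blocked"  # telnet to 53 succeeds, resolvers stay silent
    if udp_ok and not tcp_ok:
        return "tcp-53-blocked"
    return "no-dns-reachability"

if __name__ == "__main__":
    import sys
    # Defaults come from the post: internal resolver 10.50.16.31, zone it.local
    server = sys.argv[1] if len(sys.argv) > 1 else "10.50.16.31"
    name = sys.argv[2] if len(sys.argv) > 2 else "it.local"
    udp, tcp = query_udp(server, name), query_tcp(server, name)
    print("UDP:", udp)
    print("TCP:", tcp)
    print("verdict:", classify(udp, tcp))
```

Run it from a host in VLAN 18 against each resolver (`python3 dnsprobe.py 10.50.16.31 it.local`, then 10.50.16.32). A `udp-53-blocked` verdict points straight at the firewall policy or NAT between VLAN 18 and VLAN 16, and the matching drop should then show up in the ASA log or packet-tracer output for UDP/53 rather than TCP/53. An `rcode` of 5 (REFUSED) with both transports reachable would instead mean the resolver itself is not allowing queries from the new range.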
Hi,

Thanks for your reply.

I'm trying to access it but I cannot; we have some issues with our network.

I can ping, telnet, and the two VLANs see each other, but unknown DNS server.

What I understood from you is that the problem may be with the firewall??

The traffic is passing through the firewall, correct?

That's why I would like to check there and see what is happening.