ASA site to site DNS issues

Thanks in advance for any help

We have an ASA 5510 and set up site-to-site over IPSec to a remote office with 7 users using an ASA 5505. We used the out-of-the-box wizard and everything connects on both sides. I did notice a couple of issues users started saying they were having:

Quick background: we enable DHCP on the ASA at the remote office to pass out IP information. We use the DNS server at the main office as the primary.

1. Users at the remote office can ping the main office but they cannot browse HTTP sites at the main office we host. They can get into file systems with no issue, although there is a slight delay.

2. Users at the main office cannot ping IP addresses of the remote office.

I am sure this may be some sort of DNS issue or configuration I am missing. We didn't configure any special ACL or open any ports other than what the wizard did.

Thanks again

Re: ASA site to site DNS issues

First step I'd recommend is ensuring both the 5505 and 5510 are on the same firmware.

- Remote office can't access websites hosted at main office.
Are the websites in a DMZ? If so, odds are the DMZ is not part of the "interesting traffic" ACL for the VPN.

- Main office can't ping remote office.
Do you mean by name, IP, or both? If it can ping by IP but not name, then there is a DNS resolution issue; however, that doesn't necessarily mean it's an issue with your DNS server.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
Re: ASA site to site DNS issues

Thank you for the reply.

The websites are not on the DMZ. If I enter the IP address or server name in the browser, it won't show the site.

I cannot ping the name or IP address from the main office to the remote office.

Re: ASA site to site DNS issues

For the remote office, what may be happening here is that the site-to-site VPN set up split-tunnelling. Normally that would still route anything destined for the main office IP subnet over the VPN, but I wonder if it assumed port 80/443 out the outside interface by default instead.

That said, with your main site unable to ping the remote site, it actually sounds more like an Access Rules issue. Would you take a look at your access rules? There should be one on the outside interface with a source of main site internal IPs and a destination of remote site internal IPs with a permit. I'd like to know if the services are permit any any or if it has a limited number of services (ports) that are allowed.

One other consideration, thinking of your other post as well: since both ends are ASA firewalls accessible via SSH, if you would feel comfortable sending me the show running-configuration from both devices in a private message, I'd be happy to take a look at them. For security reasons, I'd recommend masking IPs and removing the password lines from the config, even if they are encrypted.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
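The two checks the replies point at (is a given host pair inside the VPN's "interesting traffic" crypto-map ACL, and does the outside-interface access rule permit any service or only a few ports) can be run offline against a saved `show running-config`. The script below is an added example, not code from this thread or from Cisco. It parses a constructed config excerpt with placeholder subnets (main-office inside 10.1.1.0/24, a DMZ 10.1.50.0/24, remote office 10.2.0.0/24) and only understands the plain `access-list NAME extended` address forms (`any`, `host A.B.C.D`, `network mask`), not object-groups; the ACL and crypto-map names are assumptions in the style the ASDM wizard produces.

```python
"""Read an ASA running-config excerpt and answer: (1) is src->dst covered by a
crypto-map ACL (i.e. will it go over the tunnel), and (2) which services does an
interface ACL permit for that pair (first-match, like the ASA)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample config (placeholders, not from the thread). Only the
# main-office inside subnet is in the crypto ACL; the DMZ is not. The outside
# access rule permits SMB and ICMP from the remote site, but not HTTP/HTTPS.
SAMPLE_CONFIG = """
! constructed excerpt of a main-office ASA running-config
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_access_in extended permit tcp 10.2.0.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 445
access-list outside_access_in extended permit icmp 10.2.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")


@dataclass
class AclEntry:
    acl: str
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]  # "445" when the line ends in "eq 445", else None


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec from the token list: any | host A | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # ASA writes dotted netmasks, which ipaddress accepts
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl_entries(config: str) -> Dict[str, List[AclEntry]]:
    """Group extended ACL lines by ACL name, preserving their order."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else None
        acls.setdefault(name, []).append(AclEntry(name, action, proto, src, dst, port))
    return acls


def crypto_acl_names(config: str) -> List[str]:
    """ACL names referenced by 'crypto map <name> <seq> match address <acl>'."""
    return re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)


def vpn_covers(config: str, src_ip: str, dst_ip: str) -> bool:
    """True if a permit line of any crypto-map ACL matches src->dst, i.e. the
    pair is 'interesting traffic' and will be sent through the tunnel."""
    acls = parse_acl_entries(config)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(
        e.action == "permit" and s in e.src and d in e.dst
        for name in crypto_acl_names(config)
        for e in acls.get(name, [])
    )


def permitted_services(config: str, acl_name: str, src_ip: str, dst_ip: str) -> List[str]:
    """Services the interface ACL permits for src->dst. Returns ["ip"] for a
    permit-any-protocol line; a matching 'deny ip' line ends evaluation."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    services: List[str] = []
    for e in parse_acl_entries(config).get(acl_name, []):
        if not (s in e.src and d in e.dst):
            continue
        if e.action == "deny" and e.proto == "ip":
            break
        if e.action == "permit":
            if e.proto == "ip":
                return ["ip"]
            services.append(f"{e.proto}/{e.port}" if e.port else e.proto)
    return services


if __name__ == "__main__":
    print("inside -> remote over VPN:", vpn_covers(SAMPLE_CONFIG, "10.1.1.20", "10.2.0.30"))
    print("DMZ -> remote over VPN:   ", vpn_covers(SAMPLE_CONFIG, "10.1.50.10", "10.2.0.30"))
    print("remote -> inside permitted:",
          permitted_services(SAMPLE_CONFIG, "outside_access_in", "10.2.0.30", "10.1.1.20"))
```

Run it against a real config by replacing `SAMPLE_CONFIG` with the saved file's contents (after masking, as the reply above suggests). In the constructed sample the DMZ host is not interesting traffic, and the outside rule permits only `tcp/445` and `icmp`, which is exactly the symptom pattern from the first post: file shares reachable, web sites not.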