ASA Same Interface routing DNS is being blocked

jlytle_mds
Level 1

I have a situation where the network I inherited is using an ASA for the default gateway, instead of a router. I am trying to add a series of subnets off the inside interface to begin eliminating some VPN connections with point-to-point connections. The problem I have is that DNS is being blocked at the far end.

I have added a policy map to bypass stateful inspection of tcp packets.  I have added access rules to allow all IP traffic to and from the remote subnet.  I have set same security traffic to allow intra-interface traffic.  I have added a route that points any remote destined traffic to the interface of the router that is handling that traffic.  At this point, I am not sure what else to try.  When I run packet tracer using UDP and port 53, it shows that the packet should be allowed both directions, and the access rule shows increases in the hit count.

If anyone has any ideas of what to try, please let me know.  IP layout is as follows:

Local network is 10.100.0.0/22.  I have a router connected to the same inside switch that the 10.100 network is attached to, and the gateway is 10.100.0.1 on the firewall, and 172.28.0.1/22 on the router to the remote networks.  The remote networks will all be in the 172.28.0.0/16 network, subnetted by location as I go along.  Far side facing interface of the router is 172.28.0.1, and internal facing interface is 10.100.0.3, so the route statement on the ASA is route inside 172.28.0.0 255.255.0.0 10.100.0.3.  The server that is having the problem accessing DNS back into the local location is located about 2 hours away.  I can log into it using the local administrator access, but NSLookup and ping by name to anything fails.  This server IP is 172.28.5.2, and is located in the 172.28.5.0/26 network.  So I have layer 3 ICMP connectivity to everything, and I can SSH into the far router located with the server, but I cannot get DNS working.

I am completely at a loss.  Please help!

Thank you in advance for all help provided

James W. Lytle
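The setup described in the post, reconstructed as an added example for review (this is not the poster's running config). The interface name `inside`, the ACL and class/policy names, the DNS server address 10.100.0.53 and the client source port are assumptions.

```cisco
! Added reconstruction of the configuration described above (not the poster's config).
! Assumed names: interface "inside", ACLs inside_access_in and tcp_bypass_acl, DNS server 10.100.0.53.

! Allow traffic to hairpin back out the interface it arrived on
same-security-traffic permit intra-interface

! Remote sites (172.28.0.0/16) sit behind the LAN router at 10.100.0.3
route inside 172.28.0.0 255.255.0.0 10.100.0.3 1

! Permit all IP traffic both ways between the local and remote ranges
access-list inside_access_in extended permit ip 10.100.0.0 255.255.252.0 172.28.0.0 255.255.0.0
access-list inside_access_in extended permit ip 172.28.0.0 255.255.0.0 10.100.0.0 255.255.252.0
access-group inside_access_in in interface inside

! TCP state bypass: the router delivers return traffic on the LAN directly,
! so the ASA only ever sees one direction of these flows
access-list tcp_bypass_acl extended permit tcp 10.100.0.0 255.255.252.0 172.28.0.0 255.255.0.0
access-list tcp_bypass_acl extended permit tcp 172.28.0.0 255.255.0.0 10.100.0.0 255.255.252.0
class-map tcp_bypass_class
 match access-list tcp_bypass_acl
policy-map tcp_bypass_policy
 class tcp_bypass_class
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside

! Checks: trace the DNS query from the remote server and the reply back to it,
! each arriving on the inside interface as it would in this topology
packet-tracer input inside udp 172.28.5.2 40000 10.100.0.53 53 detailed
packet-tracer input inside udp 10.100.0.53 53 172.28.5.2 40000 detailed
! Drop counters, live UDP/53 connections and DNS inspection statistics
show asp drop
show conn protocol udp port 53
show service-policy inspect dns
```

If either trace ends in DROP, the phase that drops it and the matching `show asp drop` counter name the cause.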

3 Replies

Ivan Villagomez
Level 1

Hi, any updates on this?

Hello,

I assume you have the same problem? I guess the reason this question was not answered was because it was not clear what 'DNS blocked at remote end' actually meant.

If you have the same problem, post the configuration of the ASA...

Hello

Just to review - not sure I understand your topology - you say you have 172.28.0.1/22 on the outside interface of the ASA for remote networks, and the server is remote on 172.28.5.0/26, but these two networks are in different subnets?

Your DNS server, which is 10.100.0.3 on the inside of your ASA, does this resolve queries?

Lastly - I don't understand this statement - "Far side facing interface of the router is 172.28.0.1, and internal facing interface is 10.100.0.3, so the route statement on the ASA is route inside 172.28.0.0 255.255.0.0 10.100.0.".

Can you post a topology diagram of this network with the requested running config of the ASA so we can review it?

res
Paul
