Server DNS behind Cisco ASA - Problem

edilson.silva1
Level 1

Hello all!

I have a DNS server behind an ASA 5510 firewall (Security Plus license, Software Version 7.2(3)). The details follow:

DNS Server: 10.253.9.29

External IP: 187.72.231.204

The firewall has the following rules and NAT configured:

--Rule: (outside interface, connected to router 2800)

access-list outside_access_in extended permit object-group tcp-udp any host 10.1.1.204 eq domain 

--Rule: (Interface network 10.253.8.0/22)

access-list rede.producao.2_access_in extended permit ip host 10.253.9.29 any

--Nat:

static (rede.producao.2,outside) 10.1.1.204 10.253.9.29 netmask 255.255.255.255 dns

--Policy:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 

The data flow on the network is as follows:

DNS Server --> Firewall --> Router 2800 --> Internet


In the firewall there is a NAT: 10.253.9.29 --> 10.1.1.204

In our Internet Router there is a NAT too: 10.1.1.204 --> 187.72.231.204

Below is the NAT configured in the Internet Router 2800:

ip nat inside source static 10.1.1.204 187.72.231.204

and there is an ACL in the router 2800 to allow it:

permit ip host 10.1.1.204 any (6953 matches) - Matches increasing during the tests

--EXTERNAL TESTS

A telnet test on port 53 works, however DNS queries do not work. The following message is returned:


PESQUISA: <name company>
REGISTRO: a
SERVIDOR: 187.72.231.204

;; connection timed out; no servers could be reached

(Test done from http://www.ipok.com.br/)

A test was done from 201.77.219.218 against the DNS IP 187.72.231.204. Packets captured:

CISCO-ASA# show capture edilson detail 

6 packets captured
   1: 11:49:17.600585 0024.9756.30a0 c47d.4f3b.7ce0 0x0800 83: 201.77.219.218.28137 > 10.1.1.204.53:  [udp sum ok] udp 41 (ttl 117, id 8178)
   2: 11:49:17.601058 c47d.4f3b.7ce0 0024.9756.30a0 0x0800 83: 10.1.1.204.53 > 201.77.219.218.28137:  [udp sum ok] udp 41 (ttl 64, id 18413)
   3: 11:49:17.616591 0024.9756.30a0 c47d.4f3b.7ce0 0x0800 91: 201.77.219.218.18154 > 10.1.1.204.53:  [udp sum ok] udp 49 (ttl 117, id 8179)
   4: 11:49:17.616972 c47d.4f3b.7ce0 0024.9756.30a0 0x0800 247: 10.1.1.204.53 > 201.77.219.218.18154:  [udp sum ok] udp 205 (ttl 64, id 18414)
   5: 11:49:19.617414 0024.9756.30a0 c47d.4f3b.7ce0 0x0800 91: 201.77.219.218.16386 > 10.1.1.204.53:  [udp sum ok] udp 49 (ttl 117, id 8189)
   6: 11:49:19.617933 c47d.4f3b.7ce0 0024.9756.30a0 0x0800 247: 10.1.1.204.53 > 201.77.219.218.16386:  [udp sum ok] udp 205 (ttl 64, id 18415)

From 201.77.219.218 it does not work:

C:\Documents and Settings\Administrator>nslookup crystal701.cedrofinances.com.br 187.72.231.204
*** Can't find server name for address 187.72.231.204: Query refused
Server:  UnKnown
Address:  187.72.231.204

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

--INTERNAL TESTS

DNS queries from inside work correctly (from other networks too, but only from inside). There is no problem with the DNS server itself.

Would I be missing some additional configuration for external DNS lookups to work?


Thanks in advance!

3 Replies

edilson.silva1
Level 1

Anybody else?

Verify on your router:

sh ip nat translation

Verify on your ASA: sh xlat, sh conn, sh local-host

Use filters if your tables are large...

Can you identify the translations and connections on both devices?

I tried and it seems the IP path is OK (Wireshark):

No.     Time        Source                Destination           Protocol Length Info
      2 0.289328    187.72.231.204        10.0.0.2              DNS      66     Standard query response 0x6aee Refused

Frame 2: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 13, 2015 23:42:14.409909000 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1439502134.409909000 seconds
    [Time delta from previous captured frame: 0.289328000 seconds]
    [Time delta from previous displayed frame: 0.289328000 seconds]
    [Time since reference or first frame: 0.289328000 seconds]
    Frame Number: 2
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: True]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: AdbBroad_2f:5b:11 (a4:5d:a1:2f:5b:11), Dst: Apple_03:d3:d6 (68:a8:6d:03:d3:d6)
    Destination: Apple_03:d3:d6 (68:a8:6d:03:d3:d6)
        Address: Apple_03:d3:d6 (68:a8:6d:03:d3:d6)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: AdbBroad_2f:5b:11 (a4:5d:a1:2f:5b:11)
        Address: AdbBroad_2f:5b:11 (a4:5d:a1:2f:5b:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 187.72.231.204 (187.72.231.204), Dst: 10.0.0.2 (10.0.0.2)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x21c3 (8643)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 47
    Protocol: UDP (17)
    Header checksum: 0xbcdf [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 187.72.231.204 (187.72.231.204)
    Destination: 10.0.0.2 (10.0.0.2)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: domain (53), Dst Port: 55102 (55102)
    Source Port: domain (53)
    Destination Port: 55102 (55102)
    Length: 32
    Checksum: 0xa2f5 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
Domain Name System (response)
    [Request In: 1]
    [Time: 0.289328000 seconds]
    Transaction ID: 0x6aee
    Flags: 0x8105 Standard query response, Refused
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0101 = Reply code: Refused (5)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        orf.at: type A, class IN
            Name: orf.at
            [Name Length: 6]
            [Label Count: 2]
            Type: A (Host Address) (1)
            Class: IN (0x0001)

You might want to take a look at your resolver policy...
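The dissected reply above carries RCODE 5 (Refused) with recursion desired but not available, which is the server's own policy answering rather than a NAT path failure. As an added example that is not part of the thread, the following Python rebuilds that 24-byte message from the dissected fields (the only bytes assumed are those the dissection shows) and decodes it, separating a refused query from the no-reply timeouts seen earlier in the thread:

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",  # RFC 1035 4.1.1
          4: "NOTIMP", 5: "REFUSED"}

# Constructed from the dissection: ID 0x6aee, flags 0x8105, QDCOUNT 1, no RRs, orf.at A IN.
REFUSED_REPLY = (
    struct.pack("!HHHHHH", 0x6AEE, 0x8105, 1, 0, 0, 0)
    + b"\x03orf\x02at\x00"        # QNAME orf.at
    + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
)

def read_name(msg, offset):
    """Return (name, next_offset); follows compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, offset
    for _ in range(128):                  # bounds the walk against pointer loops
        length = msg[offset]
        if length & 0xC0 == 0xC0:         # 11xxxxxx: pointer into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("malformed name: too long or pointer loop")
    return ".".join(labels), (end if jumped else offset)

def parse_response(msg):
    """Decode the header flags and the first question of a DNS message."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": tid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "counts": (qd, an, ns, ar), "qname": qname, "qtype": qtype, "qclass": qclass}

def diagnose(reply):
    """Tell a path problem (no reply at all) apart from a server-side refusal."""
    if reply is None:
        return "no reply: check NAT, ACLs and DNS inspection along the path"
    r = parse_response(reply)
    if r["rcode"] == "REFUSED" and r["rd"] and not r["ra"]:
        return "server reached; recursive query refused by its policy"
    return "server reached; rcode " + r["rcode"]
```

Feed parse_response() the UDP payload of any captured reply: a response that arrives but says REFUSED means the packet path (double NAT and ACLs) is fine and the fix belongs in the server's query and recursion policy.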