2918 Views | 0 Helpful | 4 Replies

DNS Request Blocking by ASA 5510

Zargham Haider
Level 1

Dear All,

I have two separate links terminating on two different ASA 5510s (F11 and F13). Behind these firewalls I have only one router, which routes/switches traffic between the two hops (the firewalls' inside IPs). Behind this router I have two different VLANs, VLAN 11 and VLAN 13. My primary VLAN is VLAN 11, as all my servers are in this VLAN, and its gateway is firewall F11. VLAN 13 is only for guest users and its gateway is firewall F13. I have configured DHCP relay on F13 to point to the DHCP server in VLAN 11. All my clients are getting IPs from the DHCP server (from the VLAN 13 scope) with the F13 gateway option. On the other hand, VLAN 11 clients are also getting IPs from the same DHCP server (from the VLAN 11 scope). My router's default gateway is F11. Now the scenario is:

F11 has two LAN interfaces:

inside11 and inside13

F13 also has two LAN interfaces:

winside13 and winside11

All interfaces are EXEMPTED by rule.

A VLAN 11 client goes to the router and the router sends the traffic to F11.

A VLAN 13 client goes directly to F13.

Everything was perfect and fine. For some reason my DNS queries stopped crossing the firewalls, meaning that whenever I switch the traffic's default gateway in the Cisco router to F13, both my VLANs stop browsing. Before, it switched the gateway and all my traffic shifted from F11 to F13, but now whenever I switch the default gateway in the router to point to F13, it stops browsing. tracert works perfectly.

MY QUESTION:

1. Why do DNS queries not cross the FIREWALLS?

2. nslookup gives a DNS error.

Please suggest.

Accepted Solution

Hi @Zargham Haider

It is expected that the firewall blocks everything that is not explicitly allowed, including DNS.

Where does your DNS stay on the network? Does the firewall have a rule allowing it?

-If I helped you somehow, please, rate it as useful.-

4 Replies


Thanks for the reply, Flavio Miranda.

I have configured rules to allow DNS traffic, meaning I allowed port 53 on both TCP and UDP. And since I have two firewalls with 4 interfaces, I allowed port 53 on all interfaces. Before, it was working fine; I don't remember that I changed any rule. My packet trace also reflects that the firewall allows traffic on port 53. Is it necessary to configure dns domain-lookup? I also did it on the inside interface.

No. Domain lookup would be required if the Cisco device were responding to the query.

What about the DNS server? Do you have one on your network?

Does the DNS server know how to reply?

Considering you have a server for this service, maybe it lost some of its routes.

Did you check?

-If I helped you somehow, please, rate it as useful.-

Hi Flavio Miranda,

It was really a nightmare for me. Even though I carefully checked all the ACLs, I didn't find any ACL blocking DNS requests. After some days I figured out the actual reason. Actually, firewall F13 has two interfaces, winside and inside. winside was properly configured with "DNS Translation". When F13 received a VLAN 11 packet it was not able to translate the DNS replies; that is why all non-DNS packets were going out. When I enabled "Translate the DNS Replies that match the Translation Rules" it started resolving the replies. Now the firewall is translating the DNS replies for both VLANs.

Thanks for your help.
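The ASDM option named in the final post, "Translate the DNS replies that match the translation rule", is the `dns` keyword on an ASA NAT statement. The configuration below is an added example, not the poster's or Flavio Miranda's configuration, showing what that setting looks like in ASA 8.3+ CLI on F13 for both of its inside interfaces (winside11 and winside13 are the names from the thread); the VLAN subnets, the `outside` interface name, the client address and the DNS server address in the packet-tracer line are assumed placeholders.

```cisco
! Added example (not the thread's configuration). Interface names winside11 and
! winside13 are from the thread; the subnets, the "outside" interface name and
! the addresses used for verification are constructed placeholders.
!
! Address objects for the two VLANs reachable through F13
object network VLAN11-NET
 subnet 10.11.0.0 255.255.255.0
object network VLAN13-NET
 subnet 10.13.0.0 255.255.255.0
!
! Dynamic PAT to the outside interface address. The trailing "dns" keyword is the
! CLI form of ASDM's "Translate the DNS replies that match the translation rule":
! A records in DNS answers that traverse this rule are rewritten to the mapped
! address. Without it the DNS packets are forwarded (port 53 is allowed) but the
! addresses inside the answers are left untranslated, which matches the symptom
! of non-DNS traffic passing while name resolution fails.
object network VLAN11-NET
 nat (winside11,outside) dynamic interface dns
object network VLAN13-NET
 nat (winside13,outside) dynamic interface dns
!
! DNS reply rewrite relies on DNS application inspection. The default global
! policy already contains it; confirm it has not been removed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! "dns domain-lookup" only affects name resolution performed by the ASA itself
! (for example hostnames used in its own configuration). It is not needed for
! client DNS traffic that merely passes through the firewall.
!
! Verification, from enable mode:
! show running-config nat            - the "dns" keyword should appear on the rule
! show service-policy inspect dns    - counters should increase as replies are rewritten
! packet-tracer input winside11 udp 10.11.0.10 53000 192.0.2.53 53
!                                    - walks a VLAN 11 client's query through ACL,
!                                      NAT and inspection and reports each phase
```

The `show service-policy inspect dns` counters are the quickest way to tell whether replies are actually being rewritten rather than just permitted: if port 53 is allowed by the ACL and `packet-tracer` reports ALLOW but the inspect counters stay flat, the rule is matching without the `dns` option or DNS inspection is missing from the policy.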