How to make ASA use DNS server via L2L-VPN?

frank.poehner
Level 1

Hello,

I have an ASA5505 in a branch connected to the head office via L2L-VPN. The clients on the inside of the ASA can use the DNS servers in the head office through the VPN tunnel. The ASA is configured to use these DNS servers, too.

dns domain-lookup outside
dns domain-lookup ADM
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.17.6.225
name-server 172.17.6.227
domain-name some.name

management-access ADM

The VPN is connecting the networks behind interfaces inside and ADM to the network at the head office.

When the ASA is resolving a hostname it tries to use these servers. But it does so via the outside interface.

gw700# ping heise.de
Mar 30 2011 07:58:49: %ASA-6-302015: Built outbound UDP connection 35360 for outside:172.17.6.225/53 (172.17.6.225/53) to identity:117.135.114.78/2117 (117.135.114.78/2117)
DNS: get global group DefaultDNS handle 2336f5f
DNS: Resolve request for 'heise.de' group DefaultDNS
DNS: No response
DNS: No response
Mar 30 2011 07:58:55: %ASA-6-302015: Built outbound UDP connection 35361 for outside:172.17.6.227/53 (172.17.6.227/53) to identity:117.135.114.78/21241 (117.135.114.78/21241)
DNS: No response
DNS: No response
DNS: No response
DNS: No response
Mar 30 2011 07:59:01: %ASA-6-302015: Built outbound UDP connection 35362 for outside:172.17.6.225/53 (172.17.6.225/53) to identity:117.135.114.78/32527 (117.135.114.78/32527)
DNS: get global group DefaultDNS handle 2336f5f
DNS: Resolve request for 'heise.de' group DefaultDNS
DNS: No response
DNS: No response
Mar 30 2011 07:59:07: %ASA-6-302015: Built outbound UDP connection 35364 for outside:172.17.6.227/53 (172.17.6.227/53) to identity:117.135.114.78/30575 (117.135.114.78/30575)
DNS: No response
DNS: No response
DNS: No response
DNS: No response
            ^
ERROR: % Invalid Hostname

How do I make the ASA use the DNS servers via the VPN tunnel?

I would like to do something like "logging host ADM 172.18.0.193" or "ntp server 172.18.0.192 source ADM" but with name-servers. But how?


Thanks in advance!

Frank
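The trace above already contains the diagnostic a network defender would want to automate: each %ASA-6-302015 line names the interface the query left on and the address the ASA sourced it from. The following Python is an added example, not code from the post or from Cisco. It parses those connection-build messages, pairs them with the "DNS: Resolve request" / "DNS: No response" debug lines, and flags lookups that the ASA sent out of the outside interface from its public address toward a private (RFC 1918) DNS server, which is the symptom shown here. The first two sample lines are copied from the post; the third is a constructed contrast line with a made-up private source address (172.31.7.254) to show what a lookup sourced from an inside-facing interface would look like. The interface name "identity" is the ASA's standard label for traffic it originates.

```python
"""Parse ASA %ASA-6-302015 messages and flag DNS lookups the ASA sourced from a
public address toward a private DNS server (i.e. queries that left the outside
interface outside the tunnel)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: lines 1, 2 and 4 are copied from the post; the third
# connection line is invented (private source 172.31.7.254) for contrast.
SAMPLE_LOG = """\
Mar 30 2011 07:58:49: %ASA-6-302015: Built outbound UDP connection 35360 for outside:172.17.6.225/53 (172.17.6.225/53) to identity:117.135.114.78/2117 (117.135.114.78/2117)
DNS: get global group DefaultDNS handle 2336f5f
DNS: Resolve request for 'heise.de' group DefaultDNS
DNS: No response
DNS: No response
Mar 30 2011 07:58:55: %ASA-6-302015: Built outbound UDP connection 35361 for outside:172.17.6.227/53 (172.17.6.227/53) to identity:117.135.114.78/21241 (117.135.114.78/21241)
DNS: No response
Mar 30 2011 07:59:30: %ASA-6-302015: Built outbound UDP connection 35370 for outside:172.17.6.225/53 (172.17.6.225/53) to identity:172.31.7.254/40001 (172.31.7.254/40001)
"""

# 302015 format: "Built <dir> <proto> connection <id> for <if>:<ip>/<port> (<mapped>)
# to <if>:<ip>/<port> (<mapped>)". Only the real addresses are captured.
CONN_RE = re.compile(
    r"%ASA-6-302015: Built (?P<direction>inbound|outbound) (?P<proto>\w+) "
    r"connection (?P<conn_id>\d+) "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([\d.]+/\d+\) "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) \([\d.]+/\d+\)"
)


@dataclass
class Conn:
    conn_id: int
    direction: str
    proto: str
    a: tuple  # (interface, ip, port) of the first endpoint in the message
    b: tuple  # (interface, ip, port) of the second endpoint


def parse_conn(line):
    """Return a Conn for a 302015 line, or None for any other line."""
    m = CONN_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Conn(int(g["conn_id"]), g["direction"], g["proto"],
                (g["if_a"], g["ip_a"], int(g["port_a"])),
                (g["if_b"], g["ip_b"], int(g["port_b"])))


def asa_dns_queries(lines):
    """Yield (conn, self_endpoint, server_endpoint) for connections the ASA
    itself ('identity') opened to port 53."""
    for line in lines:
        c = parse_conn(line)
        if c is None:
            continue
        for me, peer in ((c.a, c.b), (c.b, c.a)):
            if me[0] == "identity" and peer[2] == 53:
                yield c, me, peer


def cleartext_dns_findings(lines):
    """Flag ASA-originated DNS queries that egress 'outside' from a public
    source address toward a private server: such a query is not sourced from
    a tunnel-protected network, so the firewall has no way to reach the server."""
    findings = []
    for c, me, peer in asa_dns_queries(lines):
        server_private = ip_address(peer[1]).is_private
        source_public = not ip_address(me[1]).is_private
        if peer[0] == "outside" and server_private and source_public:
            findings.append({"conn_id": c.conn_id, "server": peer[1],
                             "source": me[1], "egress": peer[0]})
    return findings


def summarize(lines):
    """Count resolver attempts and failures alongside the findings."""
    return {
        "resolve_requests": sum("DNS: Resolve request" in l for l in lines),
        "no_responses": sum(l.strip() == "DNS: No response" for l in lines),
        "findings": cleartext_dns_findings(lines),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"{report['resolve_requests']} resolve request(s), "
          f"{report['no_responses']} 'No response' line(s)")
    for f in report["findings"]:
        print(f"conn {f['conn_id']}: DNS to {f['server']} left {f['egress']} "
              f"from public source {f['source']}")
```

Run against a "debug dns" or syslog capture, the script produces one finding per query that was sourced from the public outside address; the constructed third line, sourced from a private address, is deliberately not flagged, so the output isolates exactly the lookups that cannot have matched the tunnel's interesting-traffic definition.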

2 Replies

frank.poehner
Level 1

Hello again,

I give you some background information. What I really want to do is the following:

Clients behind the remote ASA shall get their IP addresses assigned dynamically by the remote ASA, and the remote ASA shall dynamically update the DNS servers in the head office.

dhcp-client update dns server both
dhcpd address 172.31.7.1-172.31.7.125 inside
dhcpd dns 172.17.6.227 172.17.6.225 interface inside
dhcpd lease 300 interface inside
dhcpd ping_timeout 5000 interface inside
dhcpd domain some.name interface inside
dhcpd update dns both override interface inside
dhcpd enable inside

DHCPD is working. The IPs get assigned and the ASA is trying to update the DNS RRs. But updating fails as the DNS servers cannot be reached.

Is this a thing CISCO has forgotten to implement? I have had an open TAC service request for this issue since the beginning of March. Can someone at CISCO please give a statement on this?

By the way, the ASA OS is 8.3.

If I have my DNS servers reachable without a VPN tunnel, everything works as expected. The DNS RRs are getting updated. But this is not realizable in the real installation in the remote location.

Best regards,

Frank

(Bump)

I have this same exact scenario!  I'd love this to be fixed, or a solution provided.

Thanks,

Kevin
