No DNS found error for dynamic URL on ASA SSL Web VPN

jds5
Level 1

Hello

We have defined a dynamic URL on the SSL web portal and it is greyed out with "Cannot find server or DNS Error".

We have internal DNS defined on our firewall, so it is not able to look up names on the internet.

URL is https://XXXXX.com/ (this is hosted on internet)

Anyone have any idea to solve this problem?

Thank you 

4 Replies

jds5
Level 1

Hello,

In addition, the ASA cannot resolve this URL, which is hosted on the internet.

The question would be how can we get the ASA to point to an external DNS?

Thanks for your help,

Hi @jds5,

This would be a configuration for you to achieve it:

dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220

You need to modify it to reflect your environment (meaning the nameif of the interface and your preferred DNS servers).

However, please note that this is a global command, so if you use internal DNS servers for some other purpose (you mentioned that you have them), it could mess things up. If they are just configured, and you are not using them, you are fine.

BR,

Milos

Hello Milos,

Thank you for your reply.

Indeed, internal DNS servers are used.
In your opinion, can we make internal and external DNS coexist on the same equipment (ASA)?
What is the risk of setting up this type of configuration?

I was told about the smart tunnel, but I don't know this type of infra.

You can add multiple servers in this group, so you have internal DNS servers first, followed by public ones. I haven't tested this behavior, but I would assume that the ASA would send all of its requests to the first DNS server and, for as long as it receives replies, it would continue using the same server. This way, it would never reach your public server, as I would expect that your internal DNS returns a blank reply (and a valid question is why your internal DNS doesn't resolve this public FQDN?), but it would reply.

There is an option to use multiple DNS groups and to assign them per tunnel-group, but I never tried this. In my understanding, you could define one group (e.g. the default one, which is already used) and assign it globally. Then you could create another one, by using the commands provided above (just change the name), and then assign that group to the newly created tunnel-group in which you are experiencing issues by using:

ciscoasa(config)# tunnel-group test type webvpn
ciscoasa(config)# tunnel-group test webvpn-attributes
ciscoasa(config-tunnel-webvpn)# dns-group dnsgroup1

As I said, I never used it before, so I can't be sure if it will work in this case, but you can try and let us know. You can find the reference here.

BR

Milos
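The two-group layout Milos describes, written out as one added configuration example (this is not a config from Milos, jds5 or Cisco, and, as the thread says, the per-tunnel-group binding is untested): the internal resolvers stay in the global DefaultDNS group, and a second group with the public resolvers is bound only to the WebVPN tunnel-group. The group name PublicDNS, the tunnel-group name WebPortal, the interface nameifs and the 10.0.0.x internal server addresses are placeholders to be replaced with your own values.

```cisco
! Allow the ASA itself to send DNS queries out of the interfaces that
! face each set of resolvers (nameifs "inside" and "outside" are assumed).
dns domain-lookup inside
dns domain-lookup outside
!
! Global group: keep the internal resolvers here so everything that
! already relies on them (placeholder addresses) is unchanged.
dns server-group DefaultDNS
 name-server 10.0.0.53
 name-server 10.0.0.54
!
! Second group with the public resolvers from the reply above.
! It is not used globally; it only takes effect where it is bound.
dns server-group PublicDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
!
! Bind the public group to the clientless WebVPN tunnel-group only,
! so internal name resolution elsewhere on the ASA is not affected.
tunnel-group WebPortal type webvpn
tunnel-group WebPortal webvpn-attributes
 dns-group PublicDNS
```

After applying this, verify with `show running-config dns` and `show running-config tunnel-group WebPortal` that the PublicDNS group appears only under the tunnel-group, not as the global default.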