What ACL will allow DNS through the ASA?

Jan 17, 2007
I have 2 internal caching DNS machines which must get DNS requests out. I did this:

..
access-list acl_outside extended permit udp any host 192.168.7.250 eq domain
access-list acl_outside extended permit udp any host 192.168.7.251 eq domain
...
access-list acl_inside extended permit udp host 192.168.7.250 any eq domain
access-list acl_inside extended permit udp host 192.168.7.251 any eq domain
...
And there's also the standard policy_map stuff:
inspect dns map1 (with parameter message-length max 512).

But there are DNS problems on the inside: I can visit websites that my internal DNS servers have cached, but new ones can be seen only by IP.


What else needs to happen?
 
You need to post your whole config to see what is going on; statics and the rest of the ACLs matter.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I have no configuration for DNS traffic to pass, I'm starting from scratch so nothing is currently in the config.

What must be in the config for it to work? The above is my guess, but since you mention statics, I guess there's more required.

What is required? What does it look like?

 
So my 2 DNS machines must each have a public IP address from my tiny, precious pool of public IPs to work? This seems wrong to me. The only reason I say this is we currently have a PIX firewall and our current DNS works fine and we don't currently use up 2 public IPs to accomplish it.

In fact, in our current setup, I see the lines which allow egress (on acl_inside), but don't see any rules for ingress (on acl_outside) that deal with DNS. I thought that stateful inspection would allow responses automatically, but DNS is UDP so that's not true, is it?

And yet we have some systems which allow 3389 and those do have public IPs applied with static (inside,outside) ... But nothing analogous for DNS. Does the PIX do something fundamentally different than the ASA when dealing with DNS?
 
So your DNS servers only serve internal clients? If so, then no, you do not need to use any public IPs. You will just have to allow that traffic in the inside interface.
The stateful inspection will watch UDP traffic and go by source and destination IP.

To have any 2 servers of the same service available from the outside world you need 2 IPs. There is no way around it with just the firewall.



Brent
Systems Engineer / Consultant
CCNP, CCSP
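The following is an added worked example, not config posted by either participant, that puts Brent's answer into a complete minimal ASA fragment for the situation described in the thread: two caching resolvers (192.168.7.250/.251, from the thread) that serve only inside clients. Interface names, the object-group name, the NAT pool and the PUBLIC_IP placeholder are assumptions; the syntax is the pre-8.3 form current when the thread was written, so outside-facing ACL entries reference translated (mapped) addresses.

```text
! Added example (not from the thread): minimal ASA config for two internal
! caching resolvers that only answer inside clients.
!
! Outbound: only the resolvers may send DNS out. Nothing else on the inside
! needs to reach external DNS directly, so keep the rule that narrow.
object-group network INTERNAL-RESOLVERS
 network-object host 192.168.7.250
 network-object host 192.168.7.251
access-list acl_inside extended permit udp object-group INTERNAL-RESOLVERS any eq domain
access-list acl_inside extended permit tcp object-group INTERNAL-RESOLVERS any eq domain
access-group acl_inside in interface inside
!
! Inbound: NO acl_outside entry for the resolvers. When a query leaves, the
! ASA creates a UDP connection entry (source/destination IP and port) and the
! reply is matched against that entry, not against acl_outside.
! A rule of the form
!   access-list acl_outside extended permit udp any host 192.168.7.250 eq domain
! would never match on the outside interface anyway: the packet arriving there
! carries the translated address, and "eq domain" applies to the destination
! port, whereas a reply is sent to the resolver's ephemeral query port.
! Left in place, an "any ... eq domain" outside rule only opens unsolicited
! inbound port-53 traffic, which is not what is wanted here.
!
! Outbound NAT (pre-8.3 syntax): the resolvers share the interface address
! with the rest of the inside network. No static, no dedicated public IP.
global (outside) 1 interface
nat (inside) 1 192.168.7.0 255.255.255.0
!
! DNS inspection as described in the thread. The inspector tears down the UDP
! connection entry once the matching reply is seen and enforces the size cap.
! 512 is the ASA default; EDNS0 replies can be larger and would be dropped by
! this cap, so raise it if large replies start failing (added note, not from
! the thread).
policy-map type inspect dns map1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns map1
service-policy global_policy global
!
! Only a server that must answer Internet clients needs its own public IP,
! a static translation and an outside-ACL entry. PUBLIC_IP is a placeholder:
!   static (inside,outside) PUBLIC_IP 192.168.7.250 netmask 255.255.255.255
!   access-list acl_outside extended permit udp any host PUBLIC_IP eq domain
!   access-group acl_outside in interface outside
! Two externally reachable servers on the same port therefore need two
! public IPs, as the answer above states.
```

A quick check after applying this: run a lookup from one of the resolvers for a name it has not cached and watch `show conn` for a `UDP` entry from 192.168.7.250 to the upstream server on port 53; it should appear while the query is outstanding and be removed once the reply passes inspection. If the entry never appears, the inside ACL or `access-group` is the problem; if it appears but no reply arrives, look at NAT or the message-length cap rather than at acl_outside.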
 