DNS query from outside to internal, public DNS server

Discussion in 'Cisco' started by Lars Bonnesen, Apr 7, 2006.

  1. Running on an ASA 5520, I cannot figure out how to allow external DNS
    requests.

    Did a NAT for 53 udp and tcp and created a rule for this.

    But it does not allow the traffic.

    The internal DNS is btw working.

    What is the best way to do this?

    Regards, Lars.
    Lars Bonnesen, Apr 7, 2006
    #1
  2. chris (Guest)

    "Lars Bonnesen" <none@none.æøå> wrote in message
    news:443661e4$0$154$...
    > Running on an ASA 5520, I cannot figure out how to allow external DNS
    > requests.
    >
    > Did a NAT for 53 udp and tcp and created a rule for this.
    >
    > But it does not allow the traffic.
    >
    > The internal DNS is btw working.
    >
    > What is the best way to do this?
    >
    > Regards, Lars.
    >


    Can you show us the config? Are you getting hits on the acl? Is the DNS
    server seeing the inbound traffic? Can it talk to the outside world?

    Chris.
    chris, Apr 7, 2006
    #2

  3. "chris" <> wrote in message
    news:...
    >
    > Can you show us the config?


    Used ASDM 5.0 to configure it.

    I tried this (show running config):

    dns retries 2
    dns timeout 2
    dns domain-lookup outside
    dns domain-lookup inside
    dns name-server a.b.c.d

    (a.b.c.d is internal DNS server)

    It did not work.

    Then tried:

    static (inside,outside) tcp q.w.e.r domain a.b.c.d domain netmask
    255.255.255.255
    static (inside,outside) udp q.w.e.r domain a.b.c.d domain netmask
    255.255.255.255

    q.w.e.r is the public IP of the internal DNS.

    Also did a security policy, but it does not show up in the access list.

    > server seeing the inbound traffic?


    No.

    > Can it talk to the outside world?


    Yes. The problem is the config on the Cisco.

    Regards, Lars.
    Lars Bonnesen, Apr 7, 2006
    #3
  4. chris (Guest)

    "Lars Bonnesen" <none@none.æøå> wrote in message
    news:4436d391$0$889$...
    >
    > "chris" <> wrote in message
    > news:...
    >>
    >> Can you show us the config?

    >
    > Used ASDM 5.0 to configure it.
    >
    > I tried this (show running config):
    >
    > dns retries 2
    > dns timeout 2
    > dns domain-lookup outside
    > dns domain-lookup inside
    > dns name-server a.b.c.d


    Nothing to do with allowing inbound DNS queries to your server!

    > (a.b.c.d is internal DNS server)
    >
    > It did not work.
    >
    > Then tried:
    >
    > static (inside,outside) tcp q.w.e.r domain a.b.c.d domain netmask
    > 255.255.255.255
    > static (inside,outside) udp q.w.e.r domain a.b.c.d domain netmask
    > 255.255.255.255
    >
    > q.w.e.r is the public IP of the internal DNS.


    If you are port forwarding from your external IP address to the DNS server
    then I think that you are supposed to use the keyword "interface" rather
    than the external IP address.

    > Also did a security policy, but it does not show up in the access list.
    >


    If it doesn't show up in the access list then the chances are that it isn't
    in there, therefore no traffic to your server!


    >> server seeing the inbound traffic?

    >
    > No.
    >
    >> Can it talk to the outside world?

    >
    > Yes. The problem is the config on the Cisco.
    >
    > Regards, Lars.
    >
    chris, Apr 7, 2006
    #4
  5. "chris" <> wrote in message
    news:...
    >> dns retries 2
    >> dns timeout 2
    >> dns domain-lookup outside
    >> dns domain-lookup inside
    >> dns name-server a.b.c.d

    >
    > Nothing to do with allowing inbound DNS queries to your server!


    What is it used for then?

    >> Then tried:
    >>
    >> static (inside,outside) tcp q.w.e.r domain a.b.c.d domain netmask
    >> 255.255.255.255
    >> static (inside,outside) udp q.w.e.r domain a.b.c.d domain netmask
    >> 255.255.255.255
    >>
    >> q.w.e.r is the public IP of the internal DNS.

    >
    > If you are port forwarding from your external IP address to the DNS server
    > then I think that you are supposed to use the keyword "interface" rather
    > than the external IP address.


    I have several IP addresses. If I use "interface" - how can the Cisco then
    know which IP address to use?

    > If it doesn't show up in the access list then the chances are that it
    > isn't in there, therefore no traffic to your server!


    You are right - but why does it not show up? The policy is created in ASDM
    and I did an "apply" - and I still can see them in ASDM. Could it be that
    the Cisco does not allow it to be created because some proxy is doing the
    DNS job?

    Regards, Lars.
    Lars Bonnesen, Apr 8, 2006
    #5
  6. "Lars Bonnesen" <none@none.æøå> wrote in message
    news:44376350$0$849$...
    >
    > "chris" <> wrote in message
    > news:...


    >> If it doesn't show up in the access list then the chances are that it
    >> isn't in there, therefore no traffic to your server!

    >
    > You are right - but why does it not show up? The policy is created in ASDM
    > and I did an "apply" - and I still can see them in ASDM. Could it be that
    > the Cisco does not allow it to be created because some proxy is doing the
    > DNS job?


    Sorry - it is in fact listed in the access list:

    access-list OUTSIDEIN extended permit tcp any eq domain host z.x.c.v eq
    domain
    access-list OUTSIDEIN extended permit udp any eq domain host z.x.c.v eq
    domain

    But it is listed with the public IP - I was looking for a private IP,
    because the policy in ASDM was created from any outside to localIP inside.

    Why isn't it working?

    Regards, Lars.
    Lars Bonnesen, Apr 8, 2006
    #6
  7. chris (Guest)

    "Lars Bonnesen" <none@none.æøå> wrote in message
    news:44376350$0$849$...
    >
    > "chris" <> wrote in message
    > news:...
    >>> dns retries 2
    >>> dns timeout 2
    >>> dns domain-lookup outside
    >>> dns domain-lookup inside
    >>> dns name-server a.b.c.d

    >>
    >> Nothing to do with allowing inbound DNS queries to your server!

    >
    > What is it used for then?



    DNS resolution for the Pix.



    >>> Then tried:
    >>>
    >>> static (inside,outside) tcp q.w.e.r domain a.b.c.d domain netmask
    >>> 255.255.255.255
    >>> static (inside,outside) udp q.w.e.r domain a.b.c.d domain netmask
    >>> 255.255.255.255
    >>>
    >>> q.w.e.r is the public IP of the internal DNS.

    >>
    >> If you are port forwarding from your external IP address to the DNS
    >> server then I think that you are supposed to use the keyword "interface"
    >> rather than the external IP address.

    >
    > I have several IP addresses. If I use "interface" - how can the Cisco then
    > know which IP address to use?



    Because you are specifying the *internal* IP address in the static. The
    "interface" keyword is for when you are port forwarding from the *external*
    interface IP address.

    ie. if I have a web server on 192.168.10.1 and a mail server on 192.168.10.2
    then I might use ..

    static (inside,outside) tcp interface 80 192.168.10.1 80 netmask
    255.255.255.255

    static (inside,outside) tcp interface 25 192.168.10.2 25 netmask
    255.255.255.255

    Requests to the external IP address on port 80 would go to .1 and requests to
    the same external IP address on port 25 would go to .2

    Chris.
    chris, Apr 8, 2006
    #7
  8. chris (Guest)


    > Sorry - it is in fact listed in the access list:
    >
    > access-list OUTSIDEIN extended permit tcp any eq domain host z.x.c.v eq
    > domain
    > access-list OUTSIDEIN extended permit udp any eq domain host z.x.c.v eq
    > domain
    >
    > But it is listed with the public IP - I was looking for a private IP,


    Because traffic from the outside will be sent to the public IP, not the
    private one!



    > because the policy in ASDM was created from any outside to localIP inside.
    >
    > Why isn't it working?



    Maybe the IP's are wrong? Maybe the DNS server isn't set up to accept
    external queries? Maybe the access list isn't applied to the interface?

    You really need to look at the logging on the firewall when you try external
    access to the DNS server. if traffic is being dropped by the ACL then you'll
    see that in the logs.

    What's the IP address of your external interface?

    Chris.
    chris, Apr 8, 2006
    #8
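Chris's advice in the post above is the right check: read the firewall log while a query is sent from outside, because the log tells you which of the three possible failures you have. What follows is an added example, not code from the thread or from Cisco: a small Python triage script that runs that check over ASA syslog. It looks for message 106023 (packet denied by an access-group, severity 4) and 302013/302015 (TCP/UDP connection built, severity 6; the ASA only records these if buffered or syslog logging is set to informational or higher) for the DNS server's address on port 53 and returns one of three verdicts: the ACL dropped it, the firewall passed it to the server, or nothing for that address ever reached the outside interface. The sample log lines are constructed in the documented formats; the RFC 5737 addresses, the interface names and the ACL name OUTSIDEIN are assumptions standing in for the thread's placeholders.

```python
"""Triage inbound DNS (port 53) to a static-NATed server from ASA syslog.

Added example, not code from the thread or from Cisco. The sample lines
are constructed in the documented ASA formats for message 106023 (packet
denied by an access-group) and 302013/302015 (TCP/UDP connection built),
using RFC 5737 documentation addresses. The public and real server
addresses, the client address, the interface names and the ACL name
OUTSIDEIN are assumptions standing in for the thread's placeholders.
"""
import re

PUBLIC_IP = "192.0.2.10"   # assumed mapped (outside) address of the DNS server
REAL_IP = "10.0.0.10"      # assumed real (inside) address of the DNS server

DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)
BUILT_RE = re.compile(
    r'%ASA-\d-30201[35]: Built (?P<direction>inbound|outbound) '
    r'(?P<proto>TCP|UDP) connection \d+ '
    r'for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) '
    r'to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'\((?P<mapped>[\d.]+)/(?P<mport>\d+)\)'
)

# Constructed sample logs: one per outcome the thread discusses.
LOG_ACL_DROP = [
    '%ASA-4-106023: Deny udp src outside:203.0.113.5/53421 '
    'dst inside:192.0.2.10/53 by access-group "OUTSIDEIN" [0x0, 0x0]',
    # unrelated deny (SMTP to another host) that must be ignored
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/40001 '
    'dst inside:192.0.2.11/25 by access-group "OUTSIDEIN" [0x0, 0x0]',
]
LOG_PASSED = [
    '%ASA-6-302015: Built inbound UDP connection 8871 '
    'for outside:203.0.113.5/53421 (203.0.113.5/53421) '
    'to inside:10.0.0.10/53 (192.0.2.10/53)',
    '%ASA-6-302013: Built inbound TCP connection 8872 '
    'for outside:203.0.113.5/40002 (203.0.113.5/40002) '
    'to inside:10.0.0.10/53 (192.0.2.10/53)',
]
LOG_QUIET = [
    # only the server's own outbound lookups: nothing ever arrived for port 53
    '%ASA-6-302015: Built outbound UDP connection 8873 '
    'for outside:198.51.100.53/53 (198.51.100.53/53) '
    'to inside:10.0.0.10/50222 (192.0.2.10/50222)',
]


def triage_inbound_dns(log_lines, public_ip, real_ip, port=53):
    """Classify what the firewall saw for queries to public_ip:port.

    Returns {'verdict': ..., 'denied': [...], 'built': [...]} where verdict is
      'acl_denied'    - the outside ACL dropped the query: the permit line is
                        missing, names the wrong address, or the ACL is not
                        applied to the interface with access-group
      'passed'        - the ASA built the connection to the inside server, so
                        the NAT and ACL are fine; look at the DNS server next
      'never_arrived' - no hit at all for that address/port, so the query
                        never reached the outside interface (the thread's case)
    The deny is matched on either the mapped or the real address so the check
    works whichever of the two the running release puts in the message.
    """
    denied, built = [], []
    for line in log_lines:
        m = DENY_RE.search(line)
        if m and int(m["dport"]) == port and m["dst"] in (public_ip, real_ip):
            denied.append(m.groupdict())
            continue
        m = BUILT_RE.search(line)
        if (m and m["direction"] == "inbound"
                and int(m["mport"]) == port and m["mapped"] == public_ip):
            built.append(m.groupdict())
    if denied:
        verdict = "acl_denied"
    elif built:
        verdict = "passed"
    else:
        verdict = "never_arrived"
    return {"verdict": verdict, "denied": denied, "built": built}


if __name__ == "__main__":
    for name, log in (("acl drop", LOG_ACL_DROP), ("passed", LOG_PASSED),
                      ("quiet", LOG_QUIET)):
        r = triage_inbound_dns(log, PUBLIC_IP, REAL_IP)
        print(f"{name}: {r['verdict']} "
              f"(denied={len(r['denied'])}, built={len(r['built'])})")
```

Feed it the output of "show logging" (or the syslog collector's file) captured while a query is sent from a host outside. A "never_arrived" verdict is what Lars turned out to have: the packets were being blocked upstream of the ASA, so no amount of ASA configuration would have shown anything in the log. One caveat for anyone reading this thread today: on the 2006-era software the access list on the outside interface matches the mapped (public) address, which is why OUTSIDEIN lists z.x.c.v as Chris explains; from ASA 8.3 onward access lists reference the real (inside) address instead, so the same rule would name a.b.c.d and the NAT statements take a different syntax.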
  9. "chris" <> wrote in message
    news:...
    > Maybe the IP's are wrong? Maybe the DNS server isn't set up to accept
    > external queries? Maybe the access list isn't applied to the interface?


    My god, how dumb I am.... I didn't allow outgoing DNS lookups to that address
    from the LAN I am sitting on (another one). The Cisco config is working
    correctly.

    Sorry for the inconvenience and thank you for trying...
    Lars Bonnesen, Apr 8, 2006
    #9
  10. chris (Guest)

    "Lars Bonnesen" <none@none.æøå> wrote in message
    news:44378374$0$914$...
    >
    > "chris" <> wrote in message
    > news:...
    >> Maybe the IP's are wrong? Maybe the DNS server isn't set up to accept
    >> external queries? Maybe the access list isn't applied to the interface?

    >
    > My god, how dumb I am.... I didn't allow outgoing DNS lookups to that
    > address from the LAN I am sitting on (another one). The Cisco config is
    > working correctly.
    >
    > Sorry for the inconvenience and thank you for trying...
    >


    Glad to hear that it's working. The answer is usually something simple ;-)

    Chris.
    chris, Apr 8, 2006
    #10