DNS query from outside to internal, public DNS server

Discussion in 'Cisco' started by Lars Bonnesen, Apr 7, 2006.

  1. Running on an ASA 5520, I cannot figure out how to allow external DNS
    requests.

    Did a NAT for 53 udp and tcp and created a rule for this.

    But it does not allow the traffic.

    The internal DNS is btw working.

    What is the best way to do this?

    Regards, Lars.
     
    Lars Bonnesen, Apr 7, 2006
    #1

  2. chris Guest

    Can you show us the config? Are you getting hits on the acl? Is the DNS
    server seeing the inbound traffic? Can it talk to the outside world?

    Chris.
     
    chris, Apr 7, 2006
    #2

  3. Used ASDM 5.0 to config it.

    I tried this (show running-config):

    dns retries 2
    dns timeout 2
    dns domain-lookup outside
    dns domain-lookup inside
    dns name-server a.b.c.d

    (a.b.c.d is internal DNS server)

    It did not work.

    Then tried:

    static (inside,outside) tcp q.w.e.r domain a.b.c.d domain netmask 255.255.255.255
    static (inside,outside) udp q.w.e.r domain a.b.c.d domain netmask 255.255.255.255

    q.w.e.r is the public IP of the internal DNS.

    Also did a security policy, but it does not show up in the access list.
    Yes. The problem is the config on the Cisco.

    Regards, Lars.
     
    Lars Bonnesen, Apr 7, 2006
    #3
  4. chris Guest

    Nothing to do with allowing inbound DNS queries to your server!
    If you are port forwarding from your external IP address to the DNS server
    then I think that you are supposed to use the keyword "interface" rather
    than the external IP address.
    If it doesn't show up in the access list then the chances are that it isn't
    in there, therefore no traffic to your server!
     
    chris, Apr 7, 2006
    #4
  5. What is it used for then?
    I have several IP addresses. If I use "interface" - how can the Cisco then
    know which IP address to use?
    You are right - but why does it not show up? The policy is created in ASDM
    and I did an "apply" - and I still can see them in ASDM. Could it be that
    the Cisco does not allow it to be created because some proxy is doing the
    DNS job?

    Regards, Lars.
     
    Lars Bonnesen, Apr 8, 2006
    #5
  6. Sorry - it is in fact listed in the access list:

    access-list OUTSIDEIN extended permit tcp any eq domain host z.x.c.v eq domain
    access-list OUTSIDEIN extended permit udp any eq domain host z.x.c.v eq domain

    But is it listed with the public IP - I was looking for a private IP,
    because the policy in ASDM was created from any outside to localIP inside.

    Why isn't it working?

    Regards, Lars.
     
    Lars Bonnesen, Apr 8, 2006
    #6
  7. chris Guest

    > What is it used for then?

    DNS resolution for the Pix.

    > I have several IP addresses. If I use "interface" - how can the Cisco then
    > know which IP address to use?

    Because you are specifying the *internal* IP address in the static. The
    "interface" keyword is for when you are port forwarding from the *external*
    interface IP address.

    i.e. if I have a web server on 192.168.10.1 and a mail server on 192.168.10.2
    then I might use ..

    static (inside,outside) tcp interface 80 192.168.10.1 80 netmask 255.255.255.255

    static (inside,outside) tcp interface 25 192.168.10.2 25 netmask 255.255.255.255

    Requests to the external IP address on port 80 would go to .1 and requests to
    the same external IP address on port 25 would go to .2

    Chris.
     
    chris, Apr 8, 2006
    #7
  8. chris Guest

    > But is it listed with the public IP - I was looking for a private IP,
    > because the policy in ASDM was created from any outside to localIP inside.

    Because traffic from the outside will be sent to the public IP, not the
    private one!

    > Why isn't it working?

    Maybe the IP's are wrong? Maybe the DNS server isn't set up to accept
    external queries? Maybe the access list isn't applied to the interface?

    You really need to look at the logging on the firewall when you try external
    access to the DNS server. if traffic is being dropped by the ACL then you'll
    see that in the logs.

    What's the IP address of your external interface?

    Chris.
     
    chris, Apr 8, 2006
    #8
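    The port forward that chris describes in #7 and the checks he lists in #8, written out as one complete ASA 7.x configuration fragment with the verification commands. This is an added example for this page, not configuration from the thread or from Cisco documentation. It keeps the thread's placeholders: q.w.e.r is the public address, a.b.c.d the internal DNS server, inside/outside the interface names and OUTSIDEIN the inbound ACL; 198.51.100.10 is an assumed internet client used only in the packet-tracer lines. One difference from the ACL Lars pasted in #6: his entries match the source port (`any eq domain`), which only admits queries sent from source port 53, while real resolvers use ephemeral source ports, so the example matches on the destination port only.

```cisco
! --- Added example (not from the thread): publish an internal DNS server on one public IP ---
! Static PAT for port 53 only: the public address q.w.e.r forwards UDP/53 and TCP/53
! to the internal server a.b.c.d and nothing else. Use the keyword "interface" in
! place of q.w.e.r only when the public address is the outside interface's own address.
static (inside,outside) udp q.w.e.r domain a.b.c.d domain netmask 255.255.255.255
static (inside,outside) tcp q.w.e.r domain a.b.c.d domain netmask 255.255.255.255

! Inbound ACL on the outside interface. Match the DESTINATION port only; resolvers
! query from ephemeral source ports, so a source "eq domain" would drop nearly all
! real queries. The destination is the public (translated) address, which is the
! address the ASA sees before it undoes the static.
access-list OUTSIDEIN extended permit udp any host q.w.e.r eq domain
access-list OUTSIDEIN extended permit tcp any host q.w.e.r eq domain
access-group OUTSIDEIN in interface outside

! Log to the buffer so an ACL drop shows up as a %ASA-4-106023 message.
logging enable
logging buffered informational

! --- Verification from the ASA CLI ---
! 1. Does the translation exist?
show xlate | include domain
! 2. Do the ACEs get hits when an outside host sends a query? (hitcnt=N increments)
show access-list OUTSIDEIN
! 3. Simulate a query from the assumed internet client 198.51.100.10 (packet-tracer
!    is available from ASA 7.2); the trace names the phase (NAT, ACL, inspect) that
!    would drop the packet.
packet-tracer input outside udp 198.51.100.10 40000 q.w.e.r 53
packet-tracer input outside tcp 198.51.100.10 40000 q.w.e.r 53
! 4. Anything denied by the inbound ACL is recorded here:
show logging | include 106023
```

    Test from a host that is actually outside the firewall (not from another internal LAN that may have its own outbound filtering, which is what bit Lars in #9), for example `dig @q.w.e.r example.com` and `dig +tcp @q.w.e.r example.com`. Two things to check beyond the firewall: the default global policy on the ASA inspects DNS with `inspect dns maximum-length 512`, so responses larger than 512 bytes (EDNS0) are dropped until that length is raised; and a server reachable from the internet that also recurses for internal clients is an open resolver that can be used for reflection attacks, so limit recursion to internal networks on the server itself (for example BIND's `allow-recursion`) or expose only authoritative zones.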
  9. My god, how dumb I am.... I didn't allow outgoing DNS lookup to that address
    from the LAN I am sitting on (another one). The Cisco config is working
    correctly.

    Sorry for the inconvenience and thank you for trying...
     
    Lars Bonnesen, Apr 8, 2006
    #9
  10. chris Guest

    Glad to hear that it's working. The answer is usually something simple ;-)

    Chris.
     
    chris, Apr 8, 2006
    #10