0

I have an ASA 5515 as my internet firewall. It is not allowing me to do NS Lookups from any internal DNS Servers, or clients. If I set my nslookup server to 8.8.8.8 (google DNS), I can resolve public DNS names. If I am on the internal network, breaks.

I have the following in my ASA: 

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 8192
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect pptp 
  inspect ipsec-pass-thru 
  inspect icmp 
  inspect dns preset_dns_map

Any ideas as to why its not working?

user1955162
  • 296
  • 3
  • 16
  • 2
    More likely the breakage is related to an ACL or NAT problem.. do you have an internal DNS server that's handling the DNS requests for the internal network now? – Shane Madden Oct 27 '14 at 17:49
  • My internal DNS server can resolve its records, but it can not forward lookups. When I am in my network, I can not lookup external hosts either. Im using 4.2.2.1 and 8.8.8.8 DNS servers from NSLOOKUP – user1955162 Oct 27 '14 at 19:34
  • 1
    I'd guess that's a problem with firewall ACLs, then - can you provide the relevant config for those - probably an inbound rule set on the inside interface? – Shane Madden Oct 27 '14 at 20:30
  • It turned out to be a NAT inside, outside DYNAMIC problem. Not sure how that rule disappeared on the reboot, but I guess it did. All traffic was being blocked. Thanks you the input :) – user1955162 Oct 31 '14 at 03:05

1 Answers1

1

As per the mentioned notes when you are sending a DNS query internally is it going through the firewall or not. If it is run a packet for the concerned traffic and see if the traffic is getting dropped at any stage. If due to any reason ASA is dropping the traffic collect the output of ASP capture. ASP capture will help us to isolate the reason due to which ASA is dropping the packet.

Shoaib Alam
  • 11
  • 1