Web server in DMZ cannot access external DNS through ASA5510

  • Web server in DMZ cannot access external DNS through ASA5510

    (ASA 5510)

    I have a web server that everyone can reach from outside, but I cannot browse from it to the web unless I use IPs. DNS does not work. I have the DNS on the server pointing to my ISP's DNS servers.

    Is there a certain port I have to open on the outside or DMZ port to allow access to external DNS servers?
    Thank you,

    Marc

  • #2
    Re: Web server in DMZ cannot access external DNS through ASA5510

    Is there an access list bound to the DMZ interface?

    Try something like

    access-list dmz_to_outside permit udp host 192.168.0.1 host 1.1.1.1 eq 53
    access-list dmz_to_outside permit udp host 192.168.0.1 host 1.1.1.2 eq 53

    where 192.168.0.1 is the IP address of your web server and 1.1.1.1 and 1.1.1.2 are the ISP's DNS servers. This should allow DNS lookups (which are UDP) to those servers. I assume you already have an ACL, because this should work by "default", as DMZ is higher security than the outside.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?
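As an added example (my own, not Andy's and not anything from Cisco), here is a small first-match evaluator for the two access-list lines in the reply above. It assumes the addresses the reply uses as placeholders (192.168.0.1 for the web server, 1.1.1.1 and 1.1.1.2 for the ISP's DNS servers) and shows what those lines do and do not permit: UDP/53 to the two listed servers passes, while everything else falls to the implicit deny at the end of an ASA ACL, including DNS over TCP, which a resolver retries with when a UDP answer comes back truncated.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The two ACEs from the reply above (constructed copy; the addresses are the
# reply's placeholders, not a real deployment).
ACL_TEXT = """
access-list dmz_to_outside permit udp host 192.168.0.1 host 1.1.1.1 eq 53
access-list dmz_to_outside permit udp host 192.168.0.1 host 1.1.1.2 eq 53
"""

# A few port keywords the ASA accepts in place of numbers.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means "any destination port"


def _parse_addr(tokens: List[str], i: int):
    """Parse 'host A', 'any' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ASA ACLs take a subnet mask here (255.255.255.0), not an IOS wildcard.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """The first matching ACE decides; no match means the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dst_port:
            continue
        return ace.action == "permit"
    return False


DMZ_ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for proto, dst, port in [("udp", "1.1.1.1", 53), ("tcp", "1.1.1.1", 53),
                             ("udp", "1.1.1.3", 53), ("tcp", "1.1.1.1", 80)]:
        verdict = "permit" if evaluate(DMZ_ACL, proto, "192.168.0.1", dst, port) else "deny (implicit)"
        print(f"{proto}/{port} -> {dst}: {verdict}")
```

Run it as-is to see the four verdicts; the TCP/53 deny is the line to watch if a DNS answer ever exceeds what fits in one UDP datagram.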



    • #3
      Re: Web server in DMZ cannot access external DNS through ASA5510

      That worked... nslookup works fine. IE, on the other hand, cannot resolve. I know we are beyond the ASA now, but if anyone has any suggestions...

      Thank you,

      Marc



      • #4
        Re: Web server in DMZ cannot access external DNS through ASA5510

        Is IE Enhanced Security affecting it by any chance?
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR



        • #5
          Re: Web server in DMZ cannot access external DNS through ASA5510

          I don't think so. Google is in trusted sites. I can get to google and yahoo if I type the IP into the address bar, but not by typing www.google.com
          Thank you,

          Marc



          • #6
            Re: Web server in DMZ cannot access external DNS through ASA5510

            Hmm.

            Have you got the fixup for DNS set up with 512 bytes?

            Something along this line?

            Code:
            policy-map type inspect dns preset_dns_map
             parameters
              message-length maximum 512
            policy-map global_policy
             class inspection_default
              inspect dns preset_dns_map

            Maybe change the max bytes to 1024 or something like that?

            EDIT:

            This
            http://www.cisco.com/en/US/docs/secu...html#wp1883549
            cheers
            Andy
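The policy-map above makes the ASA's DNS inspection drop any DNS message longer than `message-length maximum`. As an added example (mine, not from this thread and not Cisco's code), here is a minimal DNS query builder with an optional EDNS0 OPT record, a reader for the UDP payload size a query advertises, a function that models the length check, and a UDP lookup you can point at a real resolver when you have network access. It assumes only the Python 3 standard library; `www.google.com` is the name used later in the thread, and the resolver address is a parameter you supply (`192.0.2.53` in the main block is a placeholder, since the page gives no ISP DNS address). The point it illustrates: a plain query advertises the classic 512-byte limit, whereas an EDNS0-capable resolver may advertise 4096 bytes and receive answers that a 512-byte inspection limit would discard, which is why the value is worth checking when lookups behave differently between tools.

```python
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41            # EDNS0 pseudo-RR type (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload limit without EDNS0


def encode_name(name: str) -> bytes:
    """'www.google.com' -> b'\\x03www\\x06google\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, edns_udp_size: int = None, txid: int = 0x1234) -> bytes:
    """Standard recursive query; appends an OPT record when edns_udp_size is given."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    msg = header + question
    if edns_udp_size:
        # OPT: root name, TYPE=41, CLASS=advertised UDP size, TTL=0 (ext rcode/flags), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes) -> int:
    """UDP payload size from the OPT record, or 512 when the message carries none."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:
            return rclass                           # the CLASS field carries the size
        off += rdlen
    return CLASSIC_UDP_LIMIT


def is_truncated(msg: bytes) -> bool:
    """TC bit of the header: the server had more than fit in the UDP reply."""
    flags = struct.unpack_from("!H", msg, 2)[0]
    return bool((flags >> 9) & 1)


def inspection_verdict(msg: bytes, message_length_maximum: int = 512) -> str:
    """Model of the 'message-length maximum' check: longer messages are dropped.
    (Constructed model of the documented behaviour, not ASA code.)"""
    return "drop" if len(msg) > message_length_maximum else "pass"


def udp_lookup(name: str, server: str, edns_udp_size: int = None, timeout: float = 3.0) -> bytes:
    """Send one query over UDP/53 and return the raw answer. Needs network access."""
    query = build_query(name, edns_udp_size=edns_udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        answer, _ = s.recvfrom(65535)
    return answer


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # placeholder: pass your ISP's resolver
    for size in (None, 4096):
        answer = udp_lookup("www.google.com", server, edns_udp_size=size)
        print(f"edns={size}: {len(answer)} bytes, truncated={is_truncated(answer)}, "
              f"inspection@512={inspection_verdict(answer)}")
```

Run it from the DMZ host with the resolver address as the argument and compare the two lines: an answer that passes at 512 without EDNS0 but is larger than 512 with it is exactly the case the inspection limit would drop.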



            • #7
              Re: Web server in DMZ cannot access external DNS through ASA5510

              Good call Andy. It was set to 512. I set it to 1024 and still no go.
              Thank you,

              Marc



              • #8
                Re: Web server in DMZ cannot access external DNS through ASA5510

                Hmm
                I think we need to get some logging going.
                Can you load up ASDM or maybe set the syslog going?

                May be worth trying Firefox on that box too, just in case? (Maybe even a different profile?)
                cheers
                Andy



                • #9
                  Re: Web server in DMZ cannot access external DNS through ASA5510

                  ...I have ASDM installed (flash shows asdm-502) and it worked flawlessly... I upgraded the IOS a couple of weeks back so that I could do failover between two ISPs (Cisco tech helped). I haven't used ASDM since before that, and now it doesn't work: "ASDM Launcher supports ASDM5.0 or higher versions only"

                  not to get sidetracked
                  Thank you,

                  Marc



                  • #10
                    Re: Web server in DMZ cannot access external DNS through ASA5510

                    I would get the latest version of ASDM for that software as well.
                    Can you setup the syslog?
                    cheers
                    Andy



                    • #11
                      Re: Web server in DMZ cannot access external DNS through ASA5510

                      I updated ASDM and can see the syslog... it seems overwhelming.

                      What should I look for? I tried accessing the Internet while the log was going and did not see any errors.

                      In the ASDM program, I created a new DNS server group and put the two known name servers in it. It also shows that DNS is enabled on that interface. Does DNS have to be enabled on both the DMZ and Outside interfaces?
                      Last edited by tnshurtm; 13th March 2009, 20:02.
                      Thank you,

                      Marc



                      • #12
                        Re: Web server in DMZ cannot access external DNS through ASA5510

                        The ASA can give out DNS server IP addresses as part of DHCP, but there is no requirement to enable it anywhere. DNS traffic should be allowed assuming the rules are there (by default it is allowed until you bind an ACL to the interface your traffic is initially hitting).
                        The issue must be elsewhere. You stated below (or above) that nslookup works. Did you try Firefox or another profile? Also check for proxy servers.
                        If nslookup works, then DNS lookups are working. If you can browse to an IP address, then "internet" access is working, so it seems more likely IE is being restricted somehow.
                        What page do you see when it fails?
                        cheers
                        Andy

