DNS query from outside to internal, public DNS server
Posted by Lars Bonnesen on April 7th, 2006


Running on an ASA 5520, I cannot figure out how to allow external DNS
requests.

Did a NAT for 53 udp and tcp and created a rule for this.

But it does not allow the traffic.

The internal DNS is btw working.

What is the best way to do this?

Regards, Lars.


Posted by chris on April 7th, 2006



"Lars Bonnesen" <none@none.זרו> wrote in message
news:443661e4$0$154$edfadb0f@dread16.news.tele.dk...
Can you show us the config? Are you getting hits on the acl? Is the DNS
server seeing the inbound traffic? Can it talk to the outside world?

Chris.



Posted by Lars Bonnesen on April 7th, 2006



"chris" <mandrake440@nospam.hotmailDOTcom> wrote in message
news:Wxmcnb9xPtOFDavZSa8jmw@karoo.co.uk...
Used ASDM 5.0 to configure it.

I tried this (show running config):

dns retries 2
dns timeout 2
dns domain-lookup outside
dns domain-lookup inside
dns name-server a.b.c.d

(a.b.c.d is internal DNS server)

It did not work.

Then tried:

static (inside,outside) tcp q.w.e.r domain a.b.c.d domain netmask 255.255.255.255
static (inside,outside) udp q.w.e.r domain a.b.c.d domain netmask 255.255.255.255

q.w.e.r is the public IP of the internal DNS.

Also did a security policy, but it does not show up in the access list.

No.

Yes. The problem is the config on the Cisco.

Regards, Lars.



Posted by chris on April 7th, 2006



"Lars Bonnesen" <none@none.זרו> wrote in message
news:4436d391$0$889$edfadb0f@dread14.news.tele.dk...
Nothing to do with allowing inbound DNS queries to your server!

If you are port forwarding from your external IP address to the DNS server
then I think that you are supposed to use the keyword "interface" rather
than the external IP address.

If it doesn't show up in the access list then the chances are that it isn't
in there, therefore no traffic to your server!




Posted by Lars Bonnesen on April 8th, 2006



"chris" <mandrake440@nospam.hotmailDOTcom> wrote in message
news:3FqdnZi7S7DNfqvZSa8jmw@karoo.co.uk...
What is it used for then?

I have several IP addresses. If I use "interface" - how can the Cisco then
know which IP address to use?

You are right - but why does it not show up? The policy is created in ASDM
and I did an "apply" - and I can still see them in ASDM. Could it be that
the Cisco does not allow it to be created because some proxy is doing the
DNS job?

Regards, Lars.



Posted by Lars Bonnesen on April 8th, 2006



"Lars Bonnesen" <none@none.זרו> wrote in message
news:44376350$0$849$edfadb0f@dread14.news.tele.dk...
Sorry - it is in fact listed in the access list:

access-list OUTSIDEIN extended permit tcp any eq domain host z.x.c.v eq domain
access-list OUTSIDEIN extended permit udp any eq domain host z.x.c.v eq domain

But it is listed with the public IP - I was looking for a private IP,
because the policy in ASDM was created from any outside to localIP inside.

Why isn't it working?

Regards, Lars.




Posted by chris on April 8th, 2006



"Lars Bonnesen" <none@none.זרו> wrote in message
news:44376350$0$849$edfadb0f@dread14.news.tele.dk...

DNS resolution for the Pix.




Because you are specifying the *internal* IP address in the static. The
"interface" keyword is for when you are port forwarding from the *external*
interface IP address.

I.e. if I have a web server on 192.168.10.1 and a mail server on 192.168.10.2
then I might use ..

static (inside,outside) tcp interface 80 192.168.10.1 80 netmask 255.255.255.255

static (inside,outside) tcp interface 25 192.168.10.2 25 netmask 255.255.255.255

Requests to the external IP address on port 80 would go to .1 and requests to
the same external IP address on port 25 would go to .2

Chris.
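The point Chris makes above (the static names the real inside address, while an access list applied to the outside interface on this ASA generation must permit the mapped public address, or the outside interface's own address when the static uses the "interface" keyword) is easy to get wrong when the rule is built in a GUI. The following is an added example, not code from the thread or from Cisco: a small Python lint that parses the pre-8.3 `static`/`access-list`/`access-group` forms shown in this thread (only those simple forms; the regexes are not a full ASA config parser) and reports whether a published service lines up. The addresses are constructed placeholders from the RFC 5737 documentation ranges, not the poster's. It also flags an ACL line whose source port is pinned to 53, because resolvers send queries from ephemeral source ports and such a line matches almost none of them.

```python
import re

# Constructed sample config modelled on the thread's lines (RFC 5737 placeholder addresses).
# 198.51.100.10 plays the public (mapped) address, 192.0.2.10 the internal DNS server.
SAMPLE_CONFIG = """
static (inside,outside) tcp 198.51.100.10 domain 192.0.2.10 domain netmask 255.255.255.255
static (inside,outside) udp 198.51.100.10 domain 192.0.2.10 domain netmask 255.255.255.255
access-list OUTSIDEIN extended permit tcp any eq domain host 198.51.100.10 eq domain
access-list OUTSIDEIN extended permit udp any host 198.51.100.10 eq domain
access-group OUTSIDEIN in interface outside
"""
# Same config with the mistake discussed in the thread: the ACL names the real inside address.
MISTAKEN_CONFIG = SAMPLE_CONFIG.replace("host 198.51.100.10", "host 192.0.2.10")

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) netmask \S+$"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
    r"(?P<src>any|host \S+)(?: eq (?P<sport>\S+))? host (?P<dst>\S+) eq (?P<dport>\S+)$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")

PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25}  # the ASA port keywords used here


def port_number(token):
    """Resolve an ASA port keyword or numeric port to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text):
    """Collect statics, ACL entries and access-group bindings from the config text."""
    statics, acls, groups = [], [], {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            d = m.groupdict()
            d["mapped_port"], d["real_port"] = port_number(d["mapped_port"]), port_number(d["real_port"])
            statics.append(d)
        elif m := ACL_RE.match(line):
            d = m.groupdict()
            d["sport"] = port_number(d["sport"]) if d["sport"] else None
            d["dport"] = port_number(d["dport"])
            acls.append(d)
        elif m := GROUP_RE.match(line):
            groups[m["name"]] = m["iface"]
    return statics, acls, groups


def check_inbound_service(text, real_ip, port, outside_ip=None):
    """Return findings for a service on real_ip:port published by a static port forward.
    An empty list means static, ACL and access-group agree for both tcp and udp.
    outside_ip resolves the "interface" keyword when a static uses it."""
    statics, acls, groups = parse_config(text)
    findings = []
    for proto in ("tcp", "udp"):
        st = [s for s in statics if s["proto"] == proto
              and s["real_ip"] == real_ip and s["real_port"] == port]
        if not st:
            findings.append(f"{proto}: no static port forward for {real_ip}:{port}")
            continue
        mapped_if = st[0]["mapped_if"]
        mapped_ip = st[0]["mapped_ip"]
        if mapped_ip == "interface":
            mapped_ip = outside_ip or "interface"
        # Pre-8.3 ASA: an ACL on the mapped-side interface matches the mapped (public) address.
        rules = [a for a in acls if a["proto"] == proto and a["dport"] == port
                 and groups.get(a["name"]) == mapped_if]
        if not any(r["dst"] == mapped_ip for r in rules):
            if any(r["dst"] == real_ip for r in rules):
                findings.append(f"{proto}: ACL permits the real address {real_ip}, "
                                f"but inbound traffic arrives for {mapped_ip}")
            else:
                findings.append(f"{proto}: no ACL applied to {mapped_if} permits {mapped_ip}:{port}")
            continue
        for r in rules:
            if r["dst"] == mapped_ip and r["sport"] is not None:
                findings.append(f"{proto}: ACL pins the source port to {r['sport']}; resolvers use "
                                f"ephemeral source ports, so most queries will not match")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("mistaken", MISTAKEN_CONFIG)):
        print(label, check_inbound_service(cfg, "192.0.2.10", 53) or ["ok"])
```

Run it against a `show running-config` saved to a file by passing the file's contents as `text`; anything it prints is a mismatch between the three pieces, which is exactly what the firewall log would otherwise be the first to tell you.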



Posted by chris on April 8th, 2006



Because traffic from the outside will be sent to the public IP, not the
private one!




Maybe the IP's are wrong? Maybe the DNS server isn't set up to accept
external queries? Maybe the access list isn't applied to the interface?

You really need to look at the logging on the firewall when you try external
access to the DNS server. if traffic is being dropped by the ACL then you'll
see that in the logs.

What's the IP address of your external interface?

Chris.
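Chris's advice above is to watch the firewall log while testing, since an ACL drop shows up there. As an added example (not from the thread, and not a Cisco tool), here is a Python triage helper that reads syslog lines, picks out the ASA's `%ASA-4-106023` access-group deny messages aimed at port 53, and tallies them per protocol, ACL and destination, along with the source ports seen. The log lines are constructed samples that approximate the 106023 format rather than a capture from a real device; the addresses are RFC 5737 placeholders. The source-port tally is there because it shows at a glance whether the dropped queries came from ephemeral ports, which tells you whether an ACL that expects a source port of 53 is the reason for the drops.

```python
import re
from collections import Counter

# Constructed sample syslog lines approximating %ASA-4-106023 (ACL deny) and
# %ASA-6-302015 (connection built); RFC 5737 placeholder addresses throughout.
SAMPLE_LOG = """\
Apr  8 2006 10:01:02 asa %ASA-4-106023: Deny udp src outside:203.0.113.5/51234 dst inside:198.51.100.10/53 by access-group "OUTSIDEIN" [0x0, 0x0]
Apr  8 2006 10:01:03 asa %ASA-4-106023: Deny tcp src outside:203.0.113.5/40211 dst inside:198.51.100.10/53 by access-group "OUTSIDEIN" [0x0, 0x0]
Apr  8 2006 10:01:05 asa %ASA-6-302015: Built inbound UDP connection 1234 for outside:203.0.113.7/33001 (203.0.113.7/33001) to inside:192.0.2.10/53 (198.51.100.10/53)
Apr  8 2006 10:01:09 asa %ASA-4-106023: Deny udp src outside:203.0.113.9/53 dst inside:198.51.100.10/53 by access-group "OUTSIDEIN" [0x0, 0x0]
Apr  8 2006 10:01:11 asa %ASA-4-106023: Deny tcp src outside:203.0.113.9/44444 dst inside:198.51.100.10/25 by access-group "OUTSIDEIN" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


def summarize_dns_denies(log_text, dns_port=53):
    """Return (denies, src_ports): denies counts 106023 drops to dns_port keyed by
    (protocol, ACL name, destination address); src_ports counts the source ports seen."""
    denies, src_ports = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or int(m["dport"]) != dns_port:
            continue  # not an ACL deny, or not aimed at the DNS port
        denies[(m["proto"], m["acl"], m["dip"])] += 1
        src_ports[int(m["sport"])] += 1
    return denies, src_ports


def ephemeral_fraction(src_ports):
    """Share of dropped queries that came from an ephemeral (>= 1024) source port."""
    total = sum(src_ports.values())
    if total == 0:
        return 0.0
    return sum(n for port, n in src_ports.items() if port >= 1024) / total


if __name__ == "__main__":
    denies, src_ports = summarize_dns_denies(SAMPLE_LOG)
    for (proto, acl, dip), n in sorted(denies.items()):
        print(f"{n:4d} x {proto} to {dip}:53 dropped by {acl}")
    print(f"ephemeral source ports: {ephemeral_fraction(src_ports):.0%}")
```

Feed it `show logging` output or the syslog file the ASA sends to; a high ephemeral fraction with drops by the DNS ACL points at the ACL, whereas no 106023 lines at all while queries still fail means the traffic is not reaching the firewall or the server is not answering, which were the other two possibilities Chris listed.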



Posted by Lars Bonnesen on April 8th, 2006



"chris" <mandrake440@nospam.hotmailDOTcom> wrote in message
news:lJecnbt9h-sR56rZSa8jmw@karoo.co.uk...
My god, how dumb I am.... I didn't allow outgoing DNS lookup to that address
from the LAN I am sitting on (another one). The Cisco config is working
correctly.

Sorry for the inconvenience and thank you for trying...



Posted by chris on April 8th, 2006



"Lars Bonnesen" <none@none.זרו> wrote in message
news:44378374$0$914$edfadb0f@dread14.news.tele.dk...
Glad to hear that it's working. The answer is usually something simple ;-)

Chris.