I have a DNS server behind a Cisco ASA firewall. The Cisco firewall is performing NAT. When inside the network, I can NSLOOKUP directly to the server. When the client is external, requests time out.
Assuming the internal IP address of the DNS server is 10.0.0.10 and the public IP address is 1.2.3.4:
My relevant configs:
object network NS1_SERVVE_COM_dns
 host 10.0.0.10
access-list outside_in extended permit tcp any object NS1_SERVVE_COM_dns eq domain
object network NS1_SERVVE_COM_dns
 nat (inside,outside) static 1.2.3.4 service tcp domain domain
I also entered the following to allow Active Directory to resolve internet names:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 8192
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
I have tried changing TCP to UDP, but the result is the same. Any thoughts?
firewall# packet-tracer input outside tcp 4.2.2.1 domain 1.2.3.4 domai$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NS1_SERVVE_COM_dns
 nat (inside,outside) static 1.2.3.4 service tcp domain domain
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/53 to 10.0.0.10/53

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any object NS1_SERVVE_COM_dns eq domain
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network NS1_SERVVE_COM_dns
 nat (inside,outside) static 1.2.3.4 service tcp domain domain
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7845414, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow