Cisco ASA not allowing DNS traffic to pass?
I have an ASA 5515 as my internet firewall. It is not allowing me to do NS lookups from any internal DNS servers, or clients. If I set my nslookup server to 8.8.8.8 (Google DNS), I can resolve public DNS names. If I am on the internal network, it breaks.
I have the following in my ASA:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 8192
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect ipsec-pass-thru
  inspect icmp
  inspect dns preset_dns_map
Any ideas as to why it's not working?
domain-name-system cisco-asa internal-dns
More likely the breakage is related to an ACL or NAT problem. Do you have an internal DNS server that's handling the DNS requests for the internal network now?
– Shane Madden♦
Oct 27 '14 at 17:49
My internal DNS server can resolve its records, but it cannot forward lookups. When I am in my network, I cannot look up external hosts either. I'm using the 4.2.2.1 and 8.8.8.8 DNS servers from NSLOOKUP.
– user1955162
Oct 27 '14 at 19:34
I'd guess that's a problem with firewall ACLs, then - can you provide the relevant config for those - probably an inbound rule set on the inside interface?
– Shane Madden♦
Oct 27 '14 at 20:30
It turned out to be a NAT (inside,outside) dynamic problem. Not sure how that rule disappeared on the reboot, but I guess it did. All traffic was being blocked. Thank you for the input :)
– user1955162
Oct 31 '14 at 3:05
asked Oct 27 '14 at 17:47
user1955162
1 Answer
As per the mentioned notes, when you are sending a DNS query internally, is it going through the firewall or not? If it is, run a packet-tracer for the concerned traffic and see if the traffic is getting dropped at any stage. If for any reason the ASA is dropping the traffic, collect the output of an ASP capture. The ASP capture will help us to isolate the reason why the ASA is dropping the packet.
answered Sep 14 '18 at 17:29
Shoaib Alam
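The answer above recommends running packet-tracer and reading where the flow is dropped. As an added example that is not part of the original answer and is not a Cisco tool, the Python below parses packet-tracer output, returns each phase with its verdict, and reports the first phase that returned DROP together with the Drop-reason from the final Result block. The sample output embedded in it is constructed (not captured from the asker's ASA) and assumes the usual Phase/Type/Subtype/Result layout of packet-tracer output; the ACL drop shown is only one plausible outcome, and a NAT-phase drop like the one the asker eventually found parses the same way.

```python
"""Parse Cisco ASA packet-tracer output and locate the phase that drops a flow.

Added example, not code from the original question or answer. SAMPLE_TRACE is a
CONSTRUCTED approximation of what
    packet-tracer input inside udp 10.0.0.25 53000 8.8.8.8 53
might print when nothing on the inside interface permits the DNS query; it is
not real device output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not real device output).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str                      # ALLOW or DROP as printed by the ASA
    config: List[str] = field(default_factory=list)  # lines under "Config:"


@dataclass
class TraceSummary:
    phases: List[Phase]
    action: str                      # value of "Action:" in the final block
    drop_reason: Optional[str]       # value of "Drop-reason:", if any
    first_drop: Optional[Phase]      # first phase whose Result is DROP


def parse_packet_tracer(text: str) -> TraceSummary:
    """Split the trace into blank-line-separated blocks and parse each one."""
    phases: List[Phase] = []
    action = ""
    drop_reason: Optional[str] = None
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            number = int(lines[0].split(":", 1)[1])
            fields = {"Type": "", "Subtype": "", "Result": ""}
            config: List[str] = []
            section = None           # None until "Config:" / "Additional Information:"
            for line in lines[1:]:
                key, sep, value = line.partition(":")
                if sep and key in fields and section is None:
                    fields[key] = value.strip()
                elif line.startswith("Config:"):
                    section = "config"
                elif line.startswith("Additional Information:"):
                    section = "info"
                elif section == "config" and line.strip():
                    config.append(line.strip())
            phases.append(Phase(number, fields["Type"], fields["Subtype"],
                                fields["Result"], config))
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, value = line.partition(":")
                if key == "Action":
                    action = value.strip()
                elif key == "Drop-reason":
                    drop_reason = value.strip()
    first_drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    return TraceSummary(phases, action, drop_reason, first_drop)


def explain(summary: TraceSummary) -> str:
    """One-line verdict naming the dropping phase, suitable for a ticket note."""
    if summary.first_drop is None:
        return "Action: %s; no phase dropped the packet" % summary.action
    p = summary.first_drop
    where = "Phase %d (%s%s)" % (p.number, p.type, " / " + p.subtype if p.subtype else "")
    return "Action: %s at %s: %s" % (
        summary.action, where, summary.drop_reason or "no drop reason given")


if __name__ == "__main__":
    summary = parse_packet_tracer(SAMPLE_TRACE)
    for p in summary.phases:
        print("Phase %d %-12s %s" % (p.number, p.type, p.result))
    print(explain(summary))
```

Paste the real packet-tracer output in place of SAMPLE_TRACE; the phase that flips to DROP (ACCESS-LIST, NAT, and so on) is where to look in the configuration, and the Drop-reason text is the same string an ASP drop capture reports for that flow.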