Cisco-ASA 5505, Basic firewall setup

esasan asked
Medium Priority
Last Modified: 2012-06-22
We have a small network with a Windows Server 2008 server; the Windows server is the network DNS and DHCP server. We used to use a D-Link router for connecting the network to the Internet and everything was working fine; in Windows Server I had the router as gateway and turned off the DNS and DHCP on the router. We replaced the router with a Cisco ASA 5505 for better security, but the Internet from the office doesn't work. Although I don't want DNS on the firewall, just for a test I added the ISP DNS servers to the firewall; then the Internet started working, but it acts strange: it can connect to some web sites but it cannot find other sites. It seems like a DNS problem; what should I do?
It seems that if I don't have DNS on the firewall, the firewall blocks my Windows server from connecting to remote DNS, and if I add the DNS, it somehow conflicts with Windows DNS and somehow cannot resolve some addresses. I don't want any DNS settings on the firewall; I just want the firewall to let the Windows DNS requests through.
Please let me know if you need any more info. I included the firewall configuration in the code part.
Thank you in advance - Sasan
ASA Version 8.0(4) 
hostname ciscoasa
domain-name disternetdomain.com
enable password XXXXXXXXXXXXX encrypted
passwd XXXXX.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name disternetdomain.com
access-list inside_access_in extended permit ip any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end

Get rid of these:

access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

The ASA by default allows all traffic inside > outside unless it is blocked by access lists.
I see many issues with the access-group inside command like the one you are having.

Generally, you don't need to specify Internet servers in the ASA, so first remove the above access-lists and try.
Generally, if the inside hosts point to a DNS server in their configuration, whether from DNS forwarders in the internal DNS server or on their NIC configuration, then the external DNS server IPs should not be necessary in the ASA.
As long as there are no access-lists blocking outbound traffic, you should be fine.

It is rare that you need to open UDP port 53 from outside > inside on the ASA for this issue.
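As an added illustration (this is not part of the expert's answer or the asker's posted config), here is what removing the two lines looks like on the ASA 8.0 CLI, followed by an optional explicit outbound policy for an administrator who would rather keep a restrictive inside ACL than rely on the default inside > outside behaviour. The addresses are assumptions: 192.168.1.0/24 for the inside LAN and 192.168.1.10 for the Windows Server 2008 DNS/DHCP box; the asker's real inside address is blank in the posted config.

```text
! Added example, not from the original post. Assumed addresses:
!   192.168.1.0/24  = inside LAN
!   192.168.1.10    = Windows Server 2008 (internal DNS + DHCP)
!
! 1. Remove the redundant "permit ip any any" ACL the answer refers to.
!    With no ACL bound to inside, the ASA falls back to its default:
!    the higher security-level interface (inside, 100) may initiate
!    connections to the lower one (outside, 0), and replies are allowed
!    back by the stateful connection table.
no access-group inside_access_in in interface inside
clear configure access-list inside_access_in
!
! 2. Optional least-privilege alternative. Only the internal DNS server
!    needs to reach resolvers on the Internet (its forwarders or root
!    hints); every other host resolves through it, so a client that is
!    pointed at an outside resolver by mistake is denied and logged.
access-list inside_out remark DNS: only the internal DNS server may query outside
access-list inside_out extended permit udp host 192.168.1.10 any eq domain
access-list inside_out extended permit tcp host 192.168.1.10 any eq domain
access-list inside_out remark Web browsing and NTP for the whole LAN
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any eq ntp
access-list inside_out remark Explicit deny with logging; the implicit deny would drop it silently
access-list inside_out extended deny ip any any log
access-group inside_out in interface inside
!
! 3. Check: per-ACE hit counts show which rule the traffic is matching.
!    If the DNS server's queries hit the deny line, the ACL is the problem.
show access-list inside_out
```

Two points worth keeping in mind with either variant. The `dns domain-lookup` and `dns server-group DefaultDNS` lines in the posted config only govern name resolution performed by the ASA itself (for its own commands and logging), not DNS packets that transit the box, so adding or removing the ISP resolvers there does not by itself open or close port 53 for the Windows server; the ACL and the default interface behaviour do. And ACEs are evaluated in order with first match, so the `deny ip any any log` line must stay last; inserting a permit after it has no effect.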


Before I read your comment, I did the following:
1. Removed all DNS entries from the ASA.
2. Activated DNS lookup on the outside interface.
3. Added a static route to the ISP gateway address X.X.X.X and subnet.
After that it seems everything is working fine.
Thanks for your response,