Cisco-ASA 5505, Basic firewall setup

Posted on 2009-02-10
Last Modified: 2012-06-22
We have a small network with a Windows Server 2008 server; the Windows server is the network DNS and DHCP server. We used to use a D-Link router for connecting the network to the Internet and everything was working fine: in Windows Server I had the router as gateway and turned off the DNS and DHCP on the router. We replaced the router with a Cisco ASA 5505 for better security, but the Internet from the office doesn't work. Although I don't want DNS on the firewall, just for a test I added the ISP DNS servers to the firewall; then the Internet started working but it acts strange: it can connect to some web sites but cannot find other sites. It seems like a DNS problem. What should I do?
It seems that if I don't have DNS on the firewall, the firewall blocks my Windows server from connecting to remote DNS, and if I add the DNS, it somehow conflicts with Windows DNS and cannot resolve some addresses. I don't want any DNS setting on the firewall; I just want the firewall to let the Windows DNS requests through.
Please let me know if you need any more info, I included the Firewall configuration in the code part.
Thank you in advance - Sasan
ASA Version 8.0(4)

hostname ciscoasa

enable password XXXXXXXXXXXXX encrypted
passwd XXXXX.2KYOU encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS

access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end


Question by:esasan

Accepted Solution

Get rid of these:

access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

The ASA by default allows all traffic inside>out unless blocked by access lists.
I see many issues with the access-group inside command like you are having.

Generally, you don't need to specify Internet servers in the ASA, so first remove the above access-lists and try.
Generally, if the inside hosts point to a DNS server in their configuration, whether from DNS forwarders in the internal DNS server or on their NIC configuration, then the external DNS server IPs should not be necessary in the ASA.
As long as there are no access-lists blocking outbound traffic, you should be fine.

It is rare you need to open UDP port 53 from outside>inside on the ASA for this issue.

Author Closing Comment

Before I read your comment, I did the following:
1. Removed all DNS entries from the ASA.
2. Activated DNS lookup on the outside interface.
3. Added a static route to the ISP gateway address X.X.X.X and subnet.
After that it seems everything is working fine.
Thanks for your response.
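As an added illustration of the accepted answer (this is not code from the thread), a small Python audit over the DNS-relevant lines of the posted config: it flags the ACL bound inbound on the inside interface, and as a further caveat it reads the cap of the DNS inspection map that global_policy actually applies, since the ASA drops DNS messages longer than that cap and a 512-byte cap can make some names resolve while others fail. The sample config and all function names are my own.

```python
import re
from typing import List, Optional

# Constructed sample: the DNS-relevant lines of the config posted in the question.
SAMPLE_CONFIG = """\
dns domain-lookup inside
dns domain-lookup outside
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
"""

def dns_inspect_max_length(config: str) -> Optional[int]:
    """Cap of the DNS inspect map that global_policy applies; None if no DNS inspection."""
    ref = re.search(r"^\s+inspect dns (\S+)", config, re.M)
    if not ref:
        return None
    # Grab the indented body of the matching 'policy-map type inspect dns <name>' block.
    block = re.search(r"^policy-map type inspect dns %s\n((?:[ \t].*\n?)*)"
                      % re.escape(ref.group(1)), config, re.M)
    cap = re.search(r"message-length maximum (\d+)", block.group(1)) if block else None
    return int(cap.group(1)) if cap else None

def audit_asa_dns(config: str) -> List[str]:
    """Flag the settings discussed in the thread that affect outbound DNS."""
    findings = []
    # 1. An ACL bound inbound on 'inside' replaces the default permit-all for
    #    inside->outside traffic; the accepted answer is to remove it.
    for m in re.finditer(r"^access-group (\S+) in interface inside", config, re.M):
        findings.append(f"ACL {m.group(1)} applied inbound on inside")
    # 2. DNS inspection drops messages longer than the cap. EDNS0 responses often
    #    exceed 512 bytes, so a 512-byte cap resolves some names but not others.
    cap = dns_inspect_max_length(config)
    if cap is not None and cap <= 512:
        findings.append(f"DNS inspection caps messages at {cap} bytes")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_dns(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run it against the output of `show running-config` saved to a file; an empty findings list means neither of the two conditions discussed above is present.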
