Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ASA5505 - Ping Hostname

Posted on 2009-04-08
10
Medium Priority
?
4,434 Views
Last Modified: 2012-05-06
Hi,

How do I enable my ASA5505 to ping external hostnames? Pinging IPs is fine. ie.

FW-5505-01# ping www.google.co.uk
                               ^
ERROR: % Invalid Hostname

dns domain-lookup Outside is enabled as well as DNS servers and ISP Domain name.

Thanks.
0
Comment
Question by:MrPrince
  • 5
  • 4
10 Comments
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24095073
It should work fine if you have
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server x.x.x.x

you can debug dns queries by entering debug dns 1 or debug dns 2
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 24095336
0
 

Author Comment

by:MrPrince
ID: 24100672
My config for that is currently:

dns domain-lookup Outside
dns server-group ISP_DNS_Servers
 name-server xxx.xxx.xxx.xxx [actual DNS server]
 name-server xxx.xxx.xxx.xxx [actual DNS server]
 domain-name xxxxxx.net [actual ISP domian name]

Must I use dns server-group DefaultDNS?

Thanks.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24100749
no you don't. what about a debug dns 2? where you able to run this debug?
0
 

Author Comment

by:MrPrince
ID: 24101711
Unit is at home, so will try then and get back.

Thanks.
0
 

Author Comment

by:MrPrince
ID: 24104041
OK, I turned on debugging for DNS and tried a ping again. This is what I got:

FW-5505-01# ping www.google.co.uk
DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No Context name servers defined
DNS: get global group DefaultDNS handle 1533b4d
                 ^
ERROR: % Invalid Hostname
FW-5505-01# DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No Context name servers defined

I then deleted my old DNS Server-Group since it looks like it was looking for DefaultDNS and added a new one in called DefaultDNS and tried again. This is what I got:

DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response

Strange my clients can resolve hostnames but my ASA can't. Here's the relavant section of my outbound ACL concerning DNS.

object-group network ISP_DNS_Servers
 network-object 64.59.114.18 255.255.255.255
 network-object 64.59.114.19 255.255.255.255

access-list Outbound remark Allow DNS
access-list Outbound extended permit udp 10.1.5.0 255.255.255.248 object-group ISP_DNS_Servers eq domain

Points upped. Thanks.
0
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24109696
I am not sure but it can be an acl blocking traffic. I am running the same dns config on my lab without any problem so I am assuming it is not a config problem.
0
 

Author Comment

by:MrPrince
ID: 24111543
Could it by due to a policy map? My config for that is:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Is there anything I need to do to my ACLs to allow traffic outbound from the FW itself?
0
 
LVL 7

Accepted Solution

by:
Ilir Mitrushi earned 300 total points
ID: 24113747
You can try and remove this policy map in order to see the result although this policy will affect all traffic and you are saying that PCs behind ASA can resolve names correctly. I am assuming that you have not changed default settings for management access ACL and it works fine with default settings. Can you post complete config so we can have a look? Also you can run the packet capture tool and use a network analyzer to see in details what is going on with dns queries originating from the outside interface.
0
 

Author Comment

by:MrPrince
ID: 24130999
Hi, thanks for the info. Problem turned out to be one hop along at the perimeter router. I noticed NAT wasn't properly working so the packets weren't traversing the Internet properly. Fixed the issue and now the FW is ping with IPs and Hostnames.

Im splitting the points since your suggestions did lead to the eventual fix.

Cheers.
0

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month10 days, 17 hours left to enroll

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question