Solved

Cisco ASA5505 - Ping Hostname

Posted on 2009-04-08
10
3,742 Views
Last Modified: 2012-05-06
Hi,

How do I enable my ASA5505 to ping external hostnames? Pinging IPs is fine. ie.

FW-5505-01# ping www.google.co.uk
                               ^
ERROR: % Invalid Hostname

dns domain-lookup Outside is enabled as well as DNS servers and ISP Domain name.

Thanks.
0
Comment
Question by:MrPrince
  • 5
  • 4
10 Comments
 
LVL 7

Expert Comment

by:mitrushi
Comment Utility
It should work fine if you have
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server x.x.x.x

you can debug dns queries by entering debug dns 1 or debug dns 2
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
0
 

Author Comment

by:MrPrince
Comment Utility
My config for that is currently:

dns domain-lookup Outside
dns server-group ISP_DNS_Servers
 name-server xxx.xxx.xxx.xxx [actual DNS server]
 name-server xxx.xxx.xxx.xxx [actual DNS server]
 domain-name xxxxxx.net [actual ISP domian name]

Must I use dns server-group DefaultDNS?

Thanks.
0
 
LVL 7

Expert Comment

by:mitrushi
Comment Utility
no you don't. what about a debug dns 2? where you able to run this debug?
0
 

Author Comment

by:MrPrince
Comment Utility
Unit is at home, so will try then and get back.

Thanks.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:MrPrince
Comment Utility
OK, I turned on debugging for DNS and tried a ping again. This is what I got:

FW-5505-01# ping www.google.co.uk
DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No Context name servers defined
DNS: get global group DefaultDNS handle 1533b4d
                 ^
ERROR: % Invalid Hostname
FW-5505-01# DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No Context name servers defined

I then deleted my old DNS Server-Group since it looks like it was looking for DefaultDNS and added a new one in called DefaultDNS and tried again. This is what I got:

DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response

Strange my clients can resolve hostnames but my ASA can't. Here's the relavant section of my outbound ACL concerning DNS.

object-group network ISP_DNS_Servers
 network-object 64.59.114.18 255.255.255.255
 network-object 64.59.114.19 255.255.255.255

access-list Outbound remark Allow DNS
access-list Outbound extended permit udp 10.1.5.0 255.255.255.248 object-group ISP_DNS_Servers eq domain

Points upped. Thanks.
0
 
LVL 7

Expert Comment

by:mitrushi
Comment Utility
I am not sure but it can be an acl blocking traffic. I am running the same dns config on my lab without any problem so I am assuming it is not a config problem.
0
 

Author Comment

by:MrPrince
Comment Utility
Could it by due to a policy map? My config for that is:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Is there anything I need to do to my ACLs to allow traffic outbound from the FW itself?
0
 
LVL 7

Accepted Solution

by:
mitrushi earned 75 total points
Comment Utility
You can try and remove this policy map in order to see the result although this policy will affect all traffic and you are saying that PCs behind ASA can resolve names correctly. I am assuming that you have not changed default settings for management access ACL and it works fine with default settings. Can you post complete config so we can have a look? Also you can run the packet capture tool and use a network analyzer to see in details what is going on with dns queries originating from the outside interface.
0
 

Author Comment

by:MrPrince
Comment Utility
Hi, thanks for the info. Problem turned out to be one hop along at the perimeter router. I noticed NAT wasn't properly working so the packets weren't traversing the Internet properly. Fixed the issue and now the FW is ping with IPs and Hostnames.

Im splitting the points since your suggestions did lead to the eventual fix.

Cheers.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now