Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4555
  • Last Modified:

Cisco ASA5505 - Ping Hostname

Hi,

How do I enable my ASA5505 to ping external hostnames? Pinging IPs is fine. ie.

FW-5505-01# ping www.google.co.uk
                               ^
ERROR: % Invalid Hostname

dns domain-lookup Outside is enabled as well as DNS servers and ISP Domain name.

Thanks.
0
MrPrince
Asked:
MrPrince
  • 5
  • 4
1 Solution
 
Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
It should work fine if you have
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server x.x.x.x

you can debug dns queries by entering debug dns 1 or debug dns 2
0
 
Pete LongTechnical ConsultantCommented:
0
 
MrPrinceAuthor Commented:
My config for that is currently:

dns domain-lookup Outside
dns server-group ISP_DNS_Servers
 name-server xxx.xxx.xxx.xxx [actual DNS server]
 name-server xxx.xxx.xxx.xxx [actual DNS server]
 domain-name xxxxxx.net [actual ISP domian name]

Must I use dns server-group DefaultDNS?

Thanks.
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
no you don't. what about a debug dns 2? where you able to run this debug?
0
 
MrPrinceAuthor Commented:
Unit is at home, so will try then and get back.

Thanks.
0
 
MrPrinceAuthor Commented:
OK, I turned on debugging for DNS and tried a ping again. This is what I got:

FW-5505-01# ping www.google.co.uk
DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No Context name servers defined
DNS: get global group DefaultDNS handle 1533b4d
                 ^
ERROR: % Invalid Hostname
FW-5505-01# DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No Context name servers defined

I then deleted my old DNS Server-Group since it looks like it was looking for DefaultDNS and added a new one in called DefaultDNS and tried again. This is what I got:

DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response

Strange my clients can resolve hostnames but my ASA can't. Here's the relavant section of my outbound ACL concerning DNS.

object-group network ISP_DNS_Servers
 network-object 64.59.114.18 255.255.255.255
 network-object 64.59.114.19 255.255.255.255

access-list Outbound remark Allow DNS
access-list Outbound extended permit udp 10.1.5.0 255.255.255.248 object-group ISP_DNS_Servers eq domain

Points upped. Thanks.
0
 
Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
I am not sure but it can be an acl blocking traffic. I am running the same dns config on my lab without any problem so I am assuming it is not a config problem.
0
 
MrPrinceAuthor Commented:
Could it by due to a policy map? My config for that is:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Is there anything I need to do to my ACLs to allow traffic outbound from the FW itself?
0
 
Ilir MitrushiIT Infrastructure and Security ArchitectCommented:
You can try and remove this policy map in order to see the result although this policy will affect all traffic and you are saying that PCs behind ASA can resolve names correctly. I am assuming that you have not changed default settings for management access ACL and it works fine with default settings. Can you post complete config so we can have a look? Also you can run the packet capture tool and use a network analyzer to see in details what is going on with dns queries originating from the outside interface.
0
 
MrPrinceAuthor Commented:
Hi, thanks for the info. Problem turned out to be one hop along at the perimeter router. I noticed NAT wasn't properly working so the packets weren't traversing the Internet properly. Fixed the issue and now the FW is ping with IPs and Hostnames.

Im splitting the points since your suggestions did lead to the eventual fix.

Cheers.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now