Solved

Cisco ASA5505 - Ping Hostname

Posted on 2009-04-08
10
4,143 Views
Last Modified: 2012-05-06
Hi,

How do I enable my ASA5505 to ping external hostnames? Pinging IPs is fine. ie.

FW-5505-01# ping www.google.co.uk
                               ^
ERROR: % Invalid Hostname

dns domain-lookup Outside is enabled as well as DNS servers and ISP Domain name.

Thanks.
0
Comment
Question by:MrPrince
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24095073
It should work fine if you have
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server x.x.x.x

you can debug dns queries by entering debug dns 1 or debug dns 2
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 24095336
0
 

Author Comment

by:MrPrince
ID: 24100672
My config for that is currently:

dns domain-lookup Outside
dns server-group ISP_DNS_Servers
 name-server xxx.xxx.xxx.xxx [actual DNS server]
 name-server xxx.xxx.xxx.xxx [actual DNS server]
 domain-name xxxxxx.net [actual ISP domian name]

Must I use dns server-group DefaultDNS?

Thanks.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24100749
no you don't. what about a debug dns 2? where you able to run this debug?
0
 

Author Comment

by:MrPrince
ID: 24101711
Unit is at home, so will try then and get back.

Thanks.
0
 

Author Comment

by:MrPrince
ID: 24104041
OK, I turned on debugging for DNS and tried a ping again. This is what I got:

FW-5505-01# ping www.google.co.uk
DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No Context name servers defined
DNS: get global group DefaultDNS handle 1533b4d
                 ^
ERROR: % Invalid Hostname
FW-5505-01# DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No Context name servers defined

I then deleted my old DNS Server-Group since it looks like it was looking for DefaultDNS and added a new one in called DefaultDNS and tried again. This is what I got:

DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: get global group DefaultDNS handle 1533b4d
DNS: Resolve request for 'www.google.co.uk' group DefaultDNS
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response
DNS: No response

Strange my clients can resolve hostnames but my ASA can't. Here's the relavant section of my outbound ACL concerning DNS.

object-group network ISP_DNS_Servers
 network-object 64.59.114.18 255.255.255.255
 network-object 64.59.114.19 255.255.255.255

access-list Outbound remark Allow DNS
access-list Outbound extended permit udp 10.1.5.0 255.255.255.248 object-group ISP_DNS_Servers eq domain

Points upped. Thanks.
0
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24109696
I am not sure but it can be an acl blocking traffic. I am running the same dns config on my lab without any problem so I am assuming it is not a config problem.
0
 

Author Comment

by:MrPrince
ID: 24111543
Could it by due to a policy map? My config for that is:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Is there anything I need to do to my ACLs to allow traffic outbound from the FW itself?
0
 
LVL 7

Accepted Solution

by:
Ilir Mitrushi earned 75 total points
ID: 24113747
You can try and remove this policy map in order to see the result although this policy will affect all traffic and you are saying that PCs behind ASA can resolve names correctly. I am assuming that you have not changed default settings for management access ACL and it works fine with default settings. Can you post complete config so we can have a look? Also you can run the packet capture tool and use a network analyzer to see in details what is going on with dns queries originating from the outside interface.
0
 

Author Comment

by:MrPrince
ID: 24130999
Hi, thanks for the info. Problem turned out to be one hop along at the perimeter router. I noticed NAT wasn't properly working so the packets weren't traversing the Internet properly. Fixed the issue and now the FW is ping with IPs and Hostnames.

Im splitting the points since your suggestions did lead to the eventual fix.

Cheers.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question