

ASA 5510 - can't get to website through name but can get there with IP address - NEED HELP URGENTLY

Posted on 2009-12-29
Medium Priority
Last Modified: 2012-05-08
Hello All,

I am trying to configure an ASA 5510 with an ACL that has more control of outward flow.

The network is simple - 2811 for T1 connection to ISP. 2811 connects to ASA and for now we have 3 PCs hanging off ASA for testing.

Right now there are no ACL's applied to interfaces so everything is good in to out and vice versa!

I had tried to lock down the ASA box using a pretty detailed ACL going from INSIDE to OUT, and for simplicity just had an ACL on OUTSIDE coming IN as permit any any.

There are some remote apps that this customer needs to access, so the INSIDE_OUT ACL has some allowing those specific ports...

When I initially applied the INSIDE_OUT ACL together with the OUTSIDE_IN - everything appeared to work well... Users could access the remote apps

Trouble started when I tried to open IE and browse to www.cisco.com
The PC could not resolve to this address. But when I pasted in the IP address, it works fine.
I tried to change the PC's LAN settings to have the DNS be (Public internet) but it made no difference.

I have pasted the config as it sits right now, I tried to play with the DNS settings - so the config may be wrong.

Could someone help me with why the PC cannot resolve against the when it can ping and therefore what would be the correct config?

Going forward they would like to have their Domain Controller added to this test network. In that scenario, would there be additional configuration on the ASA that I would need to do?

note ** I did try and add DNS entries to the ACL... so they may be wrong too.

Any help is seriously appreciated..

Note that I have taken off the ACL from the interface...

.ASA-5510-BR***# sh run
: Saved
ASA Version 8.2(1)
hostname ASA-5510-BR****
domain-name br********.org
enable password ********m encrypted
passwd ******** encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 security-level 100
 ip address
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name br********.org
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit udp any any
access-list INSIDE_OUT extended permit tcp any any eq 17149
access-list INSIDE_OUT extended permit udp any eq 551 any eq 551
access-list INSIDE_OUT extended permit tcp any any eq 9700
access-list INSIDE_OUT extended permit tcp any any eq 5940
access-list INSIDE_OUT extended permit tcp any any eq https
access-list INSIDE_OUT extended permit tcp any any eq 444
access-list INSIDE_OUT extended permit tcp any any eq ftp
access-list INSIDE_OUT extended permit tcp any any eq ftp-data
access-list INSIDE_OUT extended permit icmp any any echo
access-list INSIDE_OUT extended permit icmp any any echo-reply
access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit tcp any range 1025 65535 any eq 551
access-list INSIDE_OUT extended permit udp any eq domain any
access-list INSIDE_OUT extended permit tcp any eq domain any
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group OUTSIDE_IN in interface outside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh inside
ssh timeout 10
console timeout 10
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username vbuendia password ********** encrypted privilege 15
username administrator password *********** encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ils
service-policy global_policy global
prompt hostname context
: end
Question by:routeswitch
LVL 57

Expert Comment

ID: 26141540
I am assuming that these two are supposed to allow dns requests out:

access-list INSIDE_OUT extended permit udp any eq domain any
access-list INSIDE_OUT extended permit tcp any eq domain any

If so you may want to replace them with:

access-list INSIDE_OUT  extended permit udp any any eq domain
access-list INSIDE_OUT  extended permit tcp any any eq domain

Typically when making a DNS query the source port is not 53, the target port is.

Author Comment

ID: 26141581
Thanks Giltjr!

Would that help the PCs behind the ASA to be able to browse to the domain names instead of the IP addresses?
Another point to add is that when I ping www.cisco.com or www.msn.com - I can see that it itself resolves the name to an IP address and then pings successfully.
Are my DNS configs correct for the PCs behind - to be able to browse normally? As mentioned before, I have already put it into the LAN settings on Windows, but am thinking something may be wrong.

Thanks Again! Help/suggestions are appreciated.
LVL 57

Accepted Solution

giltjr earned 1500 total points
ID: 26141659
That should help anything behind the firewall do name resolution.  

However, your clients should not be resolving names using DNS servers on the Internet directly. Well, I am assuming you have a Windows AD setup. Your clients/desktops should be pointing to your Windows AD DNS servers. Your Windows AD DNS servers should then be set up to forward requests for unknown domains to DNS servers on the Internet.

So ping resolves the host names, but when you use IE it can't?  That's not a firewall issue as both resolve names the same way.

Do you have a proxy server?
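To make the two points in this thread concrete (giltjr's comment that the posted DNS lines match source port 53 rather than destination port 53, and the accepted answer's recommendation that only the AD DNS servers should query the Internet), here is a small added example that is not from the thread or from Cisco: a toy evaluator for ASA "access-list ... extended" lines, run over three constructed versions of INSIDE_OUT. The 192.168.1.x hosts, the 192.168.1.5 "domain controller", and the 198.51.100.53 / 203.0.113.80 destinations are all made-up values for illustration; the parser covers only the address and port syntax that appears in the posted config.

```python
"""
Toy evaluator for Cisco ASA 'access-list NAME extended ...' lines.
Constructed for illustration; it is not ASA code and only understands
the address/port forms used in the posted INSIDE_OUT list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Port keywords seen in the posted config, mapped to their numbers.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "ftp": 21, "ftp-data": 20}


@dataclass
class Flow:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                  # ignored for icmp
    dport: int = 0                  # ignored for icmp
    icmp_type: Optional[str] = None


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport_ok: Callable[[int], bool]
    dst: ipaddress.IPv4Network
    dport_ok: Callable[[int], bool]
    icmp_type: Optional[str]
    text: str


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _ports(tok: List[str], i: int) -> Tuple[Callable[[int], bool], int]:
    """Consume an optional port operator; no operator means 'any port'."""
    if i < len(tok):
        op = tok[i]
        if op in ("eq", "neq", "gt", "lt"):
            v = _port(tok[i + 1])
            cmp = {"eq": lambda p: p == v, "neq": lambda p: p != v,
                   "gt": lambda p: p > v, "lt": lambda p: p < v}[op]
            return cmp, i + 2
        if op == "range":
            lo, hi = _port(tok[i + 1]), _port(tok[i + 2])
            return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i


def parse_acls(config: str) -> Dict[str, List[Rule]]:
    """Group 'access-list NAME extended ACTION PROTO ...' lines by NAME, in order."""
    acls: Dict[str, List[Rule]] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        name, action, proto = tok[1], tok[3], tok[4]
        src, i = _addr(tok, 5)
        if proto == "icmp":             # 'permit icmp any any echo': trailing token is the type
            dst, i = _addr(tok, i)
            itype = tok[i] if i < len(tok) else None
            rule = Rule(action, proto, src, lambda p: True, dst, lambda p: True, itype, line.strip())
        else:
            sport_ok, i = _ports(tok, i)
            dst, i = _addr(tok, i)
            dport_ok, i = _ports(tok, i)
            rule = Rule(action, proto, src, sport_ok, dst, dport_ok, None, line.strip())
        acls.setdefault(name, []).append(rule)
    return acls


def evaluate(rules: List[Rule], f: Flow) -> Tuple[str, Optional[str]]:
    """First matching line wins; the ASA's implicit deny applies when none matches."""
    s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    for r in rules:
        if r.proto not in ("ip", f.proto) or s not in r.src or d not in r.dst:
            continue
        if r.proto == "icmp" and r.icmp_type not in (None, f.icmp_type):
            continue
        if r.proto in ("tcp", "udp") and not (r.sport_ok(f.sport) and r.dport_ok(f.dport)):
            continue
        return r.action, r.text
    return "deny", None


# Constructed ACLs. ORIGINAL mirrors the posted DNS lines (source port 53);
# CORRECTED uses giltjr's lines (destination port 53); DC_ONLY lets only a
# hypothetical AD DNS server at 192.168.1.5 query the Internet.
ORIGINAL = """
access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit icmp any any echo
access-list INSIDE_OUT extended permit udp any eq domain any
access-list INSIDE_OUT extended permit tcp any eq domain any
"""
CORRECTED = """
access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit udp any any eq domain
access-list INSIDE_OUT extended permit tcp any any eq domain
"""
DC_ONLY = """
access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit udp host 192.168.1.5 any eq domain
access-list INSIDE_OUT extended permit tcp host 192.168.1.5 any eq domain
"""

# Constructed flows; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
PC_DNS = Flow("udp", "192.168.1.10", "198.51.100.53", sport=51432, dport=53)
DC_DNS = Flow("udp", "192.168.1.5", "198.51.100.53", sport=60123, dport=53)
PC_WEB = Flow("tcp", "192.168.1.10", "203.0.113.80", sport=49200, dport=80)
PC_PING = Flow("icmp", "192.168.1.10", "203.0.113.80", icmp_type="echo")


def decide(config: str, flow: Flow) -> str:
    return evaluate(parse_acls(config)["INSIDE_OUT"], flow)[0]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED), ("dc-only", DC_ONLY)):
        print(f"{label:9} PC DNS={decide(cfg, PC_DNS):6} DC DNS={decide(cfg, DC_DNS):6} "
              f"PC HTTP={decide(cfg, PC_WEB)}")
```

Running it reproduces the symptom in the question: under ORIGINAL the HTTP flow is permitted (so browsing by IP works) while the client's DNS query, which leaves from an ephemeral port and targets port 53, falls through to the implicit deny; the original lines would only match a packet whose source port is 53, i.e. the resolver's reply, which the ASA already handles statefully. CORRECTED permits the query, and DC_ONLY shows the shape the list takes once clients resolve through the AD DNS server and only that server needs outbound port 53.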

Author Closing Comment

ID: 31670954
Not really a complete answer
LVL 57

Expert Comment

ID: 26192868
Did you resolve the problem?

If so, what was it?

If not, then do you have a proxy server?
