• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 515

Cisco ASA and DNS

I have a Cisco ASA with inside, outside, and guest interfaces. On the guest interface I have installed a Cisco Wireless Controller for our wireless network. On the guest interface the ASA has access to a VLAN that some of the servers are on (inside) and a VLAN that the users are on. A couple of my DNS servers that are on the server VLAN (inside) are on the guest interface as well.
So employee users and guests can log on to the wireless network (employees log on to "Company Wireless", integrated with their AD user account, and guests log on to the "Company Guest" wireless) and have access to our intranet on the internal server and a few other resources. Everything works fine. Employees receive a 10.1.20.X IP and guests receive 10.1.254.X (which is the subnet of the guest wireless network as well).
However, on the Cisco Wireless Controller that is on the guest interface, in the DHCP settings for DNS server I put Google DNS 8.8.8.8 and 8.8.4.4. Guests can access the internet no problem but cannot access the intranet and other network resources using FQDN. If I put the IP address for those resources it works fine. If I put my internal DNS IP address in the DHCP scope it works fine.
How come Google DNS cannot resolve the FQDN of my network resources?
Also, the internal network resources (intranet.domain.com and a few others) have internal and external DNS records, so they should be able to be resolved by Google DNS.
Thanks!
Asked by: tolinrome

1 Solution

Gary Coltharp (Sr. Systems Engineer) commented:
Because Google DNS doesn't know about your network, and any network resources that are NAT'd to the internet will have different public IPs than private.

Your best bet is to specify a DNS server that is internal that will forward to internet DNS servers, Google's if you choose, for zones that it cannot locally identify.
tolinrome (Author) commented:
My DNS servers (on the forwarders tab) all go to OpenDNS (which we use). If I put the OpenDNS server IPs, inside resolution doesn't work either.
Gary Coltharp (Sr. Systems Engineer) commented:
Correct... OpenDNS doesn't know about your internal network any more than Google does. The same principle applies.
tolinrome (Author) commented:
"Your best bet is to specify a DNS server that is internal that will forward to internet DNS servers, Google's if you choose, for zones that it cannot locally identify."

This is how I have it set up already, I think. I have my internal DNS servers listed on the guest interface and as the DNS IP for the DHCP scope for the guest wireless users. Is this normal procedure?

Does this create a security risk?
Gary Coltharp (Sr. Systems Engineer) commented:
Yes....
tolinrome (Author) commented:
So how then can I set it up properly without creating a security risk?
Gary Coltharp (Sr. Systems Engineer) commented:
Well, if you are concerned about guests being able to look up internal servers, I would create a new DNS server that is not active directly integrated, on a different server. Create internal zones for the things you want them to get to, and forward everything else to OpenDNS.
Gary Coltharp (Sr. Systems Engineer) commented:
Meh.... somebody was yakking in my ear.... I meant not Active Directory integrated. (sigh)
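The separate, non-AD-integrated resolver recommended above can be expressed as a small Unbound configuration. This is an added example and not part of the thread or of any Cisco or Unbound documentation; the listener address 10.1.254.2, the intranet server address 10.1.10.20, and the name intranet.domain.com are constructed placeholders, and the OpenDNS resolver addresses are their published anycast resolvers. Only the records listed under local-data are visible to guest clients; everything else is forwarded, so the AD-integrated DNS servers (and the SRV and host records they carry) are never exposed to the guest VLAN.

```conf
# unbound.conf for a guest-facing resolver (constructed example)
server:
    # Listen only on the guest VLAN (placeholder address)
    interface: 10.1.254.2
    port: 53

    # Answer queries from the guest wireless subnet only; refuse everyone else
    access-control: 10.1.254.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Do not reveal server version or hostname to clients
    hide-identity: yes
    hide-version: yes

    # Publish just the internal names guests are meant to reach.
    # "static" means names in this zone that are not listed below
    # get NXDOMAIN instead of being forwarded upstream.
    local-zone: "intranet.domain.com." static
    local-data: "intranet.domain.com. 3600 IN A 10.1.10.20"

# Everything not answered locally goes to OpenDNS, matching the
# forwarders already used by the internal DNS servers in the thread.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
```

Point the guest DHCP scope on the wireless controller at 10.1.254.2 instead of 8.8.8.8, and add an ASA rule allowing UDP/TCP 53 from the guest subnet to that host only, so guests have no path to the internal DNS servers at all. Queries for internal names that are not in local-data fail with NXDOMAIN rather than leaking to the internal resolvers, which is the behaviour the last two comments describe.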