Skip navigation

Cisco ASA blocking DNS from SLS...WHY?

888 Views 2 Replies Latest reply: Oct 24, 2012 7:28 PM by Ralph Parker RSS
Ralph Parker Calculating status...
Currently Being Moderated
Oct 22, 2012 5:23 PM

I have an Xserve running 10.6.8 SLS with Web, DNS, AFP, Mail, VPN Server services turned ON. It is also set up as a DNS forwarder for the machines on my LAN for recursive lookups. Along with some iMacs, it is connected to a switch and they are all on the INSIDE of a Cisco ASA 5505, and the OUTSIDE interface is connected to a Motorola ADSL modem in bridged mode using PPPoE with a static external IP. The ASA provides DHCP for my LAN, and the my Xserve and iMacs are configured in the Network Prefs for Ethernet "DHCP with Manual Address".


The ASA is configured with port address translation and NAT so I can access my Webserver, Mail Server, VPN, etc. remotely. The ASA can connect to my ISP, but here is the problem:


When any iMac on the LAN or, the Xserve itself, tries to connect to the internet, Safari eventually times out, and I see in my Server Admin DNS Logs that the DNS queries are getting blocked on UDP/53. I can also see in the Packet Tracer Tool on the ASA that the packets are indeed being blocked by the ASA. Also, outside access to my services (web, mail, VPN, etc.) doesn't work. (I have not set up Access Lists to allow external access to my LAN via TCP or UDP 53 as it should be unnecessary and would be insecure.)


When I take the ASA 5505 out of the sequence and replace it with my prior consumer grade Linksys WiFi SOHO router with all the same port forwarding, PPPoE, NAT settings, everything works great! So, my internal DNS ain't the problem.


Of course, the short answer is that it must be an issue with configuration of the ASA—and that may well be the problem. However, I'd like the input of the sages if there are specific, known configuration quirks between Cisco ASA's and Snow Leopard Server's DNS to allow DNS forwarder queries. (FYI, I have already tried increasing the packet size on the ASA to accommodate the larger DNS-SEC packets.)


I do realize this is a complicated topic and it may be difficult to provide specifics based on the info provided, but if anyone has a hint, I can provide more detail if needed. Thanks!

  • MrHoffman Level 6 Level 6 (11,720 points)
    Currently Being Moderated
    Oct 23, 2012 9:50 AM (in response to Ralph Parker)

    One gateway box I worked with interpreted the outbound DNS traffic as a UDP storm, and was blocking it.  But this is a question best asked of the Cisco folks, as this won't be the first DNS server located behind a Cisco widget, and as OS X Server is running a bog-standard ISC BIND DNS server.


More Like This

  • Retrieving data ...

Bookmarked By (0)


  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.