Cisco ASA blocking DNS from SLS...WHY?

Question

Level 1

4 points

Cisco ASA blocking DNS from SLS...WHY?

I have an Xserve running 10.6.8 SLS with Web, DNS, AFP, Mail, VPN Server services turned ON. It is also set up as a DNS forwarder for the machines on my LAN for recursive lookups. Along with some iMacs, it is connected to a switch and they are all on the INSIDE of a Cisco ASA 5505, and the OUTSIDE interface is connected to a Motorola ADSL modem in bridged mode using PPPoE with a static external IP. The ASA provides DHCP for my LAN, and the my Xserve and iMacs are configured in the Network Prefs for Ethernet "DHCP with Manual Address".

The ASA is configured with port address translation and NAT so I can access my Webserver, Mail Server, VPN, etc. remotely. The ASA can connect to my ISP, but here is the problem:

When any iMac on the LAN or, the Xserve itself, tries to connect to the internet, Safari eventually times out, and I see in my Server Admin DNS Logs that the DNS queries are getting blocked on UDP/53. I can also see in the Packet Tracer Tool on the ASA that the packets are indeed being blocked by the ASA. Also, outside access to my services (web, mail, VPN, etc.) doesn't work. (I have not set up Access Lists to allow external access to my LAN via TCP or UDP 53 as it should be unnecessary and would be insecure.)

When I take the ASA 5505 out of the sequence and replace it with my prior consumer grade Linksys WiFi SOHO router with all the same port forwarding, PPPoE, NAT settings, everything works great! So, my internal DNS ain't the problem.

Of course, the short answer is that it must be an issue with configuration of the ASA—and that may well be the problem. However, I'd like the input of the sages if there are specific, known configuration quirks between Cisco ASA's and Snow Leopard Server's DNS to allow DNS forwarder queries. (FYI, I have already tried increasing the packet size on the ASA to accommodate the larger DNS-SEC packets.)

I do realize this is a complicated topic and it may be difficult to provide specifics based on the info provided, but if anyone has a hint, I can provide more detail if needed. Thanks!

Posted on Oct 22, 2012 5:23 PM

Reply

Answer 1

Best reply

MrHoffman

Community+ 2024

Level 10

116,577 points

Oct 23, 2012 9:50 AM in response to Ralph Parker

One gateway box I worked with interpreted the outbound DNS traffic as a UDP storm, and was blocking it. But this is a question best asked of the Cisco folks, as this won't be the first DNS server located behind a Cisco widget, and as OS X Server is running a bog-standard ISC BIND DNS server.

Reply

Answer 2

Ralph Parker Author

Level 1

4 points

Oct 24, 2012 7:28 PM in response to MrHoffman

Thank you for your input. However, I believe I found the problem, which was kind of a convoluted issue, but now seems to be solved.

When I was doing my initial testing with the ASA in place and live, it was assigning ARP tables and remembering the MAC addresses of various Macs and other devices on my LAN, and linking them to DHCP-assigned IP's. Then, I took it out of the Test environment temporarily to do my final offline configuration in preparation to go live. When I put the ASA back in line, in the production environment, with the LAN devices/computered configured for static IP's, I discovered that the ASA DHCP server was assigning IP's that were in conflict with my static-assigned IP's due to MAC and ARP table mismatches. It's just a guess, but I think the NATing was getting confused with where to send the DNS and where to receive the responses.

By clearing the ARP caches and resetting the ASA, it went back to appropriate DHCP assignments (for those few devices that need it) and all is well now.

I realize this may be more info than may be necessary for what may be a unique problem, but I offer it to anyone else who may find themselves in my shoes.

Reply