Cisco ASA blocking DNS from SLS...WHY?
I have an Xserve running 10.6.8 SLS with Web, DNS, AFP, Mail, VPN Server services turned ON. It is also set up as a DNS forwarder for the machines on my LAN for recursive lookups. Along with some iMacs, it is connected to a switch and they are all on the INSIDE of a Cisco ASA 5505, and the OUTSIDE interface is connected to a Motorola ADSL modem in bridged mode using PPPoE with a static external IP. The ASA provides DHCP for my LAN, and my Xserve and iMacs are configured in the Network Prefs for Ethernet "DHCP with Manual Address".
The ASA is configured with port address translation and NAT so I can access my Webserver, Mail Server, VPN, etc. remotely. The ASA can connect to my ISP, but here is the problem:
When any iMac on the LAN, or the Xserve itself, tries to connect to the internet, Safari eventually times out, and I see in my Server Admin DNS Logs that the DNS queries are getting blocked on UDP/53. I can also see in the Packet Tracer Tool on the ASA that the packets are indeed being blocked by the ASA. Also, outside access to my services (web, mail, VPN, etc.) doesn't work. (I have not set up Access Lists to allow external access to my LAN via TCP or UDP 53, as it should be unnecessary and would be insecure.)
When I take the ASA 5505 out of the sequence and replace it with my prior consumer grade Linksys WiFi SOHO router with all the same port forwarding, PPPoE, NAT settings, everything works great! So, my internal DNS ain't the problem.
Of course, the short answer is that it must be an issue with configuration of the ASA—and that may well be the problem. However, I'd like the input of the sages if there are specific, known configuration quirks between Cisco ASAs and Snow Leopard Server's DNS to allow DNS forwarder queries. (FYI, I have already tried increasing the packet size on the ASA to accommodate the larger DNSSEC packets.)
I do realize this is a complicated topic and it may be difficult to provide specifics based on the info provided, but if anyone has a hint, I can provide more detail if needed. Thanks!