I have just installed and configured an ASA 5505 firewall (basic license) which has 3 VLANs (outside, trusted, untrusted), and the configuration is really basic.
Outside is for internet, trusted is for LAN computers, untrusted is for Wifi.
We have an internal server connected to trusted with a static ip of 10.5.1.2. That server runs a Bind DNS instance. The server also runs 2 VPS instances. To make it easy to access the VPS instances they are given a domain name and the DNS instance is used to supply computers of the network with the ip for those VPS instances.
I tried to add the internal server as the primary DNS server and Google's public slave DNS (8.8.4.4) as secondary:
mastermind(config)# dhcpd dns 10.5.1.2 8.8.4.4
address overlap with dhcp pool ip addresses
However that did not work. Do I need to reserve that ip so that it's not in the DHCP pool? Or am I going at this totally wrong altogether?
Relevant config settings:
ASA Version 8.4(1)
!
interface Vlan1
nameif outside
security-level 0
ip address dhcp
!
interface Vlan2
nameif trusted
security-level 100
ip address 10.5.1.1 255.255.255.0
!
interface Vlan3
no forward interface Vlan2
nameif untrusted
security-level 50
ip address 10.4.1.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
# Ethernet0/2 to Ethernet0/6 has identical configuration
!
interface Ethernet0/7
switchport access vlan 3
!
dns server-group DefaultDNS
domain-name mastermind.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network obj_any
nat (trusted,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.15.166.1 1
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 trusted
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 10.5.1.2-10.5.1.32 trusted
dhcpd enable trusted
!
dhcpd address 10.4.1.2-10.4.1.32 untrusted
dhcpd enable untrusted
!
Best Answer
You're going about this correctly. I guess the reasoning for this error is that if your DNS server is dynamically configured there's a chance it could lose that IP address and break DNS for the rest of your clients. I would put a static IP on the DNS server and just change the DHCP range to exclude 10.5.1.2.
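To make the overlap check and the fix concrete, here is an added example that is not part of the question or the answer: a small Python script that parses the `dhcpd address` and `dhcpd dns` lines of an ASA running config, reports any DNS server whose address falls inside a DHCP pool (the condition behind the "address overlap with dhcp pool ip addresses" error), and emits a replacement `dhcpd address` line that excludes the static server. Because the ASA accepts one contiguous range per interface, a server in the middle of a pool can only be excluded by cutting off one end; the script keeps the larger side. The sample config is constructed from the question's lines as they would read after the rejected `dhcpd dns 10.5.1.2 8.8.4.4` command.

```python
import ipaddress
import re

# Constructed sample: the question's DHCP lines as they would read after the
# rejected `dhcpd dns 10.5.1.2 8.8.4.4` command (hypothetical, not a live config).
SAMPLE_CONFIG = """\
dhcpd dns 10.5.1.2 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 10.5.1.2-10.5.1.32 trusted
dhcpd enable trusted
!
dhcpd address 10.4.1.2-10.4.1.32 untrusted
dhcpd enable untrusted
"""

POOL_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)$")
DNS_RE = re.compile(r"^dhcpd dns (.+)$")


def parse_dhcpd(config):
    """Return ({interface: (first, last)}, [dns servers]) from the dhcpd lines."""
    pools, dns = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            pools[m.group(3)] = (ipaddress.ip_address(m.group(1)),
                                 ipaddress.ip_address(m.group(2)))
            continue
        m = DNS_RE.match(line)
        if m:
            dns = [ipaddress.ip_address(tok) for tok in m.group(1).split()]
    return pools, dns


def find_overlaps(pools, dns):
    """List (interface, server) pairs where a DNS server sits inside a pool."""
    return [(iface, str(server))
            for iface, (lo, hi) in pools.items()
            for server in dns
            if lo <= server <= hi]


def exclude_address(lo, hi, addr):
    """Shrink [lo, hi] so it no longer contains addr, keeping the larger side.

    One contiguous range per interface means an address in the middle of a
    pool can only be excluded by dropping everything on one side of it.
    """
    if not lo <= addr <= hi:
        return lo, hi
    lower = (lo, addr - 1) if addr > lo else None
    upper = (addr + 1, hi) if addr < hi else None
    candidates = [r for r in (lower, upper) if r is not None]
    if not candidates:
        return None  # the pool was exactly this one address; nothing is left
    return max(candidates, key=lambda r: int(r[1]) - int(r[0]))


def fixed_pool_commands(pools, dns):
    """Emit replacement `dhcpd address` lines for every pool that overlaps a DNS server."""
    commands = []
    for iface, (lo, hi) in pools.items():
        rng = (lo, hi)
        for server in dns:
            if rng is None:
                break
            rng = exclude_address(rng[0], rng[1], server)
        if rng != (lo, hi):
            if rng is None:
                commands.append(f"no dhcpd address {lo}-{hi} {iface}")
            else:
                commands.append(f"dhcpd address {rng[0]}-{rng[1]} {iface}")
    return commands


if __name__ == "__main__":
    pools, dns = parse_dhcpd(SAMPLE_CONFIG)
    for iface, server in find_overlaps(pools, dns):
        print(f"address overlap: DNS server {server} is inside the {iface} pool")
    for cmd in fixed_pool_commands(pools, dns):
        print(cmd)
```

Run against the sample it reports the 10.5.1.2 overlap on `trusted` and proposes `dhcpd address 10.5.1.3-10.5.1.32 trusted`, which is the answer's fix of shifting the range past the statically addressed server; 8.8.4.4 and the `untrusted` pool are untouched.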