Cisco ASA not allowing DNS traffic to pass

Tags: cisco-asa, domain-name-system, internal-dns

I have an ASA 5515 as my internet firewall. It is not allowing me to do NS lookups from any internal DNS servers or clients. If I set my nslookup server to 8.8.8.8 (Google DNS), I can resolve public DNS names. If I am on the internal network, it breaks.

I have the following in my ASA:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 8192
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect pptp 
  inspect ipsec-pass-thru 
  inspect icmp 
  inspect dns preset_dns_map 

Any ideas as to why it's not working?

Best Answer

As per the mentioned notes, when you are sending a DNS query internally, is it going through the firewall or not? If it is, run a packet tracer for the concerned traffic and see if the traffic is getting dropped at any stage. If for any reason the ASA is dropping the traffic, collect the output of an ASP capture. The ASP capture will help us to isolate the reason why the ASA is dropping the packet.
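A worked version of the checks the answer describes (packet tracer, interface captures, ASP drop capture), added here as an illustration and not taken from the original thread. The inside host 192.168.1.10, the interface names inside/outside and the resolver 8.8.8.8 are assumptions; substitute your own.

```cisco
! Added example, not part of the original thread. Assumed: client 192.168.1.10
! behind interface "inside", default route out of interface "outside".

! 1. Simulate the DNS query through the ASA processing path (ACL, NAT,
!    inspection) and read the phase in which it is ALLOWED or DROPPED.
!    40000 is an arbitrary ephemeral source port.
packet-tracer input inside udp 192.168.1.10 40000 8.8.8.8 53 detailed

! 2. Capture the real query on the ingress and egress interfaces. If dns-in
!    fills but dns-out stays empty, the packet died inside the ASA.
capture dns-in  interface inside  match udp host 192.168.1.10 any eq 53
capture dns-out interface outside match udp any any eq 53

! 3. Capture every frame the ASA drops, together with the drop reason.
capture asp type asp-drop all

! ... now run "nslookup www.example.com" from 192.168.1.10 ...

show capture dns-in
show capture dns-out
show capture asp | include 53
! Aggregate drop counters by reason; watch for inspect-dns-* counters climbing.
show asp drop frame

! 4. Confirm the DNS inspection policy is applied and actually counting packets.
show service-policy inspect dns

! Remove the captures when finished; they consume memory on the appliance.
no capture dns-in
no capture dns-out
no capture asp
```

If packet-tracer reports a drop in the INSPECT phase, compare the drop reason against the preset_dns_map parameters shown in the question before changing anything else.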