cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
561
Views
0
Helpful
4
Replies

Need urgent help fixing DNS being blocked...

kcaporaso
Level 1
Level 1

Hello:

I'm getting the following types of log messages on my asa 5505 7.2.

65.32.5.74 PublicIP Deny udp src outside:65.32.5.74/53 dst inside:PublicIP/10521 by access-group "outside_access_in" [0x0, 0x0]

Basically another DNS server is trying to get some updates from me and it's being blocked. Can anyone help me to allow this type of traffic? Below is my config. Thanks much!

name 192.168.1.20 master

name 192.168.1.10 mail

name 192.168.1.3 yoda

name 6.7.8.10 PublicIP

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address PublicIP 255.255.255.248

ospf cost 10

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name mydomain.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service www tcp-udp

description Web traffic

port-object eq www

access-list outside_access_in remark Allow for incoming FTP requests

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in remark Allow for incoming Secure SMTP requests

access-list outside_access_in extended permit tcp any interface outside eq 465

access-list outside_access_in remark Allow for incoming Secure IMAP requests

access-list outside_access_in extended permit tcp any interface outside eq 993

access-list outside_access_in remark Allow for incoming smtp requests

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in remark Allow for incoming https requests

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in remark Allow for incoming DNS requests

access-list outside_access_in extended permit udp any interface outside eq domain

access-list outside_access_in remark Allow for incoming DNS requests

access-list outside_access_in extended permit tcp any interface outside eq domain

access-list outside_access_in remark Allow for incoming ssh requests

access-list outside_access_in extended permit tcp any interface outside eq ssh

access-list outside_access_in remark Allow for incoming http requests

access-list outside_access_in extended permit tcp any interface outside eq www

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www master www netmask 255.255.255.255

static (inside,outside) udp interface domain master domain netmask 255.255.255.255

static (inside,outside) tcp interface domain master domain netmask 255.255.255.255

static (inside,outside) tcp interface 465 mail 465 netmask 255.255.255.255

static (inside,outside) tcp interface 993 mail 993 netmask 255.255.255.255

static (inside,outside) tcp interface https mail https netmask 255.255.255.255

static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255

static (inside,outside) tcp interface ssh yoda ssh netmask 255.255.255.255

static (inside,inside) PublicIP master netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 6.7.8.9 1

4 Replies 4

acomiskey
Level 10
Level 10

"Basically another DNS server is trying to get some updates from me and it's being blocked. Can anyone help me to allow this type of traffic?"

-Are you sure. I would think if that were the case you would see the destination port be 53 not the source, like this...PublicIP/53

Not positive, but that IP address definitely resolves to my ISPs "big" DNS in the sky. What does the logger line appear to be blocking? All I know is that all of a sudden some of the domains I hold DNS entries for are having some issues and I noticed all these denied packets on the DNS port. Thanks for any suggestions.

It looks to me like the external dns server is replying to a request from an inside host when the connection in the firewall has already been torn down. Therefore there is no associated connection in the ASA and it drops the packet.

Hmm.. OK, is that likely to happen from time-to-time?

Also, I'm seeing these as well, are these also considered 'normal'

74.237.237.158 PublicIP Deny TCP (no connection) from 74.237.237.158/50518 to PublicIP/80 flags FIN ACK on interface outside

Thanks for your help!!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: