DNS through an ASA

Answered Question
Aug 1st, 2008

Folks,

Me again!

I'm trying to allow DNS through an ASA 5540, but though I have a rule allowing the source to the correct destinations with 'domain' as the service, the traffic is being denied.

The traffic is UDP whilst the domain service is TCP.

I've tried adding a new DNS group as TCP-UDP, but I get an error saying this is already created, yet when I try to select this group there are no groups available.

Any ideas what I'm doing wrong?

Thanks to anyone taking the time to reply again.


Correct Answer

Michael,


Generally I write a rule that is specific to the src and dst IPs using the TCP/UDP port numbers. Group objects are great for large configs for generic services, i.e. HTTP, SMTP etc. But I like to make troubleshooting easier for myself in these kinds of requirements.

You also need to make sure that the default DNS inspection rule allows for larger TCP/DNS queries/replies (max length).

HTH
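As an added example (not from the original poster or the answer above), here is what the explicit per-host approach described in the reply looks like in ASA CLI, together with the DNS inspection tweak and two commands for checking the result. All names and addresses (`INSIDE_IN`, `10.0.0.10`, `192.0.2.53`, `192.0.2.54`, the 4096-byte limit) are constructed for illustration; substitute your own client and resolver addresses.

```cisco
! --- Explicit DNS rules, one line per transport (constructed example) ---
! Client 10.0.0.10 (inside) is allowed to query two resolvers on UDP and TCP 53.
! "eq domain" is accepted on both the udp and tcp lines; it resolves to port 53.
access-list INSIDE_IN extended permit udp host 10.0.0.10 host 192.0.2.53 eq domain
access-list INSIDE_IN extended permit udp host 10.0.0.10 host 192.0.2.54 eq domain
access-list INSIDE_IN extended permit tcp host 10.0.0.10 host 192.0.2.53 eq domain
access-list INSIDE_IN extended permit tcp host 10.0.0.10 host 192.0.2.54 eq domain
! Everything else is logged before it hits the implicit deny, which makes it
! obvious in the syslog which transport/port was actually dropped.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! --- Raise the DNS inspection message-length ceiling (assumed value) ---
! The default preset_dns_map caps messages at 512 bytes; larger replies
! (e.g. EDNS0 or long TXT/zone data) are dropped by inspection, not by the ACL.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

! --- Verification ---
! Hit counts confirm which ACE the query matched (or none).
show access-list INSIDE_IN
! Simulate a UDP/53 query from the client and see every stage the packet passes.
packet-tracer input inside udp 10.0.0.10 1234 192.0.2.53 53
! Confirm the inspection policy is applied and see any drops it records.
show service-policy inspect dns
```

The two diagnostic commands are the practical part: if `packet-tracer` reports the drop at the ACCESS-LIST phase the rule is wrong or on the wrong interface, whereas a drop at the INSPECT phase points at the message-length limit rather than the ACL.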

