DNS through an ASA

mulhollandm
Level 1

folks

me again!

I'm trying to allow DNS through an ASA 5540, but though I have a rule allowing the source to the correct destinations with 'domain' as the service, the traffic is being denied.

The traffic is UDP, whilst the domain service is TCP.

I've tried adding a new DNS group as TCP-UDP, but I get an error saying this is already created; yet when I try to select this group there are no groups available.

Any ideas what I'm doing wrong?

Thanks to anyone taking the time to reply again.

1 Accepted Solution

Accepted Solutions

andrew.prince
Level 10

michael,

Generally I write a rule that is specific to the src and dst IPs using the TCP/UDP port numbers. Group objects are great for large configs for generic services, i.e. HTTP, SMTP etc. But I like to make troubleshooting easier for myself in these kinds of requirements.

You also need to make sure that the default DNS inspection rule allows for larger TCP/DNS queries/replies (max length).

HTH

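As an added illustration of the accepted answer (this is example configuration written for this page, not from the original poster, the replier, or Cisco): an ASA rule that permits DNS from one specific client to one specific resolver over both UDP and TCP port 53, plus the DNS inspection policy whose message-length limit the reply refers to. The addresses, object names, interface name and the 4096-byte limit are placeholders chosen for the example.

```cisco
! Added example, not configuration from the thread. All names and
! addresses below are placeholders: INSIDE_HOST is the client,
! DNS_SERVER is the resolver it is allowed to query.
object network INSIDE_HOST
 host 10.10.10.25
object network DNS_SERVER
 host 192.0.2.53
!
! One service group covering both transports DNS uses. On the ASA the
! keyword 'domain' maps to port 53 for udp and for tcp; the original
! problem was a rule that only matched the tcp side.
object-group service DNS_BOTH
 service-object udp destination eq domain
 service-object tcp destination eq domain
!
! Explicit src/dst rule, as the reply recommends, rather than a broad
! generic-service group: easier to read in 'show access-list' output.
access-list INSIDE_IN extended permit object-group DNS_BOTH object INSIDE_HOST object DNS_SERVER
access-group INSIDE_IN in interface inside
!
! DNS inspection drops messages larger than message-length maximum
! (default 512 bytes). Raise it if the resolver returns large answers,
! e.g. EDNS0 or DNSSEC responses, or they will be silently discarded.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

To confirm which rule a query actually hits before touching production, run `packet-tracer input inside udp 10.10.10.25 1025 192.0.2.53 53` (and the same with `tcp`) and check that the ACCESS-LIST phase reports the DNS_BOTH entry; `show access-list INSIDE_IN` then shows hit counts separately for the udp and tcp lines, which is exactly the visibility the reply's "specific rule" advice is aiming for.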

3 Replies


Andrew,

Many thanks for your reply.

I had a better look at the rule and ticked UDP rather than TCP!

Thanks again.

np - glad to help.
