01-21-2009 07:46 AM - edited 03-11-2019 07:40 AM
Can you guys please help me understand why the line
permit udp any eq domain host 65.65.65.44
which is part of the ACL applied to the outside interface in the IN direction allows my internal users to properly browse the internet sites by name?
If I don't have this statement, my internal users can't resolve anything by name. We use public DNS servers in our PCs' TCP/IP settings, like 4.2.2.2.
I'm confused because everything outbound is allowed in my network, and I know that when we browse to a site, for example google.com, the internal host places a DNS query to its DNS server, in this case 4.2.2.2, which is a public DNS server. So the internal host sends out this query to port 53 of the public DNS, and because it is outbound traffic it is allowed and thus should not need that statement to work... this is why I'm confused.
Also, as far as I understand, return traffic for a connection that originated on the inside is also allowed by this statement:
permit tcp any any established
This is why I get even more confused, but there must be something I am missing with regard to DNS resolution.
Any help or links that can help me understand this?
thanks in advance
01-26-2009 12:58 PM
Hello Sir,
Yes, the ASA is a stateful device for traffic that is originated from the trusted network, to the untrusted network.
The ASA performs inspection of this traffic to permit the return traffic to come back in (reflexive ACL).
Please try the following:
policy-map global_policy
class inspection_default
inspect dns
If this does not work, please send me the log message that you are getting.
01-27-2009 11:28 AM
I think I left out a detail... I have this on an IOS (router).
No ASA.
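As an added illustration (not from any poster in this thread, and not Cisco code): a small Python model of how a plain IOS extended ACL evaluates the packets behind the question. Without reflexive ACLs or CBAC, an IOS ACL is stateless and the `established` keyword only matches TCP segments with the ACK or RST bit set, so the UDP reply from 4.2.2.2 can only get in through the explicit udp line; the web-server address is constructed.

```python
"""Stateless model of IOS extended-ACL evaluation (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False  # TCP ACK/RST bit; the only thing 'established' tests

@dataclass(frozen=True)
class Ace:
    """One access-control entry; "any" / port 0 mean unrestricted."""
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip"
    src: str = "any"
    sport: int = 0
    dst: str = "any"
    dport: int = 0
    established: bool = False  # meaningful only for tcp entries

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if self.sport not in (0, p.sport) or self.dport not in (0, p.dport):
            return False
        # 'established' never matches UDP: a datagram has no flags to look at
        return not self.established or p.ack_or_rst

def evaluate(acl, pkt):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

HOST, DNS_SERVER, DOMAIN = "65.65.65.44", "4.2.2.2", 53  # values from the thread
WEB_SERVER = "198.51.100.10"                              # constructed address

# the inbound ACL as the thread describes it, with and without the udp line
INBOUND_WITH_DNS = [Ace("permit", "udp", sport=DOMAIN, dst=HOST),
                    Ace("permit", "tcp", established=True)]
INBOUND_NO_DNS = INBOUND_WITH_DNS[1:]

dns_reply = Packet("udp", DNS_SERVER, DOMAIN, HOST, 40000)                # reply to a query
http_reply = Packet("tcp", WEB_SERVER, 80, HOST, 40001, ack_or_rst=True)  # reply to a GET
inbound_syn = Packet("tcp", WEB_SERVER, 50000, HOST, 22)                  # unsolicited SYN
```

Run `evaluate(acl, pkt)` with each packet against both lists: the DNS reply is permitted only by the list that contains the udp line, while the TCP reply passes and the unsolicited SYN is dropped either way.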