05-28-2009 09:59 AM - last edited on 03-25-2019 05:42 PM by ciscomoderator
Today I had a client call and tell me that their domain controllers could not resolve DNS out to the internet. They were looking at the syslog of the ASA and saw it blocking their servers outbound on DNS. I looked at it and didn't see anything, and they said everything was fine. They have a MARS, so I looked in there and found that the domain controllers had been blocked outbound for DNS. The ACL is on the inside interface allowing those two servers outbound for DNS, and it's above any deny rule. It's like the ASA built a dynamic ACL rule and started blocking those servers from resolving DNS. I have never had this happen before in all the installs of the ASAs. The device is running 8(0)4.
TIA for any help/ideas.
Dan
05-28-2009 10:18 AM
Is your client using IPS? Take a look at your customer's configuration and make sure that there is not a shun command in the ASA.
05-29-2009 05:49 PM
We really need to see the syslogs that you are talking about.
Did someone apply an outbound acl blocking these in the egress interface?
sh run threat
and see if it is enabled and if that could have caused any issues.
Is the dns server using pat or static to go out to the internet?
What did the xlate look like at the time of the problem?
sh xlate debug | i x.x.x.x where x.x.x.x is the ip address of the dns server
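The reply above suggests two causes for the ACL-permitted servers being dropped: a shun (manual or from threat detection) versus an ACL deny. The following script is an added example, not part of this thread, that triages ASA syslog lines for the DNS server IPs and separates shun events from ACL denies on UDP/53. The sample log lines are constructed, and the message formats for 106023, 733102 and 401004 are assumed from typical ASA syslog output; adjust the patterns to your logging format.

```python
import re

# Constructed sample ASA syslog lines (assumed formats, not taken from the thread).
SAMPLE_LOGS = """\
%ASA-4-106023: Deny udp src inside:10.10.1.5/53211 dst outside:4.2.2.2/53 by access-group "inside_in" [0x0, 0x0]
%ASA-6-302015: Built outbound UDP connection 1234 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.1.6/53212 (203.0.113.2/53212)
%ASA-4-733102: Threat-detection adds host 10.10.1.5 to shun list
%ASA-4-401004: Shunned packet: 10.10.1.5 ==> 4.2.2.2 on interface inside
%ASA-4-106023: Deny udp src inside:10.10.1.5/53215 dst outside:4.2.2.2/53 by access-group "inside_in" [0x0, 0x0]
"""

# ACL deny: capture source, destination and destination port.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
# Threat detection adding a host to the shun list.
SHUN_ADD_RE = re.compile(
    r'%ASA-\d-733102: Threat-detection adds host (?P<src>[\d.]+) to shun list')
# Packet dropped because the source is currently shunned.
SHUNNED_RE = re.compile(
    r'%ASA-\d-401004: Shunned packet: (?P<src>[\d.]+) ==> (?P<dst>[\d.]+)')


def analyze(log_text, dns_servers):
    """Per DNS server: count ACL denies on UDP/53 and flag any shun activity."""
    findings = {ip: {"acl_dns_denies": 0, "shun_add": False, "shunned": False}
                for ip in dns_servers}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m['src'] in findings and m['proto'] == 'udp' and m['dport'] == '53':
            findings[m['src']]['acl_dns_denies'] += 1
            continue
        m = SHUN_ADD_RE.search(line)
        if m and m['src'] in findings:
            findings[m['src']]['shun_add'] = True
            continue
        m = SHUNNED_RE.search(line)
        if m and m['src'] in findings:
            findings[m['src']]['shunned'] = True
    return findings


def likely_cause(finding):
    """Shun drops happen before ACL evaluation, so a shun outranks ACL denies."""
    if finding['shun_add'] or finding['shunned']:
        return 'shun'
    if finding['acl_dns_denies']:
        return 'acl'
    return 'none'
```

If the result is 'shun', the next check on the box is `show shun` and `show threat-detection shun` rather than the interface ACL.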