I recently replaced our CheckPoint NGX R62 firewall with a Cisco ASA 5520. Everything is working, for the most part.
The first question I have is:
We have two DMZ's, in one of the DMZ's there is a couple of servers that need access to internal LDAP, so I give these servers access to internal LDAP server on TCP/389 (ldap) and figure I should be good to go... Unfortunately, in the syslog it shows the requests being blocked by the ACL. The reason is because the LDAP requests are sourcing from different ports than TCP/389, but the destination is TCP/389. How do I get the ACL to work by allowing requests on destination port TCP/389?
Second question: (may be related)
The first rule on each of my DMZ interfaces is anything to "internal DNS" servers on TCP/UDP 53, allow. First I must say that DNS lookups are working from the DMZ's to internal, but in ASDM, it show number of hits as ZERO. Likewise, I have a rule on the internal interface that allows "internal DNS" access to any on TCP/UDP 53, and it shows hits as ZERO in ASDM as well, even though lookups work to external DNS servers, as expected from them. Any ideas?
I can post config if need be. Thanks for help in advance.