%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.0.72 dst PCNDMZ:192.168.3.10 (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.3.10/53 dst 192.168.0.72/58129
How do I permit these through the firewall? This ASA is placed inside my network to protect my SCADA segment from my Enterprise Network and provide an internal DMZ for secure access to view data being collected by the PLCs on the SCADA network. I have a Domain Controller placed on both the outside segment as well as the DMZ segment for resiliency. When the DC on the outside segment fails, I am unable to get name resolution to function properly by using the DC in the DMZ. I can see the connections established on the perimeter firewall to our ISP DNS servers from this DC in the DMZ, but the DNS replies are not being delivered back to the requesting client. I have icmp and icmp error inspection configured on the internal ASA, but I keep receiving the errors above. NAT-control is disabled. Any ideas? Thanks ahead of time.
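As an added example that is not part of the original post: a small Python parser for the %ASA-4-313005 message quoted above, which separates the ICMP error's endpoints from the embedded original flow and names the ICMP type/code, so the log can be read as "which host reported what about which packet". The function names, field names and the ICMP code table are this example's own; the sample line is the one from the post.

```python
import re

# The log line quoted in the post, used as sample input.
SAMPLE = ("%ASA-4-313005: No matching connection for ICMP error message: "
          "icmp src outside:192.168.0.72 dst PCNDMZ:192.168.3.10 (type 3, code 3) "
          "on outside interface. Original IP payload: "
          "udp src 192.168.3.10/53 dst 192.168.0.72/58129")

# ICMP type 3 (destination unreachable) codes: RFC 792, code 13 from RFC 1812.
ICMP_UNREACH = {0: "network unreachable", 1: "host unreachable",
                2: "protocol unreachable", 3: "port unreachable",
                4: "fragmentation needed", 13: "administratively prohibited"}

PATTERN = re.compile(
    r"%ASA-4-313005: No matching connection for ICMP error message: "
    r"icmp src (?P<err_src_if>[^:\s]+):(?P<err_src>\S+) "
    r"dst (?P<err_dst_if>[^:\s]+):(?P<err_dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<iface>\S+) interface\.\s+"
    r"Original IP payload: (?P<proto>\w+) "
    r"src (?P<o_src>[^/\s]+)/(?P<o_sport>\d+) dst (?P<o_dst>[^/\s]+)/(?P<o_dport>\d+)")

def parse_313005(line):
    """Return a dict of fields from a 313005 message, or None if it does not match."""
    m = PATTERN.search(line)  # search() tolerates a syslog timestamp prefix
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "o_sport", "o_dport"):
        rec[key] = int(rec[key])
    rec["meaning"] = (ICMP_UNREACH.get(rec["code"], "unreachable (other code)")
                      if rec["type"] == 3 else "ICMP type %d" % rec["type"])
    # An ICMP error quotes the packet that triggered it, so the error normally
    # travels from the quoted packet's destination back to its source.
    rec["error_from_original_dst"] = rec["err_src"] == rec["o_dst"]
    rec["error_to_original_src"] = rec["err_dst"] == rec["o_src"]
    # Source port 53 in the quoted packet means the rejected packet was a DNS reply.
    rec["dns_reply"] = rec["proto"] == "udp" and rec["o_sport"] == 53
    return rec

def summarize(rec):
    """One-line reading of the parsed record."""
    return "%s reported %s for %s %s:%d -> %s:%d" % (
        rec["err_src"], rec["meaning"], rec["proto"],
        rec["o_src"], rec["o_sport"], rec["o_dst"], rec["o_dport"])

if __name__ == "__main__":
    print(summarize(parse_313005(SAMPLE)))
```

Run over the line from the post, the record shows the client on the outside interface returning a port unreachable for a DNS reply that the DMZ server sent from UDP port 53 to the client's port 58129.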