ICMP errors

unclerico (Level 1)

%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.0.72 dst PCNDMZ:192.168.3.10 (type 3, code 3) on outside interface.  Original IP payload: udp src 192.168.3.10/53 dst 192.168.0.72/58129

How do I permit these through the firewall? This ASA is placed inside my network to protect my SCADA segment from my Enterprise Network and provide an internal DMZ for secure access to view data being collected by the PLCs on the SCADA network. I have a Domain Controller placed on both the outside segment as well as the DMZ segment for resiliency. When the DC on the outside segment fails, I am unable to get name resolution to function properly by using the DC in the DMZ. I can see the connections established on the perimeter firewall to our ISP DNS servers from this DC in the DMZ, but the DNS replies are not being delivered back to the requesting client. I have icmp and icmp error inspection configured on the internal ASA, but I keep receiving the errors above. NAT-control is disabled. Any ideas? Thanks ahead of time.

3 Replies

Kureli Sankar (Cisco Employee)

Enable icmp error inspection in addition to icmp inspection under the policy-map. This will only allow the control messages to come back to you.

That is a Port Unreachable message coming back. Are you sure whoever it is is listening on udp 53 to provide dns resolution for you?

Make sure these dns servers work fine in their local segment and make sure they will respond back to other hosts on other subnets as well and there is no restriction.

-KS
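As an added illustration, not code from either poster or from Cisco: a small Python triage helper for %ASA-4-313005 lines. It parses the message quoted in the question, pulls out the packet embedded in the ICMP error (the DNS reply from 192.168.3.10/53 to 192.168.0.72/58129), derives the UDP connection the ASA would need in its conn table for ICMP error inspection to pass the error through, and records whether the ICMP sender is the quoted packet's own destination (here it is: 192.168.0.72 itself reported port 58129 unreachable, meaning nothing was bound to that port when the reply arrived) or an intermediate hop. The connection-table snapshots in the block are hypothetical, constructed only to show the two outcomes.

```python
import re
from typing import Optional, Set, Tuple

# (proto, src, sport, dst, dport)
FiveTuple = Tuple[str, str, int, str, int]

LOG_RE = re.compile(
    r"%ASA-4-313005: No matching connection for ICMP error message: "
    r"icmp src (?P<src_if>[\w-]+):(?P<src>[\d.]+) dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) on (?P<iface>[\w-]+) interface\.\s+"
    r"Original IP payload: (?P<proto>\w+) src (?P<osrc>[\d.]+)/(?P<osport>\d+) "
    r"dst (?P<odst>[\d.]+)/(?P<odport>\d+)"
)

ICMP_NAMES = {
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",
    (3, 4): "fragmentation needed",
    (11, 0): "TTL exceeded in transit",
}

# Constructed sample: the log line quoted in the question. Nothing here is
# taken from a live device beyond that one message.
SAMPLE_LINE = (
    "%ASA-4-313005: No matching connection for ICMP error message: icmp src "
    "outside:192.168.0.72 dst PCNDMZ:192.168.3.10 (type 3, code 3) on outside "
    "interface.  Original IP payload: udp src 192.168.3.10/53 dst 192.168.0.72/58129"
)


def parse_313005(line: str) -> Optional[dict]:
    """Parse one %ASA-4-313005 message into a dict; None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("type", "code", "osport", "odport"):
        ev[key] = int(ev[key])
    ev["proto"] = ev["proto"].lower()
    return ev


def quoted_packet(ev: dict) -> FiveTuple:
    """The packet embedded in the ICMP error, i.e. the one that provoked it."""
    return (ev["proto"], ev["osrc"], ev["osport"], ev["odst"], ev["odport"])


def required_connection(ev: dict) -> FiveTuple:
    """The flow the ASA must already hold for ICMP error inspection to let the
    error through: the quoted packet's 5-tuple, written from the side that
    opened the flow (the destination of a reply is the original client)."""
    return (ev["proto"], ev["odst"], ev["odport"], ev["osrc"], ev["osport"])


def error_origin(ev: dict) -> str:
    """'endpoint' when the host sending the ICMP error is the host the quoted
    packet was addressed to (it rejected the packet itself, e.g. a closed UDP
    port); 'transit' when some other hop on the path generated it."""
    return "endpoint" if ev["src"] == ev["odst"] else "transit"


def conn_present(conn_table: Set[FiveTuple], ev: dict) -> bool:
    """Look the flow up in both directions, as a stateful firewall does."""
    proto, a, ap, b, bp = required_connection(ev)
    return (proto, a, ap, b, bp) in conn_table or (proto, b, bp, a, ap) in conn_table


def triage(line: str, conn_table: Set[FiveTuple]) -> Optional[dict]:
    """Summarise one 313005 line against a snapshot of the connection table."""
    ev = parse_313005(line)
    if ev is None:
        return None
    return {
        "icmp_error": ICMP_NAMES.get((ev["type"], ev["code"]),
                                     f"type {ev['type']} code {ev['code']}"),
        "icmp_sender": ev["src"],
        "quoted_packet": quoted_packet(ev),
        "required_connection": required_connection(ev),
        "origin": error_origin(ev),
        "conn_present": conn_present(conn_table, ev),
    }


if __name__ == "__main__":
    # Hypothetical conn-table snapshots: empty (what the ASA saw when it logged
    # the drop) versus one still holding the client's outstanding DNS query.
    empty: Set[FiveTuple] = set()
    with_query: Set[FiveTuple] = {("udp", "192.168.0.72", 58129, "192.168.3.10", 53)}
    for table in (empty, with_query):
        print(triage(SAMPLE_LINE, table))
```

Run against a batch of syslog lines, the `origin` field separates the two cases worth distinguishing when chasing this message: errors the client host generates itself (the UDP socket was already gone when the reply came back, so the reply was late or unsolicited) from errors a router in the path generates, which point at routing rather than at the resolver. `conn_present` is false for every 313005 line by definition; it is there so the same code can be used to re-check a `show conn` snapshot taken while the failure is reproduced.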

kusankar,

Thank you for your response. Yes, I am 100% positive that the DC is accepting DNS queries. All hosts on the SCADA network use that DC for authentication as well as name resolution within the local segment as well as for reaching servers in the PCN DMZ. I can also issue the nslookup command from a host on the outside and set the server to be this DC on the DMZ. It functions fine as long as the DC on the outside segment is online. Once the DC on the outside segment goes offline I am unable to get name resolution to work through this DC in the PCN DMZ. I have the outside DC as the primary DNS for outside clients and the DC in the PCN DMZ as secondary. I have the DC in the PCN DMZ as primary and the DC on the outside as secondary for hosts within the PCN DMZ. I have the DC in the PCN DMZ as primary for all hosts on the SCADA network. I am completely stumped. I have set up countless infrastructures and never run into an issue like this before. Thanks again.

When the primary DNS is offline and the secondary ones fail to respond, then we need to collect the logs to see what happens to these udp 53 packets.

Do you just get these icmp port unreachable messages, or are there other messages that we are missing?

What do captures on the host that is trying to get name resolution say? Just configure the secondary server as the only DNS server on this host, collect Wireshark captures on the dns traffic and see what it shows you.

-KS
