I have a fairly new install of a 5510; it's been running well the last couple of weeks, but I found out from our ISP that I have my DNS servers in the open for attacks when I had the access-list for incoming using port 53, so I took it out, and somehow now we're getting bounces from Comcast and AOL, and other sites.
So I kept searching, and I read here that some folks disabled inspect dns under the global policy because that caused issues with how DNS is handled by the ASA. I did that too to try and see if it helps, but was getting the same thing. So basically some domains are not going through for email when I have port 53 blocked on the ASA incoming. Or would it be safe to open it again? But I will probably get that warning again from my ISP saying I'm vulnerable. Kinda stumped on this right now and would like to see how you guys set your ASA to let DNS flow correctly; here's my current config as well.
Thanks for the reply. I re-opened port 53 for my DNS servers on the outside interface incoming, and mail flowed like normal again. Yeah, I think I'm one of the last few that still has the old setup for a LAN and firewall; I need to get with the times and finally set up a DMZ. We have RDP, web, OWA, SMTP and FTP basically. I'm googling around for now for info, and hopefully will get the hang of this setup.
ISP systems will block for a certain time and then release the IP. So there is a chance that you will still experience the issue once the ISP notices any kind of attack from your IPs. I suggest you hire a consultant and make the necessary changes ASAP.
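The ISP warning in this thread is the kind of report sent when a DNS server reachable on port 53 answers recursive queries for anyone. Before re-opening port 53 on the ASA for the DNS servers, it is worth checking from outside whether they still recurse. The script below is an added example, not from this thread or from Cisco: it sends a plain UDP query with the RD bit set for a name the server is assumed not to be authoritative for (`example.com`, a placeholder you can change) and classifies the reply by its RA flag, answer count and RCODE.

```python
import socket
import struct

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a standard DNS A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

def classify_response(resp: bytes, txid: int = 0x1234) -> str:
    """Classify a reply header: open-recursive, recursion-advertised, refused,
    no-recursion, or invalid (wrong id / not a response / truncated)."""
    if len(resp) < 12:
        return "invalid"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # id mismatch or QR bit not set
        return "invalid"
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)             # RA: server offers recursion to us
    if rcode == 5:                         # REFUSED: recursion denied to this client
        return "refused"
    if ra:
        return "open-recursive" if an > 0 else "recursion-advertised"
    return "no-recursion"

def check_open_resolver(server: str, qname: str = "example.com",
                        timeout: float = 3.0) -> str:
    """Query server on UDP/53 and classify the reply; 'timeout' if none arrives."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            resp, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(resp)

if __name__ == "__main__":
    import sys
    # Run from a host outside the ASA: python3 check.py <your-dns-server-ip>
    print(check_open_resolver(sys.argv[1]))
```

A server that returns "refused" or "no-recursion" for names outside its own zones can safely be reachable on port 53 for authoritative lookups of your domain; "open-recursive" means recursion is still enabled for outside clients and the ISP scan will flag it again.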
Question: I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router. The following licenses have been activated on my router: