Cisco Support Community
ASA5510 and dns issues with email

Hi all,

I have a fairly new install of a 5510. It has been running well for the last couple of weeks, but I found out from our ISP that I had my DNS servers open to attack when I had the incoming access-list permitting port 53, so I took it out, and somehow now we're getting bounces from Comcast, AOL, and other sites.

So I kept searching, and I read here that some folks disabled inspect dns under the global policy because it caused issues with how DNS is handled by the ASA. I did that too to see if it helps, but I was getting the same thing. So basically some domains are not going through for email when I have port 53 blocked on the ASA incoming. Or would it be safe to open it again? I will probably get that warning again from my ISP saying I'm vulnerable. I'm kinda stumped on this right now and would like to see how you guys set up your ASA to let DNS flow correctly. Here's my current config as well.

Thanks in advance.

1 ACCEPTED SOLUTION

ASA5510 and dns issues with email

Hi,

You need to redesign your setup.

1. Move all the servers that definitely need access from the outside world (web services, RDP, etc.) to a DMZ (leaving everything in the LAN and allowing access from outside is not recommended at all).

2. Evaluate the services that need to be allowed from outside. It definitely depends on the firm's requirements, but it looks like you have many ports open to the outside world.

3. The link below will give you some idea of how to mitigate network attacks:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Thx

MS

3 REPLIES

Re: ASA5510 and dns issues with email

Hi MS

Thanks for the reply. I re-opened port 53 for my DNS servers on the outside interface incoming, and mail flowed like normal again. Yeah, I think I'm one of the last few that still has the old setup for a LAN and firewall; I need to get with the times and finally set up a DMZ. We have RDP, web, OWA, SMTP, and FTP, basically. I'm googling around for info for now, and hopefully I will get the hang of this setup.

thanks

carlo
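The accepted solution (move the published servers to a DMZ, allow only the services that are actually required) and Carlo's list of services (RDP, web, OWA, SMTP, FTP) are what a redesign would look like in configuration. The block below is an added example written for this page; it is not Carlo's posted config and not Cisco's. It assumes ASA 8.3 or later syntax (object NAT, ACLs written against real addresses), and every interface name, address and object name is made up. Inbound port 53 is kept, but only to the two DNS servers, on both UDP and TCP, and only if those servers are authoritative for the company's zones; that is the assumption under which removing the port 53 rule would cause mail bounces (outside mail servers can no longer look up the domain's MX, SPF or PTR records). If the ISP's warning was about the servers answering recursive queries from anyone, that is fixed on the DNS servers themselves (for example BIND's allow-recursion), not in the ASA ACL, because an authoritative server has to answer strangers on port 53.

```cisco
! Added example, not the thread's configuration. ASA 8.3+ syntax assumed;
! all interface names, addresses and object names are hypothetical.

interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0

! Hosts that must be reachable from the Internet live in the DMZ, each with a
! static one-to-one NAT to a public address.
object network dmz-dns1
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.10
object network dmz-dns2
 host 192.168.50.11
 nat (dmz,outside) static 203.0.113.11
object network dmz-mail
 host 192.168.50.20
 nat (dmz,outside) static 203.0.113.20
object network dmz-web
 host 192.168.50.30
 nat (dmz,outside) static 203.0.113.30

object-group network dmz-dns-servers
 network-object object dmz-dns1
 network-object object dmz-dns2

! Inbound from the Internet: only published services, only to DMZ hosts.
! DNS needs TCP as well as UDP (large responses and zone transfers fall back
! to TCP); limit AXFR to your secondaries on the DNS server itself.
access-list outside_in extended permit udp any object-group dmz-dns-servers eq domain
access-list outside_in extended permit tcp any object-group dmz-dns-servers eq domain
access-list outside_in extended permit tcp any object dmz-mail eq smtp
access-list outside_in extended permit tcp any object dmz-web eq www
access-list outside_in extended permit tcp any object dmz-web eq https
! Everything else from outside is dropped and logged; this is where the
! "many ports open to the outside world" disappear.
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! A compromised DMZ box must not have free run of the LAN: allow only the
! specific LAN dependencies (here the OWA front end reaching an internal
! Exchange server on 443), deny the rest of the LAN, allow outbound.
access-list dmz_in extended permit tcp object dmz-web host 10.0.0.5 eq https
access-list dmz_in extended deny ip any 10.0.0.0 255.0.0.0 log
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz

! Keep DNS inspection enabled rather than removing it from global_policy.
! The default preset caps messages at 512 bytes, which breaks EDNS0/DNSSEC
! replies; raise the cap and randomize query IDs instead of turning it off.
policy-map type inspect dns dns-limits
 parameters
  message-length maximum 4096
  id-randomization
policy-map global_policy
 class inspection_default
  inspect dns dns-limits
```

Two practitioner notes on the services Carlo listed: RDP is deliberately absent from outside_in, because exposing 3389 to the Internet is a standing brute-force and exploit target; reach it through the ASA's VPN instead. FTP, if it really must stay published, should go through the same pattern (a DMZ host, a single permit line, and the default inspect ftp left in place so the data channel works), and the `show access-list outside_in` hit counts after a few days are the quickest way to see which published ports nobody actually uses.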

Re: ASA5510 and dns issues with email

Hi Carlo,

ISP systems will block for a certain time and then release the IP. So there is a chance that you will still experience the issue once the ISP notices any kind of attack from your IPs. I suggest you hire a consultant and make the necessary changes ASAP.

HTH

MS

PS: Please rate helpful posts.
