11-03-2010 08:08 AM - edited 03-11-2019 12:04 PM
Dear All,
We have just purchased a new Cisco ASA firewall: Cisco ASA 5520 series, IOS ver 8.2.
My earlier Linux Shorewall firewall was used in 2-interface mode, so I just made an exact replica of the rules and put the ASA online.
Everything was working, but from the outside world our internal public websites could not be reached. Also mail from Yahoo or Google bounced back, and we were also not able to send mail to Yahoo.
We do have our own DNS server using BIND 9 hosting a couple of websites.
I reverted back to my Shorewall firewall and things were working fine.
Then I just got the clue about the message size for the ASA: that is, the last server which was rolled to DNSSEC, and the message length has to be increased to 4096.
So I did the following on my ASA. Just to check, I ran
    show run policy-map type inspect dns
and it showed me message length size maximum 512.
So I made the change:
    conf t
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 4096
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
And then the show run policy-map was showing me message length maximum as 4096.
Then I put my Cisco firewall online and it was working. I mean I did send mail to Yahoo from my mail server and also replied; it worked fine.
But after 30 minutes our network became very, very slow, as if crawling.
I removed the Cisco ASA network cables and reverted back to my Shorewall firewall and all was well immediately.
Then also one of the users called me that the website was not working.
Then I found that my immediate upstream ISP DNS was not able to resolve the sites for which my DNS server is authoritative.
I tried to resolve from Google public DNS (8.8.8.8) and I could resolve it.
Calling the ISP DNS admin, he said he would check, and after 4 hrs the ISP DNS could resolve my website. He told me that he had to update his DNS server and that I had changed the IP address of my websites or my DNS server had a problem, which was neither.
Now I'm just wondering what exactly could be the problem, since I don't want to put the Cisco ASA online without being positive that it's gonna work smoothly.
(Also I'm wondering: can this change in the ASA firewall have made some change in my ISP DNS? And if so, what can I do to prevent this from happening again?)
Also after googling I see that the change is not required, and some posts say that instead of just having the message length maximum at 4096 I could have
    message-length maximum client auto
    message-length maximum 512
Now I am just wondering how I could go about this.
I would highly appreciate it if someone could help me.
Also if there is some problem in my network I can go back to the old one, but if something changes in my ISP DNS it's something very serious, because it would take a huge time, and they are very slow in response.
11-03-2010 12:19 PM
Tough to guess what was happening.
Were you doing any dns doctoring on the ASA (translation rules with dns option)?
PK
11-03-2010 12:35 PM
Thanks, and I really appreciate your quick reply.
I don't think any DNS translation is done; I'm sure of it.
It just has standard rules.
1) By the way, how can I know or check whether any DNS translation rules with the dns option are configured?
and
2) Just to be sure, I want to know: can the commands for increasing the message length to 4096, where there is also the command inspect dns which I have added, have caused the network to bog down and caused my ISP DNS not to resolve my websites? To tell you more, the ISP has 4 DNS servers; 2 of the DNS servers were resolving and 2 were not, and only after repeated follow-up with the ISP admin (after 8 hrs) the other 2 DNS servers were also OK, and one of the DNS servers was the primary DNS of the ISP.
Would appreciate your reply.
regards
simon
11-03-2010 12:41 PM
Hello Simon,
Was your DNS preset map for DNS inspection set to auto at the very beginning? You are right, if you are running version 8.2.2 or later, this problem should go away and the DNS response will be allowed with the auto option.
Hope it helps.
Mike
11-03-2010 01:58 PM
Thanks once again guys; I really appreciate your super fast replies.
Actually when I first ran the below command just to check the current message length
    show run policy-map type inspect dns
it showed me that the message length was 512 bytes. I did not see any auto.
So I did update the message length with the below commands:
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 4096
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
And after doing this I put the firewall online and things worked fine, but after 30 to 45 min or so my network bogged down completely.
I tried to find out the problem but no luck, so I reverted back to my Linux Shorewall firewall and the network was just as normal as before.
And then I did get complaints from our users that our websites were not accessible.
I tried to do a DNS lookup through Google's public DNS and it was fine, and then tried with my ISP's ns1 and it was not resolving.
I tried to check with the ns2, ns3 and ns4 DNS servers of the ISP and found that ns2 was working and so also ns4, but not ns1 and ns3.
Only after 8 hrs or so, after repeated follow-up, ns1 of the ISP was resolving.
And as I said in my first post, after checking with the ISP I was abruptly told that it was my DNS problem: either I had changed the IP of the web server or the A record, or there was some problem with my DNS. Also the guy claimed he had to update his DNS; I don't know what he meant by that.
So once again, sorry for the repeat: could this issue have been caused by the above commands?
And now, if I just have the auto option together with message-length maximum 512, would that really help me out, or do I need to check something else?
I know I am a bit silly and confused, but I just wanna make things go right this time.
Really sorry, and I do apologise to you guys.
If you need any more details, please do ask me.
regards
simon
11-03-2010 04:20 PM
Hello,
Well, the changes that you did should not have affected anything. The problem resided on your ISP's DNS. Like you said before, when you changed the DNS to Google DNS everything worked fine.
Now it would be good practice to set the DNS request length as auto, put the firewall in place and check the logs/service policy to see if you get packet drops over the inspection.
If you have any questions, please feel free to contact us.
Mike
11-04-2010 01:13 PM
Dear All,
I had this same query posted in another forum and a guy called RYAN came out with a lovely and wise explanation of the problem I had.
I paste what he said so it's gonna help us share knowledge, and what he says is perfectly true:
My advice is to disable the DNS inspection and I am going to tell you why I say that. Basically, when DNS inspection is turned on (which it is by default) it "translates" or re-writes the A record on a DNS request. That is probably what caused the ISP to think that the DNS record changed and so had not updated on their servers. Below is a link that explains the DNS inspect (DNS rewrite).
http://www.cisco.com/en/US/docs/secu...html#wp1719130
As I said before, the first time when I disconnected my Linux firewall and connected my Cisco ASA things were OK, but I was not able to resolve my websites from outside.
So after googling around I came across the EDNS issue and did the following on my ASA:
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 4096
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
After this things worked fine; I could send mail and receive mail from Yahoo, which earlier I was not able to.
But after 30 to 45 min, as I mentioned earlier, my network began to crawl.
So soon I disconnected my Cisco ASA and connected my Linux firewall, and my network was normal immediately.
But then I got complaints that our websites could not be resolved.
After doing an nslookup to our upstream ISP DNS I too found that the websites could not be resolved.
This exactly explains what RYAN has said.
Now I am still wondering as to why our network could bog down completely and become normal immediately when I disconnected my Cisco ASA.
Would the above commands be responsible too?
Now on Sunday I'm gonna do the below:
    config t
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
and
      no inspect dns preset_dns_map
Just wanna confirm that I do not miss anything.
Also since I have other services being inspected, I guess that would not make a problem (since class inspection is set to default and only DNS inspection is disabled).
Just wanna take all the precautions so that I don't run into the same trouble as before.
Your kind advice and help will be highly appreciated.
regards
simon
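Mike's suggestion earlier in the thread (set the message length to client auto, then watch for inspection drops) and the DNSSEC/EDNS sizing problem from the first post can be checked offline before the ASA goes back online. The following Python is an added example, not part of this thread or Cisco's code: it parses a constructed DNS query and reply, reads the UDP payload size the client advertises in its EDNS0 OPT RR, and applies a simplified model (an assumption, not Cisco's documented algorithm) of how `message-length maximum 512` versus `message-length maximum client auto` would treat a reply larger than 512 bytes.

```python
import struct

OPT_TYPE, TXT_TYPE = 41, 16          # RFC 6891 OPT pseudo-RR, TXT RR
QNAME = b"\x07example\x03com\x00"    # constructed sample name: example.com

def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:            # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def edns_udp_size(msg):
    """UDP payload size advertised in the EDNS0 OPT RR, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                       # OPT reuses CLASS as the UDP size
        off += 10 + rdlen
    return None

def asa_dns_verdict(policy, query, response):
    """Simplified model (an assumption, not Cisco's code) of 'message-length
    maximum [client auto] N': client auto uses the client's EDNS0 size, if any."""
    advertised = edns_udp_size(query) if policy.get("client_auto") else None
    return "permit" if len(response) <= (advertised or policy["maximum"]) else "drop"

def build_query(udp_size=None):
    """Constructed A query for QNAME; udp_size adds an OPT RR advertising it."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    msg += QNAME + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    if udp_size:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg

def build_response(query, txt_chunks):
    """Constructed TXT reply to `query`; each chunk adds 256 bytes of rdata."""
    qend = _skip_name(query, 12) + 4                        # end of the question
    rdata = (b"\xff" + b"x" * 255) * txt_chunks             # <len><chars> strings
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + query[12:qend] + rr
```

Feeding `asa_dns_verdict` a real query/reply pair captured with tcpdump shows which setting would have dropped the DNSSEC-sized replies. Note that the Sunday plan above removes `inspect dns` from the policy entirely, in which case neither limit in preset_dns_map is applied at all.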