Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Couple of questions, may be related (DNS and LDAP) source and destination

Hi,

I recently replaced our CheckPoint NGX R62 firewall with a Cisco ASA 5520. Everything is working, for the most part.

The first question I have is:

We have two DMZ's, in one of the DMZ's there is a couple of servers that need access to internal LDAP, so I give these servers access to internal LDAP server on TCP/389 (ldap) and figure I should be good to go... Unfortunately, in the syslog it shows the requests being blocked by the ACL. The reason is because the LDAP requests are sourcing from different ports than TCP/389, but the destination is TCP/389. How do I get the ACL to work by allowing requests on destination port TCP/389?

Second question: (may be related)

The first rule on each of my DMZ interfaces is anything to "internal DNS" servers on TCP/UDP 53, allow. First I must say that DNS lookups are working from the DMZ's to internal, but in ASDM, it show number of hits as ZERO. Likewise, I have a rule on the internal interface that allows "internal DNS" access to any on TCP/UDP 53, and it shows hits as ZERO in ASDM as well, even though lookups work to external DNS servers, as expected from them. Any ideas?

I can post config if need be. Thanks for help in advance.

Tyler

2 REPLIES
Bronze

Re: Couple of questions, may be related (DNS and LDAP) source an

Transit access control lists (ACLs) are used to increase network security by explicitly permitting only required traffic into your network or networks.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml#section

Community Member

Re: Couple of questions, may be related (DNS and LDAP) source an

htarra,

Thanks, but I already have the ACL's setup like I want them. The only issue I'm having now is that DNS requests from internal to internet or from our DMZ's to internal are not registering hits. DNS requests work, they just aren't showing hit count.

141
Views
0
Helpful
2
Replies
CreatePlease to create content