Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
322
Views
0
Helpful
2
Replies

Couple of questions, may be related (DNS and LDAP) source and destination

twebb
Level 1
Level 1

‎08-10-2009 05:24 PM - edited ‎03-11-2019 09:04 AM

Hi,

I recently replaced our CheckPoint NGX R62 firewall with a Cisco ASA 5520. Everything is working, for the most part.

The first question I have is:

We have two DMZ's, in one of the DMZ's there is a couple of servers that need access to internal LDAP, so I give these servers access to internal LDAP server on TCP/389 (ldap) and figure I should be good to go... Unfortunately, in the syslog it shows the requests being blocked by the ACL. The reason is because the LDAP requests are sourcing from different ports than TCP/389, but the destination is TCP/389. How do I get the ACL to work by allowing requests on destination port TCP/389?

Second question: (may be related)

The first rule on each of my DMZ interfaces is anything to "internal DNS" servers on TCP/UDP 53, allow. First I must say that DNS lookups are working from the DMZ's to internal, but in ASDM, it show number of hits as ZERO. Likewise, I have a rule on the internal interface that allows "internal DNS" access to any on TCP/UDP 53, and it shows hits as ZERO in ASDM as well, even though lookups work to external DNS servers, as expected from them. Any ideas?

I can post config if need be. Thanks for help in advance.

Tyler

Labels:
0 Helpful
2 Replies 2

htarra
Level 4
Level 4

‎08-14-2009 01:53 PM

Transit access control lists (ACLs) are used to increase network security by explicitly permitting only required traffic into your network or networks.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml#section

0 Helpful

twebb
Level 1
Level 1
In response to htarra

‎08-15-2009 02:12 PM

htarra,

Thanks, but I already have the ACL's setup like I want them. The only issue I'm having now is that DNS requests from internal to internet or from our DMZ's to internal are not registering hits. DNS requests work, they just aren't showing hit count.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card