08-10-2009 05:24 PM - edited 03-11-2019 09:04 AM
Hi,
I recently replaced our CheckPoint NGX R62 firewall with a Cisco ASA 5520. Everything is working, for the most part.
The first question I have is:
We have two DMZs. In one of the DMZs there are a couple of servers that need access to internal LDAP, so I gave these servers access to the internal LDAP server on TCP/389 (ldap) and figured I should be good to go... Unfortunately, the syslog shows the requests being blocked by the ACL. The reason is that the LDAP requests are sourcing from ports other than TCP/389, but the destination is TCP/389. How do I get the ACL to work by allowing requests on destination port TCP/389?
Second question: (may be related)
The first rule on each of my DMZ interfaces is anything to "internal DNS" servers on TCP/UDP 53, allow. First I must say that DNS lookups are working from the DMZs to internal, but in ASDM it shows the number of hits as ZERO. Likewise, I have a rule on the internal interface that allows "internal DNS" access to any on TCP/UDP 53, and it shows hits as ZERO in ASDM as well, even though lookups to external DNS servers work from them, as expected. Any ideas?
I can post config if need be. Thanks for help in advance.
Tyler
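The destination-port versus source-port distinction Tyler describes, as an added ASA configuration example that is not part of the thread: one way an LDAP rule ends up matching nothing is a port operator placed after the source address rather than the destination. The interface name DMZ1, the object-group name and all addresses are assumptions.

```cisco
! Constructed example, not Tyler's config. Assumed names: interface DMZ1,
! LDAP clients 172.16.1.10-11 in the DMZ, internal LDAP server 10.1.1.20.
object-group network DMZ1_LDAP_CLIENTS
 network-object host 172.16.1.10
 network-object host 172.16.1.11
!
! WRONG: "eq ldap" follows the SOURCE, so this line only matches packets
! whose SOURCE port is 389. Clients connect from an ephemeral source port,
! so nothing matches and the packet falls through to the implicit deny.
access-list DMZ1_IN extended permit tcp object-group DMZ1_LDAP_CLIENTS eq ldap host 10.1.1.20
!
! RIGHT: the operator follows the DESTINATION, so any client source port
! is accepted as long as the destination port is 389. Return traffic is
! allowed by the stateful connection table; no reverse rule is needed.
access-list DMZ1_IN extended permit tcp object-group DMZ1_LDAP_CLIENTS host 10.1.1.20 eq ldap
access-group DMZ1_IN in interface DMZ1
!
! Checks: simulate a client connection from an ephemeral source port and
! confirm which ACL line it hits, then verify the hit counter increments.
packet-tracer input DMZ1 tcp 172.16.1.10 40000 10.1.1.20 389
show access-list DMZ1_IN
```

If packet-tracer reports a DROP at the ACCESS-LIST phase on a connection from an ephemeral port, the permit line is matching the wrong side of the flow.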
08-14-2009 01:53 PM
Transit access control lists (ACLs) are used to increase network security by explicitly permitting only required traffic into your network or networks.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml#section
08-15-2009 02:12 PM
htarra,
Thanks, but I already have the ACLs set up like I want them. The only issue I'm having now is that DNS requests from internal to the internet, or from our DMZs to internal, are not registering hits. DNS requests work; they just aren't showing a hit count.