Cisco Support Community

DNS through an ASA

Folks,

Me again!

I'm trying to allow DNS through an ASA 5540, but although I have a rule allowing the source to the correct destinations with 'domain' as the service, the traffic is being denied.

The traffic is UDP, whilst the domain service is TCP.

I've tried adding a new DNS group as TCP-UDP, but I get an error saying this is already created, and when I try to select this group there are no groups available.

Any ideas what I'm doing wrong?

Thanks to anyone taking the time to reply again.

Accepted Solution

Re: DNS through an ASA

Michael,

Generally I write a rule that is specific to the src and dst IPs, using the TCP/UDP port numbers. Group objects are great for large configs for generic services, e.g. HTTP, SMTP, etc., but I like to make troubleshooting easier for myself in these kinds of requirements.

You also need to make sure that the default DNS inspection rule allows for larger TCP/DNS queries/replies (max length).

HTH
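The rule shape the accepted answer describes, written out as an added ASA configuration example (this is not configuration from the thread or from Cisco). Addresses, the interface name and the ACL/object-group names are hypothetical, and the syntax is the pre-8.3 style (no `object network`) that an ASA 5540 of this period would accept. It shows the TCP-only line that causes the original poster's denial, the explicit per-transport lines the answer recommends, the TCP-UDP group alternative the poster was trying to build, the DNS inspection length cap the answer mentions, and the commands to verify each.

```cisco
! Added example, not from the thread. Addresses, interface and object names are hypothetical.
! Assumes ASA 8.2-style syntax (no 'object network'), as found on an ASA 5540 of the period.

! Resolvers the client is allowed to query
object-group network DNS-SERVERS
 network-object host 192.0.2.53
 network-object host 198.51.100.53

! What the original poster had: 'domain' on protocol tcp only. UDP/53 never matches this line
! and falls through to the implicit deny at the end of the ACL.
! access-list INSIDE_ACCESS_IN extended permit tcp host 10.1.1.50 object-group DNS-SERVERS eq domain

! Fix, following the accepted answer: one explicit line per transport, same src/dst and port.
! UDP carries ordinary queries; TCP is needed for truncated (TC-bit) retries and zone transfers.
access-list INSIDE_ACCESS_IN extended permit udp host 10.1.1.50 object-group DNS-SERVERS eq domain
access-list INSIDE_ACCESS_IN extended permit tcp host 10.1.1.50 object-group DNS-SERVERS eq domain
access-group INSIDE_ACCESS_IN in interface inside

! Equivalent using the TCP-UDP service group the poster was trying to create in ASDM.
! A tcp-udp service group is paired with a protocol object-group in the ACL line (ASDM
! typically generates its own protocol group named TCPUDP for this); on the CLI both
! groups are defined explicitly:
object-group protocol DNS-PROTOCOLS
 protocol-object tcp
 protocol-object udp
object-group service DNS-PORTS tcp-udp
 port-object eq domain
access-list INSIDE_ACCESS_IN extended permit object-group DNS-PROTOCOLS host 10.1.1.50 object-group DNS-SERVERS object-group DNS-PORTS

! DNS inspection: the default preset_dns_map caps UDP DNS messages at 512 bytes. EDNS0 and
! DNSSEC replies are larger and are dropped by inspection even when the ACL permits them,
! so raise the cap (valid range 512-65535).
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! Checks: confirm which ACL line the flow matches, and that inspection does not drop it.
! packet-tracer input inside udp 10.1.1.50 40000 192.0.2.53 53
! packet-tracer input inside tcp 10.1.1.50 40000 192.0.2.53 53
! show access-list INSIDE_ACCESS_IN      (hitcnt on the udp line should increment on a query)
! show service-policy inspect dns
```

`packet-tracer` reports the ACL phase and the inspection phase separately, so it distinguishes the poster's problem (ACL deny because only TCP was permitted) from a flow that passes the ACL but is dropped by DNS inspection for exceeding the message length.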

3 REPLIES


Re: DNS through an ASA

Andrew,

Many thanks for your reply.

I had a better look at the rule and ticked UDP rather than TCP!

Thanks again.

Re: DNS through an ASA

No problem, glad to help.
