%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.0.72 dst PCNDMZ:192.168.3.10 (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.3.10/53 dst 192.168.0.72/58129
How do I permit these through the firewall? This ASA is placed inside my network to protect my SCADA segment from my Enterprise Network and provide an internal DMZ for secure access to view data being collected by the PLCs on the SCADA network. I have a Domain Controller placed on both the outside segment as well as the DMZ segment for resiliency. When the DC on the outside segment fails, I am unable to get name resolution to function properly by using the DC in the DMZ. I can see the connections established on the perimeter firewall to our ISP DNS servers from this DC in the DMZ, but the DNS replies are not being delivered back to the requesting client. I have icmp and icmp error inspection configured on the internal ASA, but I keep receiving the errors above. NAT-control is disabled. Any ideas? Thanks ahead of time.
Thank you for your response. Yes, I am 100% positive that the DC is accepting DNS queries. All hosts on the SCADA network use that DC for authentication as well as name resolution within the local segment as well as for reaching servers in the PCN DMZ. I can also issue the nslookup command from a host on the outside and set the server to be this DC on the DMZ. It functions fine as long as the DC on the outside segment is online. Once the DC on the outside segment goes offline I am unable to get name resolution to work through this DC in the PCN DMZ. I have the outside DC as the primary DNS for outside clients and the DC in the PCN DMZ as secondary. I have the DC in the PCN DMZ as primary and the DC on the outside as secondary for hosts within the PCN DMZ. I have the DC in the PCN DMZ as primary for all hosts on the SCADA network. I am completely stumped. I have set up countless infrastructures and never run into an issue like this before. Thanks again.
When the primary DNS is offline and the secondary ones fail to respond, then we need to collect the logs to see what happens to these UDP 53 packets.
Do you just get these ICMP port unreachable messages, or are there other messages that we are missing?
What do captures on the host that is trying to get name resolution say? Just configure the secondary server as the only DNS server on this host, collect Wireshark captures on the DNS traffic and see what it shows you.
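As an added example (not from the thread or any of its posters), here is a small Python parser for the %ASA-4-313005 message quoted at the top. It pulls out the ICMP error and the original packet embedded in it, checks that the two are consistent (a genuine ICMP error is sent by the host that received the original packet back to the original sender, which is the pairing the ASA's icmp error inspection uses to find the parent flow), and returns a triage hint. The first sample line mirrors the one in the thread; the other sample lines and the hint wording are constructed for illustration. Message IDs 302015/302016 are the ASA's UDP connection build/teardown messages.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Human-readable names for ICMP error type/code pairs commonly seen in 313005 messages.
ICMP_ERROR_NAMES = {
    (3, 0): "destination network unreachable",
    (3, 1): "destination host unreachable",
    (3, 3): "destination port unreachable",
    (3, 4): "fragmentation needed",
    (11, 0): "TTL exceeded in transit",
}

# Field layout of the 313005 message. Interface names such as "outside" and "PCNDMZ"
# are whatever the administrator named them on the ASA, so they are matched loosely.
PATTERN = re.compile(
    r"%ASA-(?P<severity>\d)-313005: No matching connection for ICMP error message: "
    r"icmp src (?P<icmp_src_if>[^:\s]+):(?P<icmp_src_ip>[\d.]+) "
    r"dst (?P<icmp_dst_if>[^:\s]+):(?P<icmp_dst_ip>[\d.]+) "
    r"\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\) on (?P<ingress_if>\S+) interface\. "
    r"Original IP payload: (?P<proto>\w+) src (?P<orig_src_ip>[\d.]+)/(?P<orig_src_port>\d+) "
    r"dst (?P<orig_dst_ip>[\d.]+)/(?P<orig_dst_port>\d+)"
)

# Constructed sample log lines (the first one mirrors the message posted in the thread).
SAMPLE_LOGS = [
    "%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.0.72 "
    "dst PCNDMZ:192.168.3.10 (type 3, code 3) on outside interface. Original IP payload: "
    "udp src 192.168.3.10/53 dst 192.168.0.72/58129",
    "%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:10.0.0.5 "
    "dst inside:10.1.1.20 (type 11, code 0) on outside interface. Original IP payload: "
    "tcp src 10.1.1.20/443 dst 10.0.0.5/40001",
    # Inconsistent addresses: the ICMP sender is not the host that received the original packet.
    "%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:198.51.100.9 "
    "dst PCNDMZ:192.168.3.10 (type 3, code 3) on outside interface. Original IP payload: "
    "udp src 192.168.3.10/53 dst 192.168.0.72/58129",
    # A different message ID, which the parser must ignore.
    "%ASA-6-302015: Built outbound UDP connection 1234 for outside:192.168.0.72/58129 "
    "(192.168.0.72/58129) to PCNDMZ:192.168.3.10/53 (192.168.3.10/53)",
]


@dataclass
class IcmpErrorEvent:
    icmp_src_ip: str
    icmp_dst_ip: str
    icmp_type: int
    icmp_code: int
    ingress_if: str
    proto: str
    orig_src_ip: str
    orig_src_port: int
    orig_dst_ip: str
    orig_dst_port: int

    @property
    def error_name(self) -> str:
        key = (self.icmp_type, self.icmp_code)
        return ICMP_ERROR_NAMES.get(key, f"type {self.icmp_type} code {self.icmp_code}")

    def addresses_consistent(self) -> bool:
        """True when the ICMP error was sent by the original packet's receiver back to its sender."""
        return self.icmp_src_ip == self.orig_dst_ip and self.icmp_dst_ip == self.orig_src_ip

    def dropped_flow(self) -> str:
        """The 5-tuple (in original-packet direction) that the ASA had no connection entry for."""
        return f"{self.proto} {self.orig_src_ip}/{self.orig_src_port} -> {self.orig_dst_ip}/{self.orig_dst_port}"


def parse_313005(line: str) -> Optional[IcmpErrorEvent]:
    """Parse one syslog line; returns None for lines that are not 313005 messages."""
    m = PATTERN.search(line)
    if not m:
        return None
    g = m.groupdict()
    return IcmpErrorEvent(
        icmp_src_ip=g["icmp_src_ip"], icmp_dst_ip=g["icmp_dst_ip"],
        icmp_type=int(g["icmp_type"]), icmp_code=int(g["icmp_code"]),
        ingress_if=g["ingress_if"], proto=g["proto"].lower(),
        orig_src_ip=g["orig_src_ip"], orig_src_port=int(g["orig_src_port"]),
        orig_dst_ip=g["orig_dst_ip"], orig_dst_port=int(g["orig_dst_port"]),
    )


def assess(ev: IcmpErrorEvent) -> str:
    """Triage hint for a parsed event (heuristic wording constructed here, not an ASA rule)."""
    if not ev.addresses_consistent():
        return "inconsistent: ICMP sender does not match the embedded payload's destination; check the sender"
    if ev.proto == "udp" and ev.orig_src_port == 53 and (ev.icmp_type, ev.icmp_code) == (3, 3):
        # The client itself sent port-unreachable, so the DNS answer did reach it, but the
        # query socket was already closed (client timed out, or DNS inspection had already
        # torn the UDP/53 flow down after the first answer). Capture on the client for timing.
        return "DNS answer reached the client after its query socket closed; capture on the client to check timing"
    return f"ICMP {ev.error_name} for {ev.dropped_flow()} arrived after the flow expired; correlate with 302015/302016"


def triage(lines: List[str]) -> List[Tuple[IcmpErrorEvent, str]]:
    """Parse every 313005 line in a log and pair it with its triage hint."""
    results = []
    for line in lines:
        ev = parse_313005(line)
        if ev is not None:
            results.append((ev, assess(ev)))
    return results


if __name__ == "__main__":
    for ev, hint in triage(SAMPLE_LOGS):
        print(f"{ev.error_name:32} {ev.dropped_flow():45} {hint}")
```

Feeding the syslog export through `triage` separates the benign late-answer case (the client answered with port unreachable, so the reply did cross the firewall) from errors whose addresses do not line up with the embedded packet, which deserve a closer look at the sender.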