%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:192.168.0.72 dst PCNDMZ:192.168.3.10 (type 3, code 3) on outside interface. Original IP payload: udp src 192.168.3.10/53 dst 192.168.0.72/58129
How do I permit these through the firewall?? This ASA is placed inside my network to protect my SCADA segment from my Enterprise Network and provide an internal DMZ for secure access to view data being collected by the PLCs on the SCADA network. I have a Domain Controller placed on both the outside segment as well as the DMZ segment for resiliency. When the DC on the outside segment fails, I am unable to get name resolution to function properly by using the DC in the DMZ. I can see the connections established on the perimeter firewall to our ISP DNS servers from this DC in the DMZ, but the DNS replies are not being delivered back to the requesting client. I have icmp and icmp error inspection configured on the internal ASA, but I keep receiving the errors above. NAT-control is disabled. Any ideas?? Thanks ahead of time.
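As an added troubleshooting aid (not from the original thread), a Python parser for the 313005 message quoted above: it extracts the ICMP type/code and the quoted inner UDP flow, then checks which conn-table entry, in either direction, would have let ICMP error inspection forward the error. The conn table is a constructed set of flows, not real ASA output.

```python
import re
from dataclasses import dataclass

# Constructed sample: the %ASA-4-313005 line quoted in the post above.
SAMPLE_LOG = (
    "%ASA-4-313005: No matching connection for ICMP error message: "
    "icmp src outside:192.168.0.72 dst PCNDMZ:192.168.3.10 (type 3, code 3) "
    "on outside interface. Original IP payload: udp src 192.168.3.10/53 "
    "dst 192.168.0.72/58129"
)

# Field layout of the 313005 message: outer ICMP header first, then the
# quoted ("Original IP payload") datagram that triggered the error.
PATTERN = re.compile(
    r"%ASA-\d-313005: .*?icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
    r".*?Original IP payload: (?P<proto>\w+) src (?P<in_src>[\d.]+)/(?P<in_sport>\d+) "
    r"dst (?P<in_dst>[\d.]+)/(?P<in_dport>\d+)"
)

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

def parse_313005(line):
    """Return (icmp_type, icmp_code, quoted Flow), or None for other messages."""
    m = PATTERN.search(line)
    if not m:
        return None
    quoted = Flow(m["proto"], m["in_src"], int(m["in_sport"]),
                  m["in_dst"], int(m["in_dport"]))
    return int(m["type"]), int(m["code"]), quoted

def conn_that_would_permit(line, conn_table):
    """conn_table: constructed set of Flow entries as the ASA would hold them.
    ICMP error inspection forwards the error only when the quoted payload
    matches an existing connection in either direction; 313005 is logged
    when neither direction is present. Here the quoted packet is the DNS
    reply (DC/53 -> client/58129), so the matching conn is the client's query."""
    parsed = parse_313005(line)
    if parsed is None:
        return None
    _, _, quoted = parsed
    for flow in (quoted, quoted.reverse()):
        if flow in conn_table:
            return flow
    return None
```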
Thank you for your response. Yes, I am 100% positive that the DC is accepting DNS queries. All hosts on the SCADA network use that DC for authentication as well as name resolution within the local segment as well as for reaching servers in the PCN DMZ. I can also issue the nslookup command from a host on the outside and set the server to be this DC on the DMZ. It functions fine as long as the DC on the outside segment is online. Once the DC on the outside segment goes offline I am unable to get name resolution to work through this DC in the PCN DMZ. I have the outside DC as the primary DNS for outside clients and the DC in the PCN DMZ as secondary. I have the DC in the PCN DMZ as primary and the DC on the outside as secondary for hosts within the PCN DMZ. I have the DC in the PCN DMZ as primary for all hosts on the SCADA network. I am completely stumped. I have set up countless infrastructures and never run into an issue like this before. Thanks again.
When the primary DNS is offline and the secondary ones fail to respond, then we need to collect the logs to see what happens to these udp 53 packets.
Do you just get these icmp port unreachable messages? Or are there other messages that we are missing?
What do captures on the host that is trying to get name resolution say? Just configure the secondary server as the only DNS server on this host and collect Wireshark captures on the dns traffic and see what it shows you.