Cisco Support Community

New Member

Weird ASA issue

Today I had a client call and tell me that their domain controllers could not resolve DNS out to the internet. They were looking at the syslog of the ASA and saw it blocking their servers outbound on DNS. I looked at it and didn't see anything, and they said everything was fine. They have a MARS, so I looked in there and found that the domain controllers had been blocked outbound for DNS. The ACL is on the inside interface allowing those two servers outbound for DNS, and it's above any deny rule. It's like the ASA built a dynamic ACL rule and started blocking those servers from resolving DNS. I have never had this happen before in all the installs of the ASAs. The device is running 8(0)4.

TIA for any help/ideas.


Cisco Employee

Re: Weird ASA issue

Is your client using IPS? Take a look at your customer's configuration and make sure that there is not a shun command in the ASA.

Cisco Employee

Re: Weird ASA issue

We really need to see the syslogs that you are talking about.

Did someone apply an outbound ACL blocking these on the egress interface?

sh run threat

and see if it is enabled and if that could have caused any issues.

Is the DNS server using PAT or a static to go out to the internet?

What did the xlate look like at the time of the problem?

sh xlate debug | i x.x.x.x where x.x.x.x is the ip address of the dns server
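The replies above boil down to two things to check in the logs: whether the DNS servers were dropped by an ACL (and which one), and whether threat detection or a manual shun was involved. The script below is an added example, not code from either poster or from Cisco: it scans ASA syslog text for those two signals for a given list of server addresses. The sample log lines are constructed for this example; they follow the standard ASA layouts for message 106023 (ACL deny) and 733102 (threat-detection adds a host to the shun list), but the addresses, interface names and ACL name are invented.

```python
import re

# Constructed sample ASA syslog (not from the thread). Message formats follow
# the standard ASA layouts for 106023 and 733102; IPs, interfaces and the ACL
# name are invented for the example.
SAMPLE_LOG = """\
%ASA-4-733102: Threat-detection adds host 10.1.1.10 to shun list
%ASA-4-106023: Deny udp src inside:10.1.1.10/53212 dst outside:198.51.100.53/53 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.1.1.11/40001 dst outside:198.51.100.53/53 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.1.50/51000 dst outside:203.0.113.7/445 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302015: Built outbound UDP connection 12345 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:10.1.1.12/55000 (192.0.2.10/55000)
"""

# 106023: a packet dropped by an access-group; we capture protocol, endpoints and ACL name.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"by access-group \"(?P<acl>[^\"]+)\""
)
# 733102: scanning threat detection placed a host on the shun list.
SHUN_RE = re.compile(r"%ASA-\d-733102: Threat-detection adds host (?P<ip>[\d.]+) to shun list")


def analyze(log_text, watched_servers):
    """Summarise, per watched server, outbound DNS denies and threat-detection shuns."""
    report = {ip: {"dns_denies": 0, "acls": set(), "shunned": False} for ip in watched_servers}
    for line in log_text.splitlines():
        m = SHUN_RE.search(line)
        if m:
            if m.group("ip") in report:
                report[m.group("ip")]["shunned"] = True
            continue
        m = DENY_RE.search(line)
        if not m:
            continue
        src = m.group("src_ip")
        # Only count outbound DNS (UDP/53) from the servers we care about.
        if src in report and m.group("proto") == "udp" and m.group("dst_port") == "53":
            report[src]["dns_denies"] += 1
            report[src]["acls"].add(m.group("acl"))
    return report


def likely_cause(entry):
    """Map a server's summary to the next thing to check, in the spirit of the replies above."""
    if entry["shunned"]:
        return "threat-detection shun: check 'sh run threat' and 'show threat-detection shun'"
    if entry["dns_denies"]:
        acls = ", ".join(sorted(entry["acls"]))
        return "ACL deny by %s: compare its line order against the intended permit" % acls
    return "no DNS deny or shun seen: check the xlate for this host"


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, ["10.1.1.10", "10.1.1.11", "10.1.1.12"])
    for ip, entry in result.items():
        print(ip, entry["dns_denies"], "DNS denies;", likely_cause(entry))
```

Run it against a real syslog export by replacing SAMPLE_LOG with the file contents and the watched list with the domain controllers' inside addresses; a server that shows up as shunned with no matching ACL deny is the "dynamic rule" the original post describes, and the threat-detection settings, not the interface ACL, are where to look.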
