12-24-2007 12:45 AM - edited 03-05-2019 08:08 PM
I have a problem with an ASA5520.
Clients do not receive answers from the NS server.
If I execute the command packet-tracer input inside_240 udp 1.1.1.2 domain 10.0.100.202 54443
I receive:
Result:
input-interface: inside_240
input-status: up
input-line-status: up
output-interface: inside_240
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
If I execute the command packet-tracer input inside_240 tcp 1.1.1.2 domain 10.0.100.202 54443
I receive:
Result:
input-interface: inside_240
input-status: up
input-line-status: up
output-interface: inside_240
output-status: up
output-line-status: up
Action: allow
The network diagram is here: http://noc.awax.ru/asa.jpg
What is wrong in my configuration?
hostname asa
domain-name awax.ru
enable password xxx
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.x.x.66 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside_193
security-level 0
ip address 2.x.x.1 255.255.255.240
!
interface GigabitEthernet0/2
nameif inside_240
security-level 0
ip address 1.x.x.1 255.255.255.192
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif managment
security-level 100
ip address 10.10.10.7 255.255.255.0
!
passwd xxx
ftp mode passive
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
access-list faa extended permit ip any any
access-list nonat extended permit ip 1.1.1.0 255.255.255.192 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 1.1.1.0 255.255.255.192
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging debug-trace
mtu outside 1500
mtu inside_193 1500
mtu inside_240 1500
mtu managment 1500
ip local pool h0 10.0.0.0 mask 255.0.0.0
no failover
icmp permit any inside_240
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 100 2.2.2.50
global (outside) 200 1.1.1.50
nat (inside_193) 100 10.100.0.0 255.255.0.0
nat (inside_240) 0 access-list nonat
nat (inside_240) 200 10.0.0.0 255.255.0.0
route inside_240 10.0.0.0 255.0.0.0 1.1.1.11 1
route inside_193 10.100.0.0 255.255.0.0 1.1.1.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username mrtg password xxx
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
console timeout 0
!
Cryptochecksum:xxx
: end
12-20-2010 01:12 PM
Hello, I have the same problem: the TCP packets are permitted and the UDP packets are dropped. I think it is a problem with the inspect-map, but I'm not sure.
Packet-tracer using UDP packets
Result:
input-interface: internal
input-status: up
input-line-status: up
output-interface: internal
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
Packet-tracer using TCP packets
Result:
input-interface: internal
input-status: up
input-line-status: up
output-interface: internal
output-status: up
output-line-status: up
Action: allow