
ASA5510 - selectively blocking icmp and DNS

Trying to replace an old firewall with a shiny new ASA 5510.

When I put the ASA into production, the subnet x.x.1.0 that is on the inside interface (3-port ASA) works fine. We have an inside DNS server x.x.1.21 that all hosts look to.

There are no access lists on the inside interface of the ASA yet. I added "inspect icmp" and "inspect icmp-error" to its policy-map prior to all of this, which now seems to mostly allow ICMP.

I have several other subnets that are routed into the x.x.1.0 subnet via a Cisco 3550 router/switch. They have problems connecting to HTTP with the ASA. In my last test I went over to the x.x.5.0 subnet department after installing the ASA. One host worked fine, the other (of two hosts) did not. (Some other departments don't work at all.)

From the x.x.5.0 subnet:

I can ping hosts on the x.x.1.0 network, just not the one server x.x.1.21. In other words, from a trouble host PC x.x.5.101, I can ping x.x.1.26 (the Cisco firewall's inside interface), x.x.2.26 (another subnet), and x.x.1.1 (the router/switch port that connects the x.x.5.0 subnet with x.x.1.0), but not the one server x.x.1.21.

The other host on the x.x.5.0 subnet can ping everything and get DNS requests answered. Works fine. Other subnets (x.x.10.0, 192.168.x.0) that have more segments behind them with routers get DNS blocked, so they have no connectivity to the internet from any of their hosts.

Here are some deny statements from the ASA:

Deny inbound UDP from x.x.1.21/137 to x.x.5.101/137 on interface inside

Deny inbound UDP from x.x.1.21/53 to x.x.5.101/1031 due to DNS Response

Deny inbound icmp src inside:x.x.1.21 dst inside:x.x.5.101 (type 0, code 0)

And some success pinging the inside interface of the ASA from the same host:

Built ICMP connection for faddr x.x.5.101/512 gaddr x.x.1.26/0 laddr x.x.1.26/0

And successful DNS from the DNS server to outside hosts:

Built outbound UDP connection 16905 for external:209.x.x.x/53 (209.x.x.x/53) to inside:x.x.1.21/4838 (65.x.x.20/1031)

So I have exhausted my knowledge and am hoping for suggestions.

Thanks for reading and any help.

cheers, JD
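The three deny lines and the two "Built" lines in the post can be triaged mechanically. The following Python script is an added example, not part of the original post or any Cisco tool: it parses the ASA messages quoted above, labels each deny (the "due to DNS Response" deny is the ASA's DNS inspection dropping an answer for which it holds no matching query state; a deny whose source and destination are both on the inside interface is a hairpin the ASA will not forward by default), and lists host pairs for which the firewall only ever saw one direction of traffic, which is the signature of asymmetric routing. The regular expressions, the `Event` fields and the masked "x.x." addresses are assumptions made for this example; the log text is copied from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Log lines copied from the post above (the poster had already masked octets as "x.x").
SAMPLE_LOG = """\
Deny inbound UDP from x.x.1.21/137 to x.x.5.101/137 on interface inside
Deny inbound UDP from x.x.1.21/53 to x.x.5.101/1031 due to DNS Response
Deny inbound icmp src inside:x.x.1.21 dst inside:x.x.5.101 (type 0, code 0)
Built ICMP connection for faddr x.x.5.101/512 gaddr x.x.1.26/0 laddr x.x.1.26/0
Built outbound UDP connection 16905 for external:209.x.x.x/53 (209.x.x.x/53) to inside:x.x.1.21/4838 (65.x.x.20/1031)
"""

# Octets may be masked, so addresses are matched as dotted tokens rather than strict IPv4.
DENY_UDP = re.compile(
    r"Deny inbound (?P<proto>UDP|TCP) from (?P<src>[\w.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\w.]+)/(?P<dport>\d+) (?:on interface (?P<iface>\w+)|due to (?P<reason>.+))$")
DENY_ICMP = re.compile(
    r"Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\w.]+) dst (?P<dst_if>\w+):(?P<dst>[\w.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)")
BUILT_ICMP = re.compile(
    r"Built ICMP connection for faddr (?P<src>[\w.]+)/\d+ gaddr (?P<dst>[\w.]+)/\d+")
# For an outbound build the "for" side is the remote peer and the "to" side is the inside initiator.
BUILT_UDP = re.compile(
    r"Built outbound UDP connection \d+ for (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) \([^)]*\) "
    r"to (?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+)")


@dataclass
class Event:
    action: str            # "deny" or "built"
    proto: str
    src: str               # sender of the packet that was denied / initiator of a built connection
    dst: str
    src_if: Optional[str]  # interface the packet arrived on, when the message says
    dst_if: Optional[str]  # interface it would leave on, when the message says
    reason: str = ""       # free-text reason from a "due to ..." deny


def parse_line(line: str) -> Optional[Event]:
    """Turn one ASA log line into an Event, or None if the line is not one we understand."""
    if m := DENY_UDP.search(line):
        return Event("deny", m["proto"], m["src"], m["dst"], m["iface"], None, m["reason"] or "")
    if m := DENY_ICMP.search(line):
        return Event("deny", "ICMP", m["src"], m["dst"], m["src_if"], m["dst_if"],
                     f"type {m['type']} code {m['code']}")
    if m := BUILT_ICMP.search(line):
        return Event("built", "ICMP", m["src"], m["dst"], None, None)
    if m := BUILT_UDP.search(line):
        return Event("built", "UDP", m["src"], m["dst"], m["src_if"], m["dst_if"])
    return None


def assess(ev: Event) -> str:
    """Explain what a single event means for troubleshooting."""
    if ev.action == "built":
        return "ok: connection state created"
    if "DNS Response" in ev.reason:
        return ("reply-without-request: DNS inspection dropped an answer because the ASA holds no "
                "matching query state; the query reached the server by a path that bypassed the ASA")
    if ev.src_if and ev.src_if == ev.dst_if:
        return (f"hairpin: packet entered and would leave the same interface ({ev.src_if}) "
                "with no connection state; the ASA does not forward this by default")
    return f"stateless deny on interface {ev.src_if}: no existing connection matches this packet"


def triage(log_text: str) -> dict:
    """Map 'src -> dst' to the list of assessments for every parsed line."""
    results: dict = {}
    for line in log_text.splitlines():
        if ev := parse_line(line):
            results.setdefault(f"{ev.src} -> {ev.dst}", []).append(assess(ev))
    return results


def suspect_asymmetric(log_text: str) -> set:
    """Return (sender, receiver) pairs the ASA only ever saw denied, never built in either
    direction: replies reach the firewall but the requests that should have created state did not."""
    built, denied = set(), set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.action == "built":
            built.update({(ev.src, ev.dst), (ev.dst, ev.src)})
        else:
            denied.add((ev.src, ev.dst))
    return {pair for pair in denied if pair not in built}


if __name__ == "__main__":
    for pair, notes in triage(SAMPLE_LOG).items():
        print(pair)
        for note in notes:
            print("   ", note)
    print("asymmetric routing suspected for:", suspect_asymmetric(SAMPLE_LOG))
```

Run against the post's own lines, the script reports that every packet from x.x.1.21 to x.x.5.101 was denied while nothing from x.x.5.101 to x.x.1.21 ever built state on the ASA, whereas x.x.5.101 to the ASA's own interface and x.x.1.21 to the outside resolver both built normally. That pattern narrows the problem to the path between those two hosts rather than to DNS or ICMP policy as such.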

1 REPLY

Re: ASA5510 - selectively blocking icmp and DNS

I suspect some routing issues here. If one server on the subnet is not responding, check that the routing (default gateway, subnet mask, etc.) is configured correctly.
