05-23-2012 05:32 AM
Hi,
I've got a problem with the ACLs on an ASA 5510 cluster:
the connected client cannot resolve DNS; the log says:
%ASA-session-5-106100: access-list ACL-INSIDE denied udp inside/172.27.xxx.1(53) -> outside/192.168.xxx.8(59893) hit-cnt 1 first hit [0x932a8f72, 0x0]
(this must be the return packet of the DNS query)
where 172.27.xxx.1 is the DNS server in the inside network, and 192.168.xxx.8 is the virtual address.
I've got an access list which permits the virtual address "ip" to the DNS server.
The same configuration on the test machine (no cluster) works!
(It's an active/standby single-context failover config)
Could the problem be caused by the cluster?
Thank you
Karl
05-23-2012 05:40 AM
Can you send over the configuration you have on your ASA; also a topology would be helpful.
05-23-2012 06:01 AM
Hi,
how can I send you a PDF and a .txt?
The config is too big to edit all addresses and so on.
Thank you
Karl
05-23-2012 06:04 AM
you can attach them to this thread if you don't mind
05-23-2012 06:08 AM
No, these files are not for the public, and anyway I could only attach photos.
05-23-2012 06:07 AM
Tell you something, can you send me the output of:
show access-list ACL-INSIDE
and show run access-group
05-23-2012 06:13 AM
rou-ara27-rz-12/act/pri# sh run access-group
access-group ACL-INSIDE in interface inside
access-group inside_access_out out interface inside
access-group ACL-OUTSIDE in interface outside
rou-ara27-rz-12/act/pri# show access-
rou-ara27-rz-12/act/pri# show access-list ACL-INSIDE
access-list ACL-INSIDE; 11 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended permit icmp any any object-group ICMP-HARMLOS (hitcnt=0) 0x1a753992
access-list ACL-INSIDE line 1 extended permit icmp any any echo (hitcnt=0) 0xc4ed471c
access-list ACL-INSIDE line 1 extended permit icmp any any echo-reply (hitcnt=0) 0xd14f0043
access-list ACL-INSIDE line 1 extended permit icmp any any unreachable (hitcnt=0) 0x92b03f68
access-list ACL-INSIDE line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xaa821c16
access-list ACL-INSIDE line 2 extended permit ip object VPN-NET object-group DM_INLINE_NETWORK_3 log debugging interval 300 0x658c9759
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 172.27.0.0 255.255.0.0 log debugging interval 300 (hitcnt=0) 0xc31eaf76
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ1$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x34d68ea6
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ2$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x7df14a53
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x1aa12e0c
access-list ACL-INSIDE line 3 extended permit esp object VPN-NET object DMZ_III log debugging interval 300 (hitcnt=0) 0x2d7346ad
access-list ACL-INSIDE line 3 extended permit esp 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x2d7346ad
access-list ACL-INSIDE line 4 extended deny icmp any any log informational interval 300 (hitcnt=0) 0x2bcd80f1
access-list ACL-INSIDE line 5 remark CleanUp Rule with raised log level
access-list ACL-INSIDE line 6 extended deny ip any any log notifications interval 300 (hitcnt=0) 0x932a8f72
rou-ara27-rz-12/act/pri#
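Something worth checking against the output above (an added example, not code from the thread or from Cisco): the last bracketed value in a 106100 message, 0x932a8f72 here, is the hash of the ACE that produced the log, and it is printed at the end of each line of show access-list. The script below parses both, links the syslog line to the ACE that fired, flags when a denied packet looks like return traffic (low source port, ephemeral destination port), and flags when the hit-cnt in the log disagrees with the hitcnt in show access-list. The sample syslog line and ACL excerpt are copied from this thread (octets already masked as xxx by the poster); the "reply" heuristic and the function names are this example's own assumptions, not ASA behaviour.

```python
"""Triage helper for ASA 106100 access-list log messages (added example, not from the thread)."""
import re
from typing import Optional

# Constructed sample input: the syslog line and an excerpt of "show access-list ACL-INSIDE"
# as posted in the thread (octets masked with "xxx" by the poster).
SYSLOG_LINE = ("%ASA-session-5-106100: access-list ACL-INSIDE denied udp "
               "inside/172.27.xxx.1(53) -> outside/192.168.xxx.8(59893) hit-cnt 1 first hit "
               "[0x932a8f72, 0x0]")

SHOW_ACL = """\
access-list ACL-INSIDE; 11 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended permit icmp any any object-group ICMP-HARMLOS (hitcnt=0) 0x1a753992
access-list ACL-INSIDE line 2 extended permit ip object VPN-NET object-group DM_INLINE_NETWORK_3 log debugging interval 300 0x658c9759
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 172.27.0.0 255.255.0.0 log debugging interval 300 (hitcnt=0) 0xc31eaf76
access-list ACL-INSIDE line 3 extended permit esp object VPN-NET object DMZ_III log debugging interval 300 (hitcnt=0) 0x2d7346ad
access-list ACL-INSIDE line 4 extended deny icmp any any log informational interval 300 (hitcnt=0) 0x2bcd80f1
access-list ACL-INSIDE line 5 remark CleanUp Rule with raised log level
access-list ACL-INSIDE line 6 extended deny ip any any log notifications interval 300 (hitcnt=0) 0x932a8f72
"""

# 106100 format: access-list <acl> permitted|denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>)
# hit-cnt <n> ... [<hash1>, <hash2>]. Addresses are matched loosely so masked "xxx" octets parse.
LOG_106100 = re.compile(
    r"%ASA-(?:[\w-]+-)?\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src_ip>[\w.:]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst_ip>[\w.:]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+) "
    r".*?\[(?P<hash1>0x[0-9a-f]+), (?P<hash2>0x[0-9a-f]+)\]"
)

# One expanded ACE line of "show access-list"; object-group parent lines carry no hitcnt.
ACE_LINE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<match>.+?)(?: \(hitcnt=(?P<hits>\d+)\))? (?P<hash>0x[0-9a-f]+)\s*$"
)


def parse_106100(line: str) -> Optional[dict]:
    """Return the fields of a 106100 message, or None if the line is something else."""
    m = LOG_106100.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("src_port", "dst_port", "hits"):
        d[key] = int(d[key])
    return d


def parse_show_access_list(text: str) -> list:
    """Return the extended ACEs from show access-list output; remarks and headers are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_LINE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["line"] = int(d["line"])
        d["hits"] = int(d["hits"]) if d["hits"] is not None else None
        aces.append(d)
    return aces


def find_matching_ace(log: dict, aces: list) -> Optional[dict]:
    """Link a 106100 message to the ACE that fired: same ACL name and same hash1 value."""
    for ace in aces:
        if ace["acl"] == log["acl"] and ace["hash"] == log["hash1"]:
            return ace
    return None


def looks_like_reply(log: dict) -> bool:
    """Heuristic (assumption of this example): a denied packet from a well-known service port
    to an ephemeral port is probably the answer half of a flow the firewall never saw start."""
    return log["action"] == "denied" and log["src_port"] < 1024 and log["dst_port"] >= 1024


def triage(log_line: str, show_acl: str) -> dict:
    """Combine the pieces into one summary a responder can act on."""
    log = parse_106100(log_line)
    if log is None:
        raise ValueError("not a 106100 message")
    ace = find_matching_ace(log, parse_show_access_list(show_acl))
    return {
        "acl": log["acl"],
        "ace_line": ace["line"] if ace else None,
        "ace_text": f"{ace['action']} {ace['proto']} {ace['match']}" if ace else None,
        "looks_like_reply": looks_like_reply(log),
        # log says hit-cnt 1 but show access-list says hitcnt=0: counters were reset,
        # or the output comes from a different unit than the one that logged.
        "counter_disagrees": bool(ace and ace["hits"] is not None and ace["hits"] < log["hits"]),
    }


if __name__ == "__main__":
    print(triage(SYSLOG_LINE, SHOW_ACL))
```

Run as-is it reports ace_line 6 ("deny ip any any ..."), looks_like_reply True and counter_disagrees True for the thread's own data, which is exactly the pair of observations the next replies turn on: the packet being dropped is the DNS answer, and the counters in show access-list do not match the log.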
05-23-2012 06:23 AM
Something is wrong here, all the hit counts on all ACL entries are "zero". Did you reset the counters?
Let me make sure I understand this correctly:
you have clients on outside 192.168.xxx.8, they are trying to access a DNS server on inside 172.27.xxx.1, and you are getting the above mentioned log message. Is that correct?
Are those clients VPN clients, or coming through L2L VPN? Can you also provide the output of show access-list inside_access_out
05-23-2012 06:32 AM
the clients have the tunnel addresses 192.168.xxx.5-250, correct
DNS server on inside 172.27... correct
log message... correct
the clients are AnyConnect 3.0 clients with SSL VPN (DTLS)
access-list inside_access_out line 1 extended permit ip object VPN-NET object-group DM_INLINE_NETWORK_6 0x0abda03e
access-list inside_access_out line 1 extended permit ip 192.168.xxx.0 255.255.255.0 172.27.0.0 255.255.0.0 (hitcnt=131) 0x801ca0fd
access-list inside_access_out line 1 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ1$ 255.255.255.0 (hitcnt=0) 0x5e27403e
access-list inside_access_out line 1 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ2$ 255.255.255.0 (hitcnt=0) 0x572f616b
access-list inside_access_out line 1 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 (hitcnt=0) 0xd1c9abf5
access-list inside_access_out line 2 extended permit esp object VPN-NET object DMZ_III (hitcnt=0) 0xea19901f
access-list inside_access_out line 2 extended permit esp 192.168.xxx.0 255.255.255.0 $DMZ1$ 255.255.255.0 (hitcnt=0) 0xea19901f
access-list inside_access_out line 3 extended permit udp interface inside object ACS-Server eq 1812 log informational interval 300 0xa5a4c349
access-list inside_access_out line 3 extended permit udp interface inside range 192.168.x.x 192.168.x.x eq 1812 log informational interval 300 (hitcnt=0) 0xa5a4c349
rou-ara27-rz-12/act/pri#
you can see in the relevant line a hit count of 131
05-23-2012 06:38 AM
can you perform the following:
cap cap in inside match udp
attempt to connect to the DNS server from the client, then send me the output of show cap cap detail.