
ASA 5505 blocking all DNS but OpenDNS


Mike4CCM

IS-IT--Management
Jun 12, 2011


I have followed the instructions listed here (thread1598-1597009) but it still isn't blocking DNS traffic when I manually set a workstation behind the ASA5505 to 4.2.2.2.

Here is what I have in my access list and access-group:

ASA5505(config)# show run access-list
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp {iphere} 255.255.240.0 interface outside eq smtp
access-list {iphere}_splitTunnelAcl remark Local_LAN_Access
access-list {iphere}_splitTunnelAcl standard permit 172.25.10.0 255.255.255.0
access-list {iphere}_splitTunnelAcl remark Local_LAN_Access
access-list inside_nat0_outbound extended permit ip 172.25.10.0 255.255.255.0 192.168.15.0 255.255.255.224
access-list inside-out extended permit ip any any
access-list inside-out extended permit udp any host 208.67.222.222 eq domain
access-list inside-out extended permit udp any host 208.67.220.220 eq domain
access-list inside-out extended deny udp any any eq domain
ASA5505(config)#
ASA5505(config)#
ASA5505(config)# show run access-group
access-group outside_access_in in interface outside
access-group inside-out in interface inside
ASA5505(config)#


Any help would be appreciated!!
 
You're allowing all traffic at this rule:

access-list inside-out extended permit ip any any

It never gets to the rules below it because it matches this rule. It reads it from top to bottom. Remove this rule and place it at the bottom of your list.

CCNA, BCNE, Security+, Network +
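To illustrate the first-match behaviour the reply describes, here is an added example (not code from the thread or from Cisco): a small evaluator that replays the poster's inside-out access-list as written, then with the permit-any line moved to the bottom, and also lists which entries are shadowed by an earlier one. The ACE syntax is simplified to the forms that appear in the post, and the packets are constructed samples.

```python
# Added example, not from the Tek-Tips thread: a tiny first-match ACL
# evaluator that replays the posted inside-out list to show why
# 'permit ip any any' shadows the DNS deny, and how reordering fixes it.
# Simplified ACE form: action proto src dst [eq port]; 'any' is a wildcard
# and 'ip' matches every protocol, as on a real ASA. Packets are constructed.

def parse_ace(line):
    """Parse one 'access-list <name> extended ...' line into a rule tuple."""
    tok = line.split()
    action, proto = tok[3], tok[4]        # tok[5] is the source ('any' here)
    if tok[6] == "host":                  # 'host A.B.C.D' versus plain 'any'
        dst, rest = tok[7], tok[8:]
    else:
        dst, rest = tok[6], tok[7:]
    port = rest[1] if rest[:1] == ["eq"] else "any"
    return (action, proto, dst, port)

def ace_matches(rule, pkt):
    action, proto, dst, port = rule
    return ((proto == "ip" or proto == pkt["proto"])
            and dst in ("any", pkt["dst"])
            and port in ("any", pkt["port"]))

def evaluate(acl_lines, pkt):
    """ASA semantics: the first matching ACE wins; unmatched traffic is denied."""
    for rule in map(parse_ace, acl_lines):
        if ace_matches(rule, pkt):
            return rule[0]
    return "deny"                         # implicit deny at the end of every ACL

def covers(a, b):
    """True if ACE a matches every packet that ACE b would match."""
    return ((a[1] == "ip" or a[1] == b[1]) and a[2] in ("any", b[2])
            and a[3] in ("any", b[3]))

def shadowed(acl_lines):
    """Indexes of ACEs that can never be reached because an earlier ACE covers them."""
    rules = [parse_ace(l) for l in acl_lines]
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

# The inside-out list exactly as posted.
ORIGINAL = [
    "access-list inside-out extended permit ip any any",
    "access-list inside-out extended permit udp any host 208.67.222.222 eq domain",
    "access-list inside-out extended permit udp any host 208.67.220.220 eq domain",
    "access-list inside-out extended deny udp any any eq domain",
]
# The fix from the reply: the same ACEs with permit-any moved to the bottom.
FIXED = ORIGINAL[1:] + ORIGINAL[:1]

def dns_to(server):
    return {"proto": "udp", "dst": server, "port": "domain"}
```

With the posted order, a DNS query to 4.2.2.2 is permitted and entries 1 to 3 are reported as shadowed; with the reordered list the same query is denied while OpenDNS lookups and other traffic still pass.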
 