Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ASA5510, internal, deny inbound, due to DNS Query 1

Status
Not open for further replies.

netjess

MIS
Feb 20, 2009
25
US
I have a ASA5510 ASA v7.0(8) in routed firewall mode. It is setup as the internal router and default gateway.
I was asked to set up a wireless router, I chose a D-Link DIR-815.
I have it all set up but I cannot get any name resolution.
the firewall is blocking traffic that is all internal.
the message in the log is: Deny inbound UDP from 192.168.1.246/xxxx to 192.168.1.10/53 due to DNS Query.

.246 being the "WAN" port my wireless router and .10 being my DNS server.

I tried adding an ACL "access-list dns extended permit udp any eq 53 any" but this didn't help.

Any ideas? Thanks.
 
Are you sure you have your subnet mask correct on the wireless router? It sounds like you would be better with an AP than a router.
 
The subnet is OK, I can access the admin console at the IP 192.168.1.246. I used a router to segregate the wireless traffic from the reular LAN traffic.
 
I am leary about just posting my config to an open forum. I would however PM a copy to someone that asks.
 
Some other information, It must have something to do with the way the w-router sends the packets.
I set it up like an AP just using the LAN ports and putting the same IP 192.168.1.246/24 address as the device IP and it works just fine. Also in regular setup if you knew the IP you could pass traffic just fine only trouble was if a DNS query is required does it fail.
 
netjess, don't worry about posting your config. sanitize it and post it. it is very hard for us to troubleshoot without seeing what you've got configured.

it doesn't make sense for the ASA to even see the DNS traffic since your WAN port and the DNS server are in the same broadcast domain. once again, a sanitized config will help here.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Well, OK, Here it is.

ASA Version 7.0(8)
!
hostname PrimaryASA5510
domain-name grunt.com
enable password encrypted
passwd encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 66.210.181.244 255.255.255.128
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.16.1.254 255.255.255.0
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
access-list outside_acl extended permit tcp any host 66.210.181.181 eq www
access-list outside_acl extended permit tcp any host 66.210.181.141 eq smtp
access-list outside_acl extended permit tcp any host 66.210.181.141 eq www
access-list outside_acl extended permit tcp any host 66.210.181.230 eq smtp
access-list outside_acl extended permit tcp any any eq https inactive
access-list outside_acl extended permit tcp any any eq www
access-list dns extended permit udp any eq domain any
access-list dns extended permit udp any any eq domain
access-list dns extended permit tcp any any eq domain
pager lines 15
logging enable
logging buffered debugging
logging trap debugging
logging asdm informational
logging facility 23
logging host inside 192.168.1.10
no logging message 305012
no logging message 305011
no logging message 710005
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609001
no logging message 302016
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool Remote 192.168.194.1-192.168.194.254
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover link FAILOVER Ethernet0/3
failover interface ip FAILOVER 10.1.253.254 255.255.255.252 standby 10.1.253.253
monitor-interface outside
monitor-interface inside
monitor-interface dmz
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 66.210.181.190 192.168.1.190 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 66.210.181.129 1
route inside 192.168.0.0 255.255.255.0 192.168.1.246 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host outside 207.67.3.200 community
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map map2 40 set security-association lifetime seconds 28800
crypto dynamic-map map2 40 set security-association lifetime kilobytes 4608000
crypto map VpnMap 20 match address l2lvpn
crypto map VpnMap 20 set peer
crypto map VpnMap 20 set transform-set esp-3des-sha
crypto map VpnMap 20 set security-association lifetime seconds 28800
crypto map VpnMap 20 set security-association lifetime kilobytes 4608000
crypto map VpnMap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp disconnect-notify
pre-shared-key *
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.1.28 /
ssl encryption des-sha1 rc4-md5
 
ok, so from the looks of your config the DLINK is not NATing traffic. now it makes more sense. add same-security-traffic permit intra-interface to your config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico, Thanks.
I will try that when I can get back to it. I'll post and let you know one way or the other.
 
Well, I was hopefull but now I am getting the an error:

3|Aug 30 2011 16:08:21|305006: portmap translation creation failed for udp src inside:192.168.1.246/33780 dst inside:192.168.1.10/53

I just don't get why it handles traffic from the WAN interface of the D-Link any different than another device on the internal network. I have tried this with the "enable DNS relay" on the D-Link both off and on.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top