DNS blocked!!

[eiregobragh]

Hi,
I'm having a problem with my 5550 whereby DNS queries from a pc on the lan is being blocked eventhough I've all IP traffic allowed from the lan.

Here's my alarm:

172.16.30.x 208.67.220.220 Deny inbound UDP from 172.16.30.x/57671 to 208.67.220.220/53 due to DNS Query

Any ideas?

Thanks,

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[unclerico]

Are you inspecting dns traffic.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[eiregobragh]

Hi,
I'm not sure what you mean by inspecting DNS traffic.

I've all IP traffic allowed through my firewall as far as I can tell but I cannot ping the dns server (208.67.220.220)from behind the firewall.

Any ideas why I cant even ping?

Thanks,



Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[ADB100]

Why can't you ping - Are you inspecting ICMP? Does the DNS server respond to pings anyway? A lot of hosts now don't respond to ping due to hardening.
Maybe post your configuration?

 

[eiregobragh]

Hi thanks for the reply.

I can ping the DNS server from the internet.

In my security policy table I have a rule allowing ping and DNS through.

I run the Packet Trace tool and ping from a host on the LAN to the default gateway and it fails saying that the Implicit Deny rule has blocked the traffic.

I don't get it because I added a permit all any any above the implicit deny and it still blocked it.

I'll post my config shortly.

Thanks,

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[eiregobragh]

Here's my config:

asaprimary# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname asaprimary
domain-name vmware.com
enable password vs58aXBRi4lxH.QI encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 194.196.148.0 ATT_Network description from AT&T Router
name 10.20.30.2 DMZ_interface description DMZ interface
!
interface GigabitEthernet0/0
description DMZ interface
nameif DMZ
security-level 0
ip address DMZ_interface 255.255.255.0
!
interface GigabitEthernet0/1
description LAN
nameif LAN
security-level 0
ip address 172.16.30.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
access-list DMZ_1_cryptomap extended permit ip interface LAN host 83.71.xx.xx
access-list LAN_access_in extended permit icmp 172.16.30.0 255.255.255.0 10.20.30.0 255.255.255.0 object-group DM_INLINE_ICMP_1
access-list LAN_access_in extended permit ip host 172.16.30.1 host 10.20.30.1
pager lines 24
logging enable
logging asdm informational
mtu DMZ 1500
mtu LAN 1500
mtu management 1500
failover
failover lan unit primary
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
static (LAN,DMZ) 10.20.30.0 172.16.30.0 netmask 255.255.255.0
access-group DMZ_access_in in interface DMZ
access-group LAN_access_in in interface LAN
route DMZ 0.0.0.0 0.0.0.0 10.20.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map DMZ_map 1 match address DMZ_1_cryptomap
crypto map DMZ_map 1 set pfs
crypto map DMZ_map 1 set peer 83.71.226.35
crypto map DMZ_map 1 set transform-set ESP-3DES-SHA
crypto map DMZ_map interface DMZ
crypto isakmp enable DMZ
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 DMZ
ssh ATT_Network 255.255.255.0 DMZ
ssh timeout 30
ssh version 2
console timeout 0
dhcpd dns 208.67.220.220
dhcpd domain cisco.test.com
!
dhcpd address 172.16.30.1-172.16.30.253 LAN
dhcpd enable LAN
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
tunnel-group 83.71.xx.xx type ipsec-l2l
tunnel-group 83.71.xx.xx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cba7ac08bb6962dd66d560f5313080a2
: end

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[ADB100]

You have two interfaces - DMZ & LAN. I assume the DMZ is what would typically be referred to as the 'Outside' interface and the LAN is your 'Inside'. You need to specify a higher security level for the LAN interface - make it 100.

interface GigabitEthernet0/1 description LAN nameif LAN security-level 100

Your 'LAN' interface ACL only allows you to send ICMP echo/echo-replies from 172.16.30.0/24 to 10.20.30.0/24 and then any IP traffic from host 172.16.30.1 to host 10.20.30.1.

It doesn't look right to me....

Andy

 

[eiregobragh]

Andy,
thanks for the input.

I've made the changes you suggested.

I've now only one acl on the inside;

any any permit IP

Still not able to ping the dns server :-(



Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[ADB100]

With the packet tracer is the traffic now allowed? I assume 10.20.30.1 is another NAT router/firewall device and this is NAT'ing your 10.20.30.x addresses?

 

[eiregobragh]

Hi there,
I did the packet trace again;

The icmp packet passes the acl,

Is nat'd,

But the result shows the packet dropped with the reason:

(sp-securit-failed) Slowpath security checks failed.

Yes ADB100, you're right my networks is of the form:

PC---ASA5550----SSG350----Internet Router------DNS_Server

172.16.30.1---172.16.30.254----10.20.30.2---10.20.30.1----Public_IPs


Any ideas?

This is really bugging me now :-(

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[eiregobragh]

Hi,
packet trace tool now works to IPs on the internet, don't know what changed

But when I do pings from the actual PC they fail :-(

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[ADB100]

You need to inspect ICMP

policy-map global_policy
 class inspection_default
  inspect icmp

Otherwise the return ICMP packets get denied because no 'state' is created for the pings.

Andy

 

[eiregobragh]

Andy,
thanks again,
I did as you said and added the following:

class-map global-class
match any
!
!
policy-map global-policy
class global-class
inspect dns
class class-default
inspect icmp
!
service-policy global-policy global


This no joy.

Here's some of the log output:

4 Nov 29 2010 08:44:56 313004 Denied ICMP type=0, from laddr 172.16.30.1 on interface inside to 208.67.220.220: no matching session

6 Nov 29 2010 08:44:46 302020 4.2.2.1 172.16.30.1 Built outbound ICMP connection for faddr 4.2.2.1/0 gaddr ssg_interface/512 laddr 172.16.30.1/512

6 Nov 29 2010 08:44:48 302021 4.2.2.1 172.16.30.1 Teardown ICMP connection for faddr 4.2.2.1/0 gaddr ssg_interface/512 laddr 172.16.30.1/512

Thanks,

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[eiregobragh]

Any help/ideas guys?

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[eiregobragh]

Hi again,
I got ping working now from my laptop behind the ASA. There was an issue with NAT on the SSG.

Again, my setup is as follows:

laptop---ASA----SSG---InternetRouter-----INTERNET----FREE-DNS

From my laptop I can ping the DNS server 208.67.220.220

But I cannot browse the Web.

I moved my laptop to behind the SSG and I can, so it must be something on the ASA.


From the ASA I'm getting the alarm:

4 Dec 01 2010 05:56:30 313004 Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 208.67.220.220: no matching session

Ajny ideas what this indicates?

Thanks so much,

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie

 

[eiregobragh]

I got it working,
I was only inspecting ICMP traffic, so I just added DNS and HTTP.

It's a steep learning curve.

Thanks,

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

http://www.pknetworks.ie