topic Re: cisco asa issues in Network Security

cisco asa issues

benedict dcunha — Mon, 11 Mar 2019 19:04:09 GMT

Dear All,

we have just purchased a new

cisco ASA firewall. cisco ASA 5520 series ios ver 8.2

my earlier linux shorwall firewall was used in 2 interface mode

so i jus had a exact replica of the rules. and put the asa online

Every thing was working but from outside world our internal public

websites could not be reached . also mail from yahoo or google bounce back

and also not able to send mail to yahoo.

we do have our own dns server using bind 9 hosting a couple of websites

i reverted back to my shorewall firewall and things were working fine.

then i jus got the clue of message size for ASA .. that is the last server

which was rolled to dns sec and the message length has to be increased to

4096

so i did the following on my ASA

jus to check i ran

sh run policy policy-map type inspect dns

and it showed me message length size maximun 512

so i did the change

conf t

> policy-map type inspect dns preset_dns_map

> parameters

> message-length maximum 4096

> policy-map global_policy

> class inspection_default

> inspect dns preset_dns_map

and then the show run policy-map was showing me message length maximum as

4096

then i put my cisco firewall online and it was working. i mean i did send mail to

yahoo from my mail server and also replied it worked fine

but after 30 minutes our network became very very slow as if crawling

i removed the cisco asa network cables and reverted back to my shorewall

firewall and all was well immeditely

then also one of user called me that the website was not working.

then i found that my immedite upstream ISP dns was not able to resolve the

sites which my dns server is authorative

i tried to resolve from google public dns (8.8.8.8) and i could resolve it

calling the isp dns admin he said he would check and after 4 hrs the isp

dns could resolve my website he told me that he had to update his dns

server and that i had changed the ip address of my web sites or my dns

server had a problem. which was neither

now im jus wondering what exactly could be the problem

since i dont want to put the cisco ASA online without being positive that

it gonna work smooth

( also i wondering

can this change in the asa firewall made some change in
my isp dns.

and if so what can i do to prevent this from happening again)

also after googleing i see that the change is not required

and some post say instead of jus haveing the message length maximum to 4096

i could have

message-length maximum client auto

message-length maximum 512

now I am jus wondering how could i go about this

i would highy apprecite if someone could help me

also if some problem in my network i can go back to old

but if something changes in my isp dns its something very serious cause it

would take huge time. and they very slow in response

Re: cisco asa issues

Panos Kampanakis — Wed, 03 Nov 2010 19:19:04 GMT

Tough to guess what was happening.

Were you doing any dns doctoring on the ASA (translation rules with dns option)?

Re: cisco asa issues

benedict dcunha — Wed, 03 Nov 2010 19:35:48 GMT

Thanks

& really apprecite your quick reply.

i dont think any dns translation is done im sure of it

it jus has standard rules ..

1) by the way can I how can i know or check if any dns translation rules with dns option is done

and

2) Just to be sure and want to know can the commands for incresing the message length to 4096 where there is allso command inspect dns which i have added could have caused the network bog down and caused my ISP DNS not to resolve my websites. to tell you more the ISP has 4 dns 2 of the dns were resolving and 2 were not and only after repeated followup with the ISP admin ( after 8 hrs the other 2 dns were also OK ) and one of the dns was the primary dns of the isp

wd apprecite your reply

regards

simon

Re: cisco asa issues

Maykol Rojas — Wed, 03 Nov 2010 19:41:18 GMT

Hello Simon,

Was your DNS preset map for DNS inspection as auto at the very begining? You are right, if you are running version 8.2.2 or later, this problem should go away and the DNS respond will be allowed with the auto option.

Hope it helps.

Mike

Re: cisco asa issues

benedict dcunha — Wed, 03 Nov 2010 20:58:31 GMT

Thanks once again guys. really apprecitye your super fast reply

actually when i fisrt ran the below command just to check the current message length

show run policy-map inspect type dns

it showed me that the message length was 512 bytes

i did not see any auto

so i did update the message length with the below commands

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 4096

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

and after doin this i put the firewall online and things worked fine but after 30 to 45 min or somy network bogged down commpletely .

i tried to find out the problem bu no luck so i reverted back to my linux shorewall firewall and the network was jus as normal as b4

and then i did get compalints from our users tht our websites were not accesable.

i tried to do a dns lookup through google's public dns and it was fine and then tried with my ISP's ns1 and it was not resolving ..

i tried to check with the ns2 n ns3 n ns4 dns servers of the isp and found that ns2 was workin n so also ns4 but not ns1 n ns3 .

only after 8 hrs or so after repeated follwoup ns1 of the isp was resolving.

and as I said in my first post after checking with the isp i was abruptly told that it was my dns problem either i had chnged the ip of the webserver or the a record or some problem with my dns. also the guy claimed he had to update his dns .. i dont know wht he meant by that

so once again sorry for the repeat could this issue have been caused by the above commands

and now could i just if i have the auto option toghther with message-length maximum 512 wd that really help me out or do i need to check something else

i know I am a bit in silly and confused but just wanna make things go right this time

really sorry and do apologise to you guys

if you need any more details plss do ask me

regards

simon

Re: cisco asa issues

Maykol Rojas — Wed, 03 Nov 2010 23:20:22 GMT

Hello

Well, the changes that you did should have not affect anything. The problem resided on your ISP's DNS. Like you said before if you change the dns to google dns everything worked fine.

Now it would be a good practice to set the DNS request lenght as auto, put the firewall in place and check the logs/service policy to see if you get packet drops over the inspection.

If you have any questions, please feel free to contact us.

Mike

Re: cisco asa issues

benedict dcunha — Thu, 04 Nov 2010 20:13:23 GMT

Dear All,

i had this sme query posted in another forum and a guy called RYAN came out with a lovely n wise explanation to the problem i had

i paste what he said so it gonna help us share knowledge

and what he says he perfectly true

My advise is to disable the DNS inspection and I am going to tell you why say that. Basically when DNS inspection is turned (which it is by default) it "translates" or re-writes the A record on a DNS request. That is probably what caused the ISP to think that the DNS record changed and so had not updated on their servers. Below is a link that explains the DNS inspect (DNS rewrite).

http://www.cisco.com/en/US/docs/secu...html#wp1719130

as I said before the first time when I disconnected my linux firewall and connected my cisco ASA things were OK but I was not able to resovle my websites from outside

so after googling arround and came about the edns issue and did the following to my ASA

policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 4096
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map

after this things worked fine i cd send mail and receive mail from yahoo which earlier i was not able too

but after 30 to 45 min as i mentioned earlier my network began to crawl .

so soon I discoonected my cisco ASA and connectd my linux firewall and my network as as normal immediately

but then i go complain that our websites cd not be resolved

after doing to a nslookup to our upsteam ISP dns i too found that the websites could not be resolved.

this exactly explains what RYAN has said.

now I am still wondering as to why our network could bog down completely and became normal immediately when i disconnected my cisco ASA

would the above commands be resposible too

now on sunday i gonna do the below

config t

policy-map type inspect dns preset_dns_map
> parameters
>message-length maximum client auto
>message-length maximum 512
>policy-map global_policy
> class inspection_default
and
> no inspect dns preset_dns_map

just wanna confirm that i do not miss anything

also since I have other services being inspected guess that would not make a problem ( since class inspection is set to default and only dns ispection is disabled )

just wanna take all the precuations that i dont run into the same trouble as before.

your kind advice and help will be highly appreciated

regards

simon