Interpreting Logs on the Firewall

n3tw0rkguy83
Level 1

Hi Guys

Hope you can help me with this. This is kinda weird.

In our company, we have our agents' tools going over an MPLS VPN. Our client recently changed the IP of their servers to 2.2.2.2 (IP has been changed).

When I check the DNS records using the client's DNS server, let's say for client.com, it resolves to:

3.3.3.3

But other centers are claiming that their DNS query resolves to:

2.2.2.2

When I ping client.com, it pings 2.2.2.2. I can successfully access the site, but I'm confused why it shows a different address using nslookup in the cmd prompt.

Here are the logs of the firewall:

Client DNS server: 10.248.20.200

ASA5585# sh log | i 10.249.102.230

        Logging to inside 10.249.102.230 errors: 121  dropped: 349

Feb 17 2013 12:45:43 ASA : %ASA-6-302016: Teardown UDP connection 173519597 for outside:10.248.20.200/53 to inside:10.249.102.230/32809 duration 0:00:00 bytes 153

Feb 17 2013 12:45:43 ASA : %ASA-6-302013: Built outbound TCP connection 173520593 for outside:1.1.1.1/80 (1.1.1.1/80) to inside:10.249.102.230/48850 (10.249.102.230/48850)

Feb 17 2013 12:45:44 ASA : %ASA-6-302013: Built outbound TCP connection 173520691 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/48994 (10.249.102.230/48994)

Feb 17 2013 12:45:44 ASA : %ASA-6-302014: Teardown TCP connection 173520691 for outside:3.3.3.3/80 to inside:10.249.102.230/48994 duration 0:00:00 bytes 110 TCP Reset-O

Feb 17 2013 12:45:45 ASA : %ASA-6-302013: Built outbound TCP connection 173520840 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/49186 (10.249.102.230/49186)

Feb 17 2013 12:45:45 ASA : %ASA-6-302014: Teardown TCP connection 173520840 for outside:3.3.3.3/80 to inside:10.249.102.230/49186 duration 0:00:00 bytes 110 TCP Reset-O

Feb 17 2013 12:45:57 ASA : %ASA-6-302013: Built outbound TCP connection 173523129 for outside:2.2.2.2/8585 (2.2.2.2/8585) to inside:10.249.102.230/52781 (10.249.102.230/52781)

Feb 17 2013 12:45:58 ASA : %ASA-6-302013: Built outbound TCP connection 173523287 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/53036 (10.249.102.230/53036)

Feb 17 2013 12:45:59 ASA : %ASA-6-302014: Teardown TCP connection 173523287 for outside:3.3.3.3/80 to inside:10.249.102.230/53036 duration 0:00:00 bytes 110 TCP Reset-O


jocamare
Level 4

What do you see when running the "netstat -a" line on your PC?

Do you get to the same website when typing both addresses in your browser's navigation bar?

Are the users we are talking about using the same DNS server and path to access this webserver?

What do you think the ASA is doing with the DNS/HTTP traffic?


Sorry, I clicked on "correct answer". I don't really know how the tagging of correct answers or useful answers works...

What do you see when running the "netstat -a" line on your PC?

-Anyway, regarding netstat, I wasn't able to capture that when the issue occurred.

Do you get to the same website when typing both addresses in your browser's navigation bar?

-Typing 3.3.3.3 shows an error. But when I typed 2.2.2.2, it accessed the correct website.

Are the users we are talking about using the same DNS server and path to access this webserver?

-They have their internal DNS server, and have a forward lookup zone to access 2.2.2.2.

What do you think the ASA is doing with the DNS/HTTP traffic?

-I think the ASA is just letting the traffic pass through. We're not blocking anything going to those addresses.

Since there is only one site reporting a different behavior, I would assume that this address [3.3.3.3] is being translated to the IP everybody is seeing [2.2.2.2]. Can you share the configuration of the ASA?

What happens if you configure a different DNS server for the clients that are using the client's DNS server?

I apologize, it's not possible. This is a client-facing ASA.

What happens if you configure a different DNS server for the clients that are using the client's DNS server?

-Haven't tried this though. What's weird is that we compared nslookup results with the other IT personnel from the other site and used the same DNS server, but it shows different results.

The ASA might be modifying the DNS reply if it's configured to do so; check for the "dns" keyword at the end of the static translations.

I will do so. Thanks for your help.
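To make the "is the ASA translating, or is the DNS answer wrong?" question from this thread checkable from the logs alone, here is an added triage script (not from the original post or from Cisco). It parses the %ASA-6-302013/302014/302016 lines quoted above: the 302013 message carries the real address and, in parentheses, the mapped address, so identical pairs mean the HTTP connection itself is not NATed, while sessions to a peer that are torn down with "TCP Reset-O" after 0:00:00 are being refused by that host. The embedded log lines are copied from the post; the field layout of the three message IDs is as documented for the ASA.

```python
import re

# Syslog lines quoted from the post above (only the ones needed for the triage).
ASA_LOG = """\
Feb 17 2013 12:45:43 ASA : %ASA-6-302016: Teardown UDP connection 173519597 for outside:10.248.20.200/53 to inside:10.249.102.230/32809 duration 0:00:00 bytes 153
Feb 17 2013 12:45:44 ASA : %ASA-6-302013: Built outbound TCP connection 173520691 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/48994 (10.249.102.230/48994)
Feb 17 2013 12:45:44 ASA : %ASA-6-302014: Teardown TCP connection 173520691 for outside:3.3.3.3/80 to inside:10.249.102.230/48994 duration 0:00:00 bytes 110 TCP Reset-O
Feb 17 2013 12:45:57 ASA : %ASA-6-302013: Built outbound TCP connection 173523129 for outside:2.2.2.2/8585 (2.2.2.2/8585) to inside:10.249.102.230/52781 (10.249.102.230/52781)
"""

# 302013: "Built ... connection ID for IF:real_ip/port (mapped_ip/port) to ..."
BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection (?P<cid>\d+) for "
                   r"\w+:(?P<real>[\d.]+)/(?P<port>\d+) \((?P<mapped>[\d.]+)/\d+\)")
# 302014: "Teardown TCP connection ID for ... duration H:MM:SS bytes N [reason]"
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) for .* "
                      r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")
# 302016: UDP teardown; a peer on port 53 is a DNS server the inside host queried
UDP_DNS = re.compile(r"%ASA-6-302016: Teardown UDP connection \d+ for \w+:(?P<dns>[\d.]+)/53 ")

def triage(log_text):
    """Group ASA connection events per server ip/port and flag the two things
    the thread asks about: whether the ASA translates the address on the
    connection (real != mapped) and whether sessions are reset instantly."""
    peers, dns_servers, open_conns = {}, set(), {}
    for line in log_text.splitlines():
        if m := UDP_DNS.search(line):
            dns_servers.add(m["dns"])
        elif m := BUILT.search(line):
            key = f"{m['real']}/{m['port']}"
            p = peers.setdefault(key, {"built": 0, "reset": 0, "nat": False})
            p["built"] += 1
            p["nat"] = p["nat"] or m["real"] != m["mapped"]
            open_conns[m["cid"]] = key           # correlate by connection ID
        elif m := TEARDOWN.search(line):
            key = open_conns.pop(m["cid"], None)
            if key and m["reason"] and "Reset" in m["reason"] and m["dur"] == "0:00:00":
                peers[key]["reset"] += 1         # refused by the server side
    return {"dns_servers": sorted(dns_servers), "peers": peers}

if __name__ == "__main__":
    result = triage(ASA_LOG)
    print("DNS servers queried:", result["dns_servers"])
    for peer, p in result["peers"].items():
        verdict = "reset immediately" if p["reset"] == p["built"] else "stays up"
        print(f"{peer}: {p['built']} built, translated={p['nat']}, {verdict}")
```

On the thread's log the script reports no translation on either HTTP connection and every session to 3.3.3.3/80 reset at once, which is consistent with jocamare's point that the mismatch sits in the DNS reply (e.g. a static with the "dns" keyword) rather than in the connections themselves.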
