Beginner

Interpreting Logs on the Firewall

Hi Guys

Hope you can help me with this. This is kinda weird.

In our company, we have our agents' tools going over MPLS VPN. Our client recently changed the IP of their servers to 2.2.2.2 (IP has been changed).

When I check the DNS records using the client's DNS server, let's say for client.com, it resolves to:

3.3.3.3

But other centers are claiming that their DNS query resolves to:

2.2.2.2

When I ping client.com, it pings 2.2.2.2. I can successfully access the site, but I'm confused why it shows a different address using nslookup in cmd prompt.

Here are the logs of the firewall:

client dns server: 10.248.20.200

ASA5585# sh log | i 10.249.102.230

        Logging to inside 10.249.102.230 errors: 121  dropped: 349

Feb 17 2013 12:45:43 ASA : %ASA-6-302016: Teardown UDP connection 173519597 for outside:10.248.20.200/53 to inside:10.249.102.230/32809 duration 0:00:00 bytes 153

Feb 17 2013 12:45:43 ASA : %ASA-6-302013: Built outbound TCP connection 173520593 for outside:1.1.1.1/80 (1.1.1.1/80) to inside:10.249.102.230/48850 (10.249.102.230/48850)

Feb 17 2013 12:45:44 ASA : %ASA-6-302013: Built outbound TCP connection 173520691 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/48994 (10.249.102.230/48994)

Feb 17 2013 12:45:44 ASA : %ASA-6-302014: Teardown TCP connection 173520691 for outside:3.3.3.3/80 to inside:10.249.102.230/48994 duration 0:00:00 bytes 110 TCP Reset-O

Feb 17 2013 12:45:45 ASA : %ASA-6-302013: Built outbound TCP connection 173520840 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/49186 (10.249.102.230/49186)

Feb 17 2013 12:45:45 ASA : %ASA-6-302014: Teardown TCP connection 173520840 for outside:3.3.3.3/80 to inside:10.249.102.230/49186 duration 0:00:00 bytes 110 TCP Reset-O

Feb 17 2013 12:45:57 ASA : %ASA-6-302013: Built outbound TCP connection 173523129 for outside:2.2.2.2/8585 (2.2.2.2/8585) to inside:10.249.102.230/52781 (10.249.102.230/52781)

Feb 17 2013 12:45:58 ASA : %ASA-6-302013: Built outbound TCP connection 173523287 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/53036 (10.249.102.230/53036)

Feb 17 2013 12:45:59 ASA : %ASA-6-302014: Teardown TCP connection 173523287 for outside:3.3.3.3/80 to inside:10.249.102.230/53036 duration 0:00:00 bytes 110 TCP Reset-O
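
An added example, not part of the original post and not Cisco code: a short Python script that groups the Built/Teardown messages pasted above by remote endpoint, so it is easy to see which destination is reset on every attempt. The function names are hypothetical, and the sample input is the log text from the post.

```python
import re
from collections import defaultdict

# Sample input: the connection messages quoted in the post above.
SAMPLE_LOG = """\
Feb 17 2013 12:45:43 ASA : %ASA-6-302016: Teardown UDP connection 173519597 for outside:10.248.20.200/53 to inside:10.249.102.230/32809 duration 0:00:00 bytes 153
Feb 17 2013 12:45:43 ASA : %ASA-6-302013: Built outbound TCP connection 173520593 for outside:1.1.1.1/80 (1.1.1.1/80) to inside:10.249.102.230/48850 (10.249.102.230/48850)
Feb 17 2013 12:45:44 ASA : %ASA-6-302013: Built outbound TCP connection 173520691 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/48994 (10.249.102.230/48994)
Feb 17 2013 12:45:44 ASA : %ASA-6-302014: Teardown TCP connection 173520691 for outside:3.3.3.3/80 to inside:10.249.102.230/48994 duration 0:00:00 bytes 110 TCP Reset-O
Feb 17 2013 12:45:45 ASA : %ASA-6-302013: Built outbound TCP connection 173520840 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/49186 (10.249.102.230/49186)
Feb 17 2013 12:45:45 ASA : %ASA-6-302014: Teardown TCP connection 173520840 for outside:3.3.3.3/80 to inside:10.249.102.230/49186 duration 0:00:00 bytes 110 TCP Reset-O
Feb 17 2013 12:45:57 ASA : %ASA-6-302013: Built outbound TCP connection 173523129 for outside:2.2.2.2/8585 (2.2.2.2/8585) to inside:10.249.102.230/52781 (10.249.102.230/52781)
Feb 17 2013 12:45:58 ASA : %ASA-6-302013: Built outbound TCP connection 173523287 for outside:3.3.3.3/80 (3.3.3.3/80) to inside:10.249.102.230/53036 (10.249.102.230/53036)
Feb 17 2013 12:45:59 ASA : %ASA-6-302014: Teardown TCP connection 173523287 for outside:3.3.3.3/80 to inside:10.249.102.230/53036 duration 0:00:00 bytes 110 TCP Reset-O
"""

# 302013/302015 = Built TCP/UDP, 302014/302016 = Teardown TCP/UDP.
# A "TCP Reset-O" teardown reason means the reset came from the outside.
EVENT = re.compile(
    r"%ASA-6-30201[3-6]: (Built|Teardown) (?:(?:in|out)bound )?(TCP|UDP) "
    r"connection (\d+) for [^:\s]+:([\d.]+)/(\d+)"
    r"(?:.* bytes (\d+)(?: (.+))?)?"
)

def summarize(log_text):
    """Count builds, teardowns, bytes and resets per (proto, ip, port)."""
    stats = defaultdict(lambda: {"built": 0, "torn_down": 0, "bytes": 0, "resets": 0})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not a connection build/teardown message
        action, proto, _conn_id, ip, port, nbytes, reason = m.groups()
        entry = stats[(proto, ip, int(port))]
        if action == "Built":
            entry["built"] += 1
            continue
        entry["torn_down"] += 1
        entry["bytes"] += int(nbytes or 0)
        if reason and reason.startswith("TCP Reset"):
            entry["resets"] += 1
    return dict(stats)

def reset_every_time(stats):
    """Endpoints where every connection built in the excerpt ended in a reset."""
    return sorted(k for k, e in stats.items() if e["built"] and e["resets"] == e["built"])

if __name__ == "__main__":
    for key, e in sorted(summarize(SAMPLE_LOG).items()):
        print(key, e)
    print("reset every time:", reset_every_time(summarize(SAMPLE_LOG)))
```
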

Enthusiast

What do you see when running the "netstat -a" line on your PC?

Do you get to the same website when typing both addresses in your browser's navigation bar?

Are the users we are talking about using the same DNS server and path to access this webserver?

What do you think the ASA is doing with the DNS/HTTP traffic?

Beginner

Sorry, clicked on "correct answer". I don't really know how this tagging of correct answers or useful answers works...

What do you see when running the "netstat -a" line on your PC?

-Anyway, regarding netstat, I wasn't able to capture that when the issue occurred.

Do you get to the same website when typing both addresses in your browser's navigation bar?

-Typing 3.3.3.3 shows an error, but when I typed 2.2.2.2, it accesses the correct website.

Are the users we are talking about using the same DNS server and path to access this webserver?

-They have their internal DNS server, and have a forward lookup zone to access 2.2.2.2

What do you think the ASA is doing with the DNS/HTTP traffic?

-I think the ASA is just letting the traffic pass through. We're not blocking anything going to those addresses.

Enthusiast

Since there is only one site reporting a different behavior, I would assume that this address [3.3.3.3] is being translated to the IP everybody is seeing [2.2.2.2]. Can you share the configuration of the ASA?

What happens if you configure a different DNS server for the clients that are using the client's DNS server?

Beginner

I apologize, it's not possible. This is a client-facing ASA.

What happens if you configure a different DNS server for the clients that are using the client's DNS server?

-Haven't tried this though. What's weird is that we compared nslookup results with the other IT personnel from the other site and used the same DNS server, but it shows different results.

Enthusiast

The ASA might be modifying the DNS reply if it's configured to do so; check for the "dns" keyword at the end of the static translations.

Beginner

I will do so. Thanks for your help.