I'm bringing up a connection to a remote data center. The data center is separated by an ASA5585x running software 9.3(1). I can access the remote servers just fine, but they can't communicate with our DNS server. When they query, I see this in the ASA's logs:
[2015-01-02 14:56:58 GMT-08:00] (CONTEXT) 106007: Deny inbound UDP from 22.214.171.124/38583 to 126.96.36.199/53 due to DNS Query
188.8.131.52 is the IP of the server and 184.108.40.206 is the DNS server. The traffic is permitted in the ACL, but when I run packet-tracer, it shows denied. I don't think this is an issue with DNS inspection, since other servers can talk to DNS just fine. The manual says this:
Explanation This is a connection-related message. This message is displayed if a UDP packet containing a DNS query or response is denied.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53 and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.
I don't understand why I'd need a translation entry. The client and server are both on two different internal interfaces and NAT is not applicable.
I found the mention of DNS was a complete red herring. The issue was that the two inside interfaces had the same security level. "same-security-traffic permit inter-interface" was the quick fix, or I could have changed security levels to be different.
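To show the two fixes the answer describes side by side, here is an added ASA configuration sketch; it is not the poster's configuration, and the interface names, addresses and ACL name are assumed placeholders.

```cisco
! Added illustration, not the poster's configuration.
! Interface names, IP addresses and the ACL name are assumed placeholders.
!
! --- As it was: two inside interfaces at the same security level ---
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 50
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DC
 security-level 50
 ip address 10.2.0.1 255.255.255.0
!
! With equal security levels and no same-security-traffic statement the ASA
! drops traffic between INSIDE and DC regardless of what the interface ACL
! permits, which is why a permit for UDP/53 alone did not help.
!
! --- Fix 1 (the one the answer used): allow same-security routing globally ---
same-security-traffic permit inter-interface
!
! --- Fix 2 (alternative): make the levels differ, then control the flow with ACLs ---
interface GigabitEthernet0/2
 security-level 40
!
! Either way, scope the DNS flow explicitly instead of relying on the
! implicit higher-to-lower permit (constructed hosts):
access-list DC_IN extended permit udp host 10.2.0.10 host 10.1.0.53 eq domain
access-group DC_IN in interface DC
!
! Verification: simulate the query the 106007 message reported (constructed addresses)
packet-tracer input DC udp 10.2.0.10 38583 10.1.0.53 53
```

The global same-security-traffic command opens every pair of interfaces that share a level, not just the two involved here, so on a box with more segments it is worth re-checking that each interface ACL still restricts what it should; interface ACLs are still evaluated after the command is enabled. Running packet-tracer before and after the change is the quickest way to confirm which phase produced the drop.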