I'm bringing up a connection to a remote data center. The data center is separated by an ASA5585x running software 9.3(1). I can access the remote servers just fine, but they can't communicate with our DNS server. When they query, I see this in the ASA's logs:
[2015-01-02 14:56:58 GMT-08:00] (CONTEXT) 106007: Deny inbound UDP from 184.108.40.206/38583 to 220.127.116.11/53 due to DNS Query
18.104.22.168 is the IP of the server and 22.214.171.124 is the DNS server. The traffic is permitted in the ACL, but when I run packet tracer, it shows denied. I don't think this is an issue with DNS inspection, since other servers can talk to DNS just fine. The manual says this:
Explanation: This is a connection-related message. This message is displayed if a UDP packet containing a DNS query or response is denied.
Recommended Action: If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53 and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.
I don't understand why I'd need a translation entry. The client and server are both on two different internal interfaces and NAT is not applicable.
I found the mention of DNS was a complete red herring. The issue was that the two inside interfaces had the same security level. "same-security-traffic permit inter-interface" was the quick fix, or I could have changed security levels to be different.
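The condition the poster identified (two interfaces at the same security-level with no "same-security-traffic permit inter-interface") is easy to miss because the ACL looks correct and the syslog blames DNS. Below is an added example, not code from the thread or from Cisco, that audits an ASA running-config for exactly that pattern: it collects every nameif with its security-level, and if the same-security command is absent it reports each pair of interfaces that share a level. The configuration text, interface names and addresses are constructed for the example.

```python
"""Audit an ASA running-config for same-security-level interface pairs.

Added example (not from the original thread). It flags the case the poster
hit: two interfaces with an equal security-level and no
'same-security-traffic permit inter-interface', which causes the ASA to drop
traffic between them even when an ACL permits it.
"""
import re
from itertools import combinations

# Constructed sample config; names and addresses are placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif datacenter
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
access-list dc_in extended permit udp any any eq domain
access-group dc_in in interface datacenter
"""

SAME_SECURITY_RE = re.compile(
    r"^same-security-traffic permit inter-interface\s*$", re.MULTILINE
)


def parse_interfaces(config):
    """Return {nameif: security_level} for each interface that sets both.

    Interface sub-commands are indented one space in ASA config output;
    a block ends at '!', at the next 'interface' line, or at end of file.
    """
    interfaces = {}
    current = None

    def flush():
        if current and current["nameif"] and current["level"] is not None:
            interfaces[current["nameif"]] = current["level"]

    for line in config.splitlines():
        if line.startswith("interface "):
            flush()
            current = {"nameif": None, "level": None}
        elif current is not None and line.startswith(" nameif "):
            current["nameif"] = line.split()[1]
        elif current is not None and line.startswith(" security-level "):
            current["level"] = int(line.split()[1])
        elif line.strip() == "!":
            flush()
            current = None
    flush()
    return interfaces


def inter_interface_permitted(config):
    """True if the global same-security inter-interface permit is present."""
    return SAME_SECURITY_RE.search(config) is not None


def audit(config):
    """Return [(nameif_a, nameif_b, level), ...] for interface pairs whose
    mutual traffic the ASA will drop. Empty when the config is fine."""
    if inter_interface_permitted(config):
        return []
    levels = parse_interfaces(config)
    return [
        (a, b, levels[a])
        for a, b in combinations(sorted(levels), 2)
        if levels[a] == levels[b]
    ]


if __name__ == "__main__":
    for a, b, level in audit(SAMPLE_CONFIG):
        print(f"{a} <-> {b}: both security-level {level}; traffic between "
              f"them is dropped. Add 'same-security-traffic permit "
              f"inter-interface' or give them distinct security levels.")
```

On the sample config the script reports the datacenter/inside pair at level 100; appending the same-security-traffic line to the config clears the finding. Running this against a saved "show running-config" is a quick pre-check before chasing DNS inspection or NAT when a 106007 (or any other deny) appears between two inside interfaces.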