08-11-2006 11:35 AM - edited 02-21-2020 01:06 AM
I have a box that sits in my DMZ that can't get DNS resolution from an internal DNS server on our internal network, IP 192.168.1.8.
I am having trouble getting the requests through the firewall; any help would be appreciated.
Below is my config:
interface GigabitEthernet0/0
description Inside Interface
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/1
description DMZ interface
nameif DMZ
security-level 0
ip address 10.10.50.1 255.255.255.0
access-list dmz extended permit ip host 10.10.50.20 any
access-list dmz extended permit tcp host 10.10.50.20 192.168.1.0 255.255.255.0 eq 8443
access-list dmz extended permit ip host 10.10.50.20 host 192.168.1.4
access-list dmz extended permit tcp host 10.10.50.20 host 192.168.1.4 eq smtp
access-list dmz extended permit tcp host 10.10.50.20 host 192.168.1.4 eq pop3
access-list dmz extended permit ip host 10.10.50.50 any
access-list dmz extended permit ip host 10.10.50.50 192.168.1.0 255.255.255.0
access-list dmz extended permit tcp host 10.10.50.50 192.168.1.0 255.255.255.0 eq 3389
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 host 192.168.2.8 eq domain
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 host 192.168.1.8 eq domain
access-list outside_in extended permit icmp any any
access-list outside_in extended permit udp any eq domain any
access-list outside_in extended permit tcp any host xxxxxxxxx eq www
access-list outside_in extended permit tcp any host xxxxxxxxx eq https
access-list outside_in extended permit tcp any host xxxxxxxxx eq pptp
!
tcp-map mss-map
exceed-mss allow
!
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu Inside 1500
mtu DMZ 1500
mtu Outside 1500
mtu management 1500
no failover
icmp permit any Inside
icmp permit any DMZ
icmp permit any Outside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 1 10.10.50.0 255.255.255.0
08-12-2006 08:17 AM
Hi,
How about resolution from 192.168.2.8? Is it ok? BTW, how's the access from DMZ to inside? Can you share the other remaining config info, such as static, etc.?
The ACL statement looks ok for the DMZ to access the inside host.
Rgds,
AK
08-14-2006 04:58 AM
interface GigabitEthernet0/0
description Inside Interface
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/1
description DMZ interface
nameif DMZ
security-level 0
ip address 10.10.50.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description Outside Interface for our Expediant Line
nameif Outside
security-level 0
ip address xxxxxxxxxx 255.255.255.240
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd xxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxxxxx
same-security-traffic permit inter-interface
access-list CSC extended permit ip any any
access-list Outbound_ACL standard permit any
access-list dmz extended permit ip host 10.10.50.20 any
access-list dmz extended permit tcp host 10.10.50.20 192.168.1.0 255.255.255.0 eq 8443
access-list dmz extended permit ip host 10.10.50.20 host 192.168.1.4
access-list dmz extended permit tcp host 10.10.50.20 host 192.168.1.4 eq smtp
access-list dmz extended permit tcp host 10.10.50.20 host 192.168.1.4 eq pop3
access-list dmz extended permit ip host 10.10.50.50 any
access-list dmz extended permit ip host 10.10.50.50 192.168.1.0 255.255.255.0
access-list dmz extended permit tcp host 10.10.50.50 192.168.1.0 255.255.255.0 eq 3389
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 host 192.168.2.8 eq domain
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 host 192.168.1.8 eq domain
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 1031
access-list dmz extended permit icmp any any
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 192.168.0.0 255.255.0.0 eq domain
access-list outside_in extended permit icmp any any
access-list outside_in extended permit udp any eq domain any
access-list outside_in extended permit tcp any host xxxxxxxxxx eq www
access-list outside_in extended permit tcp any host xxxxxxxxxx eq https
access-list outside_in extended permit tcp any host xxxxxxxxxx eq pptp
!
tcp-map mss-map
exceed-mss allow
!
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu Inside 1500
mtu DMZ 1500
mtu Outside 1500
mtu management 1500
no failover
icmp permit any Inside
icmp permit any DMZ
icmp permit any Outside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 1 10.10.50.0 255.255.255.0
static (Inside,Outside) xxxxxxxxxx 192.168.1.4 netmask 255.255.255.255
static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,Outside) xxxxxxxxxx 10.10.50.50 netmask 255.255.255.255
static (DMZ,Outside) xxxxxxxxxx 10.10.50.20 netmask 255.255.255.255
access-group dmz in interface DMZ
access-group outside_in in interface Outside
route Inside 192.168.0.0 255.255.0.0 192.168.1.1 1
route Outside 0.0.0.0 0.0.0.0 207.54.182.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password mKYTG3oCAANq6D8j encrypted
http server enable
http 192.168.1.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
snmp-server host Inside 192.168.1.185 community xxxxxxxxxx
no snmp-server location
no snmp-server contact
snmp-server community hostdcp1191
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 Inside
telnet timeout 20
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map dns-port
match port udp eq domain
class-map CSC-class
match access-list CSC
08-15-2006 01:01 AM
Hi,
Try adding the following static map for the DMZ to the inside segment running 192.168.2.0/24.
The current static (see below) allows your DMZ to access the DNS in the 192.168.1.0/24 segment, but no access (no static map) to 192.168.2.0/24.
static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 --> ok
static (Inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 --> add this..
Rgds,
AK
08-15-2006 01:33 AM
Pls ignore the above post, as I mistakenly pointed to the wrong solution.
Since the issue only involves a single box/host in your DMZ, can other hosts talk to the DNS server (192.168.1.8)?
The static map "static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0" allows your whole DMZ to talk to Inside hosts without address translation, and this should work for the whole subnet.
If only one (1) host is affected, then it might be an issue with the host itself. I did not see any ACL denying a specific host from talking to 192.168.1.8.
BTW, do you see any deny statement in the firewall log when that particular host tries to resolve/communicate with the DNS server?
Rgds,
AK
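To make AK's reasoning checkable offline, here is an added example (not code from the thread, from Cisco, or from the ASA itself) that re-implements the two checks a DMZ-to-Inside flow has to pass on this pre-8.3 ASA config: first-match evaluation of the "dmz" interface ACL with the implicit deny at the end, and coverage by a static (Inside,DMZ) identity translation. The ACL and static lines embedded below are copied from the posted config; the sample source address 10.10.50.77, the port-name table and the function names are this example's own assumptions. The ASA's real behaviour is still best confirmed on the box with "show access-list dmz" hit counts and the deny messages in the syslog that AK asks about.

```python
import ipaddress

# "dmz" ACL lines exactly as posted in the thread, in configured order.
ACL_DMZ = """
access-list dmz extended permit ip host 10.10.50.20 any
access-list dmz extended permit tcp host 10.10.50.20 192.168.1.0 255.255.255.0 eq 8443
access-list dmz extended permit ip host 10.10.50.20 host 192.168.1.4
access-list dmz extended permit tcp host 10.10.50.20 host 192.168.1.4 eq smtp
access-list dmz extended permit tcp host 10.10.50.20 host 192.168.1.4 eq pop3
access-list dmz extended permit ip host 10.10.50.50 any
access-list dmz extended permit ip host 10.10.50.50 192.168.1.0 255.255.255.0
access-list dmz extended permit tcp host 10.10.50.50 192.168.1.0 255.255.255.0 eq 3389
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 host 192.168.2.8 eq domain
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 host 192.168.1.8 eq domain
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 192.168.0.0 255.255.0.0 eq 1031
access-list dmz extended permit icmp any any
access-list dmz extended permit udp 10.10.50.0 255.255.255.0 192.168.0.0 255.255.0.0 eq domain
"""

# The only Inside->DMZ static in the posted config (identity NAT for 192.168.1.0/24).
STATICS = """
static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
"""

# Port names as the ASA prints them in this config (assumed table, not exhaustive).
PORT_NAMES = {"domain": 53, "smtp": 25, "pop3": 110, "www": 80, "https": 443, "pptp": 1723}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | NET MASK) at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash.
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]'; None if not an ACE."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    ace = {"name": tok[1], "action": tok[3], "proto": tok[4], "sport": None, "dport": None}
    ace["src"], i = _parse_addr(tok, 5)
    if i < len(tok) and tok[i] == "eq":
        ace["sport"], i = _port(tok[i + 1]), i + 2
    ace["dst"], i = _parse_addr(tok, i)
    if i < len(tok) and tok[i] == "eq":
        ace["dport"] = _port(tok[i + 1])
    return ace


def evaluate(acl_text, proto, src_ip, dst_ip, dport=None, sport=None):
    """First-match ACL evaluation with the ASA's implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace is None or ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line.strip()
    return "deny", "implicit deny"


def static_covers(static_text, real_if, mapped_if, dst_ip):
    """Return the static (real_if,mapped_if) line whose mapped range contains dst_ip, else None."""
    dst = ipaddress.ip_address(dst_ip)
    for line in static_text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "static" or tok[1] != f"({real_if},{mapped_if})":
            continue
        mapped = ipaddress.ip_network(f"{tok[2]}/{tok[5]}", strict=False)
        if dst in mapped:
            return line.strip()
    return None


def dmz_to_inside_ok(src_ip, dst_ip, proto, dport):
    """A DMZ->Inside flow needs both an ACL permit and a static exposing the Inside host to DMZ."""
    action, _ = evaluate(ACL_DMZ, proto, src_ip, dst_ip, dport)
    return action == "permit" and static_covers(STATICS, "Inside", "DMZ", dst_ip) is not None


if __name__ == "__main__":
    # 10.10.50.77 is a constructed "other DMZ host" not named in the thread.
    for dst in ("192.168.1.8", "192.168.2.8"):
        print(dst, evaluate(ACL_DMZ, "udp", "10.10.50.77", dst, 53),
              "static:", static_covers(STATICS, "Inside", "DMZ", dst))
    print("TCP/53 to 192.168.1.8:", evaluate(ACL_DMZ, "tcp", "10.10.50.77", "192.168.1.8", 53))
```

Running it shows what AK concluded: UDP/53 from any DMZ host to 192.168.1.8 is permitted by the tenth ACE and the 192.168.1.0/24 identity static covers it, so the firewall is not the obstacle for that host. It also surfaces two details worth knowing when troubleshooting: 192.168.2.8 is permitted by the ACL but has no matching static (the gap AK's first, retracted post pointed at), and DNS over TCP (used for large responses and zone transfers) hits the implicit deny because every DNS ACE is UDP-only, which would appear in the syslog as a deny rather than a silent failure.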