ASA5510 and dns issues with email

Carlomd
Level 1

Hi all,

I have a fairly new install of a 5510; it has been running well for the last couple of weeks, but I found out from our ISP that I had my DNS servers in the open for attacks when I had the access-list for incoming using port 53, so I took it out, and somehow now we're getting bounces from Comcast and AOL, and other sites.

So I kept searching and I read here that some folks disabled inspect dns under the global policy because that caused issues with how DNS is handled by the ASA. I did that too to see if it helps, but was getting the same thing, so basically some domains are not going through for email when I have port 53 blocked on the ASA incoming. Or would it be safe to open it again? But I will probably get that warning again from my ISP saying I'm vulnerable. Kinda stumped on this right now and would like to see how you guys set your ASA to let DNS flow correctly; here's my current config as well.

Thanks in advance.

mvsheik123
Level 7

Hi,

You need to redesign your setup.

1. Move all the servers that definitely need access from the outside world (web services, RDP etc.) to a DMZ (leaving everything in the LAN and allowing access from outside is not recommended at all).

2. Evaluate the services that need to be allowed from outside. It definitely depends on the firm's requirements, but it looks like you have many ports open to the outside world.

3. The link below will give you some idea on how to mitigate network attacks.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Thx

MS
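To illustrate the DMZ redesign suggested above together with the original poster's port 53 question, here is an added ASA configuration fragment; it is not the poster's config or anything from the Cisco note, and the interface name, object names, and all addresses (192.168.50.0/24 inside the DMZ, 203.0.113.0/24 as the public range) are placeholder assumptions. The `!` lines are annotations only. Inbound port 53 is allowed solely to the authoritative DNS host in the DMZ instead of to the whole LAN, and the default `inspect dns` stays on so oversized or malformed DNS messages are still dropped.

```cisco
! Added example (ASA 8.3+ syntax), not the poster's running config.
! Placeholder addresses throughout; replace with your own.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Public-facing hosts live in the DMZ, not the LAN.
object network DMZ-DNS1
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.10
!
object network DMZ-MAIL
 host 192.168.50.20
 nat (dmz,outside) static 203.0.113.20
!
! Inbound policy: only the services the firm actually requires,
! each permitted only to the one DMZ host that serves it.
access-list outside_in extended permit udp any object DMZ-DNS1 eq domain
access-list outside_in extended permit tcp any object DMZ-DNS1 eq domain
access-list outside_in extended permit tcp any object DMZ-MAIL eq smtp
access-list outside_in extended permit tcp any object DMZ-MAIL eq https
! Everything else from outside (RDP, FTP, the whole LAN) is implicitly denied.
access-group outside_in in interface outside
!
! Keep the default DNS inspection rather than removing it;
! preset_dns_map enforces the 512-byte maximum message length.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

The firewall rule alone does not close the ISP's complaint: the DNS server itself must refuse recursion for outside clients and answer only for the zones it is authoritative for, which is a setting on the server, not on the ASA.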


Hi MS

Thanks for the reply. I re-opened port 53 for my DNS servers on the outside interface incoming, and mail flowed like normal again. Yeah, I think I'm one of the last few that still has the old setup for a LAN and firewall; I need to get with the times and finally set up a DMZ. We have RDP, web, and OWA, SMTP and FTP basically. I'm googling around for now for info, and hopefully will get the hang of this setup.

thanks

carlo

Hi Carlo,

ISP systems will block for a certain time and then release the IP. So, there is a chance that you will still experience the issue once the ISP notices any kind of attack from your IPs. I suggest you hire a consultant and make the necessary changes asap.

hth

MS

PS: Please rate helpful posts.
