Cisco ASA 5505 Blocking LAN Domain Queries

Richard Lawes
Level 1

Hi guys,

Okay, my scenario: a datacentre-hosted system with 4 servers connected to a Cisco ASA 5505. Everything was working fine with 4x Windows Server 2003 machines, but since pulling 2 out and replacing them with Windows Server 2008 machines I get a flood of the error below, and it blocks communications back to the IP listed, which is the domain controller, so naturally this makes the 2 new servers unusable.

1: They are all connected to the inside VLAN directly via the ASA's switch ports.

2: They are all in the same 255.255.255.0 subnet, including the ASA inside interface.

3: Removing the gateway on the affected machines makes no difference; the ASA continues to block it, which indicates that whether or not the machines use the ASA as a gateway, it's inspecting the traffic and blocking it.

I have posted the error below and my config. It's strange that it's only affecting the new Server 2008 machines, and I'm hoping you can offer suggestions.

Errors:

2      Dec 08 2012      12:02:41      106007      10.50.15.117      55068      DNS            Deny inbound UDP from 10.50.15.117/55068 to 10.50.15.5/53 due to DNS Query

Result of the command: "show run"


: Saved

:

ASA Version 8.2(1)

!

hostname xxxxx-ASA5505

domain-name xxx.local

enable password

passwd

names

name 10.50.17.0 Hobart description Hobart

name 10.50.16.0 Launceston description Launceston

name 10.50.18.0 Burnie description Burnie

name 10.50.24.0 Devonport description Devonport

name 10.50.23.0 burniewilmot description burniewilmot

name 10.50.35.0 Warrnamboolmain description warrnamboolmain

name 10.50.30.0 hamilton description hamilton

name 10.50.20.0 Portland description Portland

name 10.50.31.0 Camperdown description Camperdown

name 10.50.32.0 wboolsh description wboolsh

name 10.50.33.0 wblthy description wblthy

dns-guard

!

interface Vlan1

nameif inside

security-level 100

ip address 10.50.15.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 111.223.228.154 255.255.255.248

!

interface Vlan5

no forward interface Vlan1

nameif dmz

security-level 50

ip address dhcp

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST 10

clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00

dns server-group DefaultDNS

domain-name xxx.local

object-group service IpPrinting tcp

port-object eq 9100

object-group icmp-type icmp

icmp-object alternate-address

icmp-object conversion-error

icmp-object echo

icmp-object echo-reply

icmp-object information-reply

icmp-object information-request

icmp-object mask-reply

icmp-object mask-request

icmp-object mobile-redirect

icmp-object parameter-problem

icmp-object redirect

icmp-object router-advertisement

icmp-object router-solicitation

icmp-object source-quench

icmp-object time-exceeded

icmp-object timestamp-reply

icmp-object timestamp-request

icmp-object traceroute

icmp-object unreachable

object-group network dns_servers

network-object host 10.50.15.5

object-group service domain udp

port-object eq domain

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object udp

protocol-object tcp

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any eq domain

access-list inside_access_in extended permit udp any any object-group domain

access-list outside_access_in extended permit ip any any inactive

access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp

access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq www

access-list vpnusers_splitTunnelAcl standard permit 111.223.231.120 255.255.255.248

access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 14.0.0.0 255.255.255.240

access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 111.223.228.152 255.255.255.248

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 111.223.228.152 255.255.255.248

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 14.0.0.0 255.255.255.240

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Devonport 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0

access-list outside_1_cryptomap_1 extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0

access-list outside_3_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0

access-list outside_4_cryptomap extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0

access-list outside_5_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0

access-list outside_6_cryptomap extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0

access-list outside_7_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0

access-list outside_8_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0

access-list outside_9_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0

access-list outside_10_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0

access-list dmz_access_in extended permit tcp any interface outside eq www inactive

access-list dmz_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp

pager lines 24

logging enable

logging asdm warnings

mtu inside 1300

mtu outside 1300

mtu dmz 1500

ip local pool vpnclient 14.0.0.1-14.0.0.15 mask 255.0.0.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.50.15.0 255.255.255.0

static (outside,inside) tcp 10.50.15.5 www 0.0.0.0 www netmask 255.255.255.255

static (inside,outside) tcp interface www 10.50.15.5 www netmask 255.255.255.255  dns

static (inside,outside) tcp interface smtp 10.50.15.5 smtp netmask 255.255.255.255  dns

static (inside,inside) 10.50.15.0 255.255.255.0 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 111.223.228.153 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 10.50.15.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac

crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec df-bit clear-df outside

crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 58.96.86.56

crypto map outside_map 1 set transform-set esp-des-sha

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map0 1 match address outside_1_cryptomap_1

crypto map outside_map0 1 set peer 59.167.207.106

crypto map outside_map0 1 set transform-set ESP-3DES-SHA

crypto map outside_map0 2 match address outside_2_cryptomap

crypto map outside_map0 2 set peer 59.167.204.53

crypto map outside_map0 2 set transform-set ESP-3DES-SHA

crypto map outside_map0 3 match address outside_3_cryptomap

crypto map outside_map0 3 set pfs

crypto map outside_map0 3 set peer 203.45.159.34

crypto map outside_map0 3 set transform-set ESP-3DES-SHA

crypto map outside_map0 4 match address outside_4_cryptomap

crypto map outside_map0 4 set peer 203.45.134.39

crypto map outside_map0 4 set transform-set ESP-3DES-SHA

crypto map outside_map0 5 match address outside_5_cryptomap

crypto map outside_map0 5 set peer 58.96.75.47

crypto map outside_map0 5 set transform-set ESP-3DES-SHA

crypto map outside_map0 6 match address outside_6_cryptomap

crypto map outside_map0 6 set peer 58.96.85.151

crypto map outside_map0 6 set transform-set ESP-3DES-SHA

crypto map outside_map0 7 match address outside_7_cryptomap

crypto map outside_map0 7 set peer 58.96.78.238

crypto map outside_map0 7 set transform-set ESP-3DES-SHA

crypto map outside_map0 8 match address outside_8_cryptomap

crypto map outside_map0 8 set peer 58.96.69.82

crypto map outside_map0 8 set transform-set ESP-3DES-SHA

crypto map outside_map0 9 match address outside_9_cryptomap

crypto map outside_map0 9 set peer 58.96.83.244

crypto map outside_map0 9 set transform-set ESP-3DES-SHA

crypto map outside_map0 10 match address outside_10_cryptomap

crypto map outside_map0 10 set peer 58.96.80.122

crypto map outside_map0 10 set transform-set ESP-3DES-SHA

crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map0 interface outside

crypto isakmp enable outside

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

crypto isakmp policy 70

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.50.15.50-10.50.15.55 inside

dhcpd dns 10.50.15.5 interface inside

!


no threat-detection basic-threat

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 130.194.10.150

webvpn

group-policy xxx internal

group-policy xxx attributes

dns-server value 10.50.15.5

vpn-tunnel-protocol IPSec

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

dhcp-network-scope 14.0.0.0

vpn-tunnel-protocol IPSec webvpn

ipv6-address-pools none

group-policy vpnusers internal

group-policy vpnusers attributes

dns-server value 10.50.15.5 139.130.4.4

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnusers_splitTunnelAcl

username aspireremote password

username aspireremote attributes

service-type remote-access

username richard.lawes password

username netscreen password

tunnel-group DefaultL2LGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultRAGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultWEBVPNGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group TunnelGroup1 type remote-access

tunnel-group TunnelGroup1 general-attributes

address-pool (outside) vpnclient

address-pool vpnclient

default-group-policy GroupPolicy1

dhcp-server 192.168.0.5

tunnel-group TunnelGroup1 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 15 retry 2

tunnel-group vpnusers type remote-access

tunnel-group vpnusers general-attributes

address-pool vpnclient

default-group-policy vpnusers

tunnel-group vpnusers ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 15 retry 2

tunnel-group 59.167.207.106 type ipsec-l2l

tunnel-group 59.167.207.106 ipsec-attributes

pre-shared-key *

tunnel-group aspirevpn type remote-access

tunnel-group aspirevpn general-attributes

address-pool vpnclient

default-group-policy xxxvpn

tunnel-group xxxvpn ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 15 retry 2

tunnel-group 59.167.204.53 type ipsec-l2l

tunnel-group 59.167.204.53 ipsec-attributes

pre-shared-key *

tunnel-group 203.45.159.34 type ipsec-l2l

tunnel-group 203.45.159.34 ipsec-attributes

pre-shared-key *

tunnel-group 203.45.134.39 type ipsec-l2l

tunnel-group 203.45.134.39 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 15 retry 2

tunnel-group 58.96.75.47 type ipsec-l2l

tunnel-group 58.96.75.47 ipsec-attributes

pre-shared-key *

tunnel-group 58.96.85.151 type ipsec-l2l

tunnel-group 58.96.85.151 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 15 retry 2

tunnel-group 58.96.78.238 type ipsec-l2l

tunnel-group 58.96.78.238 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 15 retry 2

tunnel-group 58.96.69.82 type ipsec-l2l

tunnel-group 58.96.69.82 ipsec-attributes

pre-shared-key *

tunnel-group 58.96.83.244 type ipsec-l2l

tunnel-group 58.96.83.244 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 15 retry 2

tunnel-group 58.96.80.122 type ipsec-l2l

tunnel-group 58.96.80.122 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 15 retry 2

!

!

prompt hostname context
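An added example, not part of the original post: a small Python filter over ASDM-style ASA syslog rows that picks out %ASA-2-106007 DNS-query denies whose source and destination both sit on the firewall's own inside subnet (10.50.15.254/24 from the posted config), which is exactly the kind of row quoted above where the two hosts should have talked directly and the ASA should never have seen the packet. The sample rows are constructed, modelled on the quoted line, and the inside interface address is taken from the config.

```python
import ipaddress
import re

# Constructed sample rows modelled on the 106007 line quoted in the post.
# Row 1 is the reported case; row 2 is a constructed counter-example from a
# remote VPN-site subnet (Hobart, 10.50.17.0/24) that legitimately transits the ASA.
SAMPLE_LOG = """\
2      Dec 08 2012      12:02:41      106007      10.50.15.117      55068      DNS            Deny inbound UDP from 10.50.15.117/55068 to 10.50.15.5/53 due to DNS Query
2      Dec 08 2012      12:02:45      106007      10.50.17.20       51002      DNS            Deny inbound UDP from 10.50.17.20/51002 to 10.50.15.5/53 due to DNS Query
"""

# Inside interface address/mask from the posted config (assumption: this is
# the only directly connected inside subnet).
INSIDE_IFACE = ipaddress.ip_interface("10.50.15.254/255.255.255.0")

# Matches the message text of %ASA-2-106007 for DNS queries.
MSG_106007 = re.compile(
    r"\b106007\b.*?Deny inbound UDP from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) due to DNS Query"
)


def parse_106007(line):
    """Return (src, sport, dst, dport) for a 106007 DNS-query deny row, else None."""
    m = MSG_106007.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))


def is_local_hairpin(src, dst, iface=INSIDE_IFACE):
    """True when both endpoints are on the ASA's own inside subnet, i.e. the
    query should have been switched host-to-host and never reached the firewall."""
    net = iface.network
    return src in net and dst in net


def find_hairpin_dns_denies(log_text, iface=INSIDE_IFACE):
    """Filter 106007 DNS denies down to those between same-subnet inside hosts."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_106007(line)
        if parsed is None:
            continue
        src, sport, dst, dport = parsed
        if is_local_hairpin(src, dst, iface):
            hits.append((str(src), str(dst), dport))
    return hits


if __name__ == "__main__":
    for src, dst, dport in find_hairpin_dns_denies(SAMPLE_LOG):
        print(f"same-subnet DNS query denied by ASA: {src} -> {dst}:{dport}")
```

A non-empty result means the ASA is dropping traffic it should not be receiving at all, which is the question Julio raises below; the remote-subnet row is deliberately left out of the hits.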

3 Replies

Julio Carvajal
VIP Alumni

Hello Richard,

My first thought is: why is the ASA receiving this traffic? This is traffic that should not reach the default gateway.

Anyway, try the following:

same-security-traffic permit intra-interface

Let me know how it goes

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Nothing. All that does is create a flood of portmap errors instead, and the traffic still can't get through.

Hello Richard,

Check my private message,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC