
Cisco ASA 9.7 Stateful Connection Database

Hi guys,

I have a weird situation with the Cisco ASA 9.7...

Below is a sample scenario:

Inside -> INSIDE_ACL_IN -> ASA -> Outside

Outside -> OUTSIDE_ACL_IN -> ASA -> Inside

I allow DNS queries from Inside to Outside to a DNS server (UDP/53)

access-list INSIDE_ACL_IN extended permit udp 10.0.0.0 255.255.255.0 host 10.10.10.10 eq 53 log

...

access-list OUTSIDE_ACL_IN extended deny ip any any log

The logs show that the ASA permits the DNS request from the client to the server by ACL INSIDE_ACL_IN, however OUTSIDE_ACL_IN denies the DNS response... It's as if the ASA has no state in the DB...

I do have a FirePOWER module active... Has anything changed regarding the inspection algorithm on the ASA in 9.7?

Should I specify an ACL to allow all responses? Does the info at this post still apply: https://learningnetwork.cisco.com/thread/71026

Regards,

K

2 Replies

Marvin Rhoads
Hall of Fame

You're correct - this is unexpected behavior.

The "state" (or more accurately the existence of a connection record for the UDP flow) should be retained, and that would take precedence over the inbound OUTSIDE_ACL_IN access list.

I would recommend checking for the connection in the state table while you're trying the DNS lookup. Something like:

show conn | i 10.10.10.10

Edit: The xlate per-session has nothing to do with it. I have downgraded to 9.6.3-1 as the recommended version.

The issue keeps coming up and going away.

May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN4_IA permitted tcp ZA_IA/192.168.4.44(64534) -> ZA_VD/192.168.5.81(4118) hit-cnt 1 first hit [0x5c75551f, 0xc527b822]
May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN4_IA permitted tcp ZA_IA/192.168.4.44(64536) -> ZA_VD/192.168.5.87(4118) hit-cnt 1 first hit [0x5c75551f, 0xc527b822]
May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN4_IA permitted tcp ZA_IA/192.168.4.44(64537) -> ZA_VD/192.168.5.86(4118) hit-cnt 1 first hit [0x5c75551f, 0xc527b822]
May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN5_VD denied tcp ZA_VD/192.168.5.81(4118) -> ZA_IA/192.168.4.44(64534) hit-cnt 1 first hit [0x20264fcc, 0x9a0090d9]
May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN5_VD denied tcp ZA_VD/192.168.5.87(4118) -> ZA_IA/192.168.4.44(64536) hit-cnt 1 first hit [0x20264fcc, 0x9a0090d9]
May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN5_VD denied tcp ZA_VD/192.168.5.86(4118) -> ZA_IA/192.168.4.44(64537) hit-cnt 1 first hit [0x20264fcc, 0x9a0090d9]

As you can see, ACL VLAN4_IA permits the connection however ACL VLAN5_VD drops the return traffic.

I managed to capture one of the connections; I was not fast enough to catch all of them.

TCP ZA_VD 192.168.5.81:4118 ZA_IA 192.168.4.44:64885, idle 0:00:00, bytes 180, flags UOX
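The pattern in the logs above (a flow permitted by one interface ACL, then its exact reverse denied by the other interface ACL a moment later) is the signature of return traffic being evaluated against an ACL instead of matching an existing conn. The following is an added example, not code from the thread or from Cisco: it parses %ASA-6-106100 lines, pairs each denied flow with the permitted flow it reverses, and checks a `show conn` snapshot for a matching entry. The six log lines and the single `show conn` line are the ones posted above; the seventh log line (a deny with no matching permit) is constructed so an unrelated deny is shown not to be flagged. Only the `show conn` line format seen in the post is assumed.

```python
"""Correlate %ASA-6-106100 access-list logs with an ASA connection table.

Added example (not from the original thread). Pairs each 'denied' flow with
an earlier 'permitted' flow that is its exact reverse, then checks whether a
'show conn' snapshot holds a conn for that flow.
"""
import re

# Format: <ts>: %ASA-6-106100: access-list <acl> <permitted|denied> <proto>
#         <ifc>/<ip>(<port>) -> <ifc>/<ip>(<port>) hit-cnt ...
ACL_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-106100: "
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sifc>[^/\s]+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<difc>[^/\s]+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\)"
)

# 'show conn' line as captured in the post:
# PROTO ifcA ip:port ifcB ip:port, idle ..., bytes ..., flags ...
CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<ifc_a>\S+) (?P<ip_a>[\d.]+):(?P<port_a>\d+) "
    r"(?P<ifc_b>\S+) (?P<ip_b>[\d.]+):(?P<port_b>\d+),.*flags (?P<flags>\S+)"
)


def parse_acl_log(line):
    """Return a dict for a 106100 line, or None if the line is something else."""
    m = ACL_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def five_tuple(rec):
    return (rec["proto"], rec["sip"], rec["sport"], rec["dip"], rec["dport"])


def reverse_tuple(rec):
    return (rec["proto"], rec["dip"], rec["dport"], rec["sip"], rec["sport"])


def find_state_misses(log_lines):
    """Yield (permitted_rec, denied_rec) pairs where the deny reverses a permit."""
    permitted = {}
    misses = []
    for line in log_lines:
        rec = parse_acl_log(line)
        if rec is None:
            continue
        if rec["action"] == "permitted":
            permitted[five_tuple(rec)] = rec
        elif reverse_tuple(rec) in permitted:
            misses.append((permitted[reverse_tuple(rec)], rec))
    return misses


def parse_show_conn(lines):
    """Return a set of 5-tuples present in the conn table, in both orientations."""
    conns = set()
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        proto = m["proto"].lower()
        a = (m["ip_a"], int(m["port_a"]))
        b = (m["ip_b"], int(m["port_b"]))
        # A conn entry matches traffic in either direction, so index both.
        conns.add((proto, a[0], a[1], b[0], b[1]))
        conns.add((proto, b[0], b[1], a[0], a[1]))
    return conns


def conn_present(conns, rec):
    return five_tuple(rec) in conns


def report(log_lines, conn_lines):
    """One row per state miss: the outbound flow, both ACLs, and whether a conn exists."""
    conns = parse_show_conn(conn_lines)
    rows = []
    for fwd, rev in find_state_misses(log_lines):
        rows.append({
            "flow": f'{fwd["proto"]} {fwd["sip"]}:{fwd["sport"]} -> {fwd["dip"]}:{fwd["dport"]}',
            "permit_acl": fwd["acl"],
            "deny_acl": rev["acl"],
            "in_conn_table": conn_present(conns, fwd),
        })
    return rows


# Six lines quoted from the post, plus one constructed unrelated deny (last line).
SAMPLE_LOG = [
    "May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN4_IA permitted tcp ZA_IA/192.168.4.44(64534) -> ZA_VD/192.168.5.81(4118) hit-cnt 1 first hit [0x5c75551f, 0xc527b822]",
    "May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN4_IA permitted tcp ZA_IA/192.168.4.44(64536) -> ZA_VD/192.168.5.87(4118) hit-cnt 1 first hit [0x5c75551f, 0xc527b822]",
    "May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN4_IA permitted tcp ZA_IA/192.168.4.44(64537) -> ZA_VD/192.168.5.86(4118) hit-cnt 1 first hit [0x5c75551f, 0xc527b822]",
    "May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN5_VD denied tcp ZA_VD/192.168.5.81(4118) -> ZA_IA/192.168.4.44(64534) hit-cnt 1 first hit [0x20264fcc, 0x9a0090d9]",
    "May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN5_VD denied tcp ZA_VD/192.168.5.87(4118) -> ZA_IA/192.168.4.44(64536) hit-cnt 1 first hit [0x20264fcc, 0x9a0090d9]",
    "May 16 2017 13:34:23: %ASA-6-106100: access-list VLAN5_VD denied tcp ZA_VD/192.168.5.86(4118) -> ZA_IA/192.168.4.44(64537) hit-cnt 1 first hit [0x20264fcc, 0x9a0090d9]",
    # constructed: an inbound deny with no matching outbound permit, must not be flagged
    "May 16 2017 13:34:25: %ASA-6-106100: access-list VLAN5_VD denied tcp ZA_VD/192.168.5.90(51234) -> ZA_IA/192.168.4.44(22) hit-cnt 1 first hit [0x20264fcc, 0x9a0090d9]",
]

# The single conn entry captured in the post.
SHOW_CONN = [
    "TCP ZA_VD 192.168.5.81:4118 ZA_IA 192.168.4.44:64885, idle 0:00:00, bytes 180, flags UOX",
]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, SHOW_CONN):
        print(row)
```

Run against the posted lines this flags the three 4118 flows and reports no conn for any of them (the captured conn is for source port 64885, a different connection), which is the evidence a TAC case would want alongside the `show conn` capture taken during the failure window.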
