11-26-2008 09:59 AM - edited 03-11-2019 07:18 AM
Hi,
I'm trying to set up public DNS servers in a DMZ using an ASA 5505. The DNS server is also a web host and I can access the web server via port 80 using the static IP.
The issue is that UDP dns requests are dropped:
Deny udp src outside:68.87.71.227/23665 dst Hosting:CommDns1Mail1/53 by access-group "outside_access_in"
The packet trace indicates an inspect-dns-invalid-pak error.
Can anyone tell what is wrong with my configuration?
Thanks in advance for your help!
April
ASA Version 7.2(2)
interface Vlan1
nameif inside
security-level 100
interface Vlan2
nameif outside
security-level 0
interface Vlan22
nameif Hosting
security-level 50
ftp mode passive
dns server-group DefaultDNS
domain-name zzzzzz.com
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any eq domain host CommDns1Mail1 eq domain
access-list outside_access_in extended permit udp any eq domain host CommDns1Mail1 eq domain
access-list outside_access_in extended permit tcp any host CommDns1Mail1 eq www
access-list outside_access_in extended permit tcp any eq imap4 host CommDns1Mail1 eq imap4
access-list outside_access_in extended permit tcp any eq pop3 host CommDns1Mail1 eq pop3
access-list outside_access_in extended permit tcp any eq smtp host CommDns1Mail1 eq smtp
access-list outside_access_in extended permit tcp host CommDns1Mail1 eq www any eq www
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Hosting 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 3 CommDns1Mail1 netmask 255.255.255.255
nat (Hosting) 3 DWDEV01 255.255.255.255
static (Hosting,outside) tcp CommDns1Mail1 www DWDEV01 www netmask 255.255.255.255
static (Hosting,outside) tcp CommDns1Mail1 smtp DWDEV01 smtp netmask 255.255.255.255
static (Hosting,outside) tcp CommDns1Mail1 domain DWDEV01 domain netmask 255.255.255.255
static (Hosting,outside) udp CommDns1Mail1 domain DWDEV01 domain netmask 255.255.255.255 dns
static (Hosting,inside) CommDns1Mail1 DWDEV01 netmask 255.255.255.255
static (inside,Hosting) 192.1.1.0 192.1.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
no dns-guard
no protocol-enforcement
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
11-26-2008 10:07 AM
In your ACL you're stating the source port should be UDP 53, which for lookups is random. For zone transfers it is static ports. Here's the line in the ACL:
access-list outside_access_in extended permit udp any eq domain host CommDns1Mail1 eq domain
Change or add to look like this:
access-list outside_access_in extended permit udp any host CommDns1Mail1 eq domain
Hope that helps.
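To make the point in the reply concrete, here is an added example (my own code, not from the thread, Cisco, or the ASA): a small Python evaluator for the extended-ACE subset used in this config. It parses the thread's own access-list lines, applies first-match evaluation with the implicit deny that ends every ASA ACL, and shows the logged query (source port 23665) falling through the original udp entry and matching the corrected one. Assumptions: only the `permit|deny PROTO (any|host NAME) [eq PORT] (any|host NAME) [eq PORT]` form is parsed, host/object names are compared as literal strings, subnet and netmask forms are not handled, and the `static ... dns` translation and DNS inspection are not modelled.

```python
# Added example (not from the thread): toy evaluator for the ASA extended-ACE
# syntax pasted above, showing why the original udp entry dropped the logged
# query and why the corrected entry permits it.
# Assumptions: only "permit|deny PROTO (any|host NAME) [eq PORT] (any|host NAME) [eq PORT]"
# is parsed; names are compared literally; no subnet/netmask forms.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Service names used in the thread's ACL, mapped to their well-known ports.
PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "pop3": 110, "imap4": 143}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: Optional[str]     # None means "any"
    sport: Optional[int]   # None means any source port
    dst: Optional[str]
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ...' line into an Ace."""
    toks = line.split()
    if len(toks) < 7 or toks[0] != "access-list" or toks[2] != "extended":
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, proto = toks[3], toks[4]
    i = 5
    addrs: List[Optional[str]] = []
    ports: List[Optional[int]] = []
    for _ in range(2):                          # source spec, then destination spec
        if toks[i] == "any":
            addrs.append(None)
            i += 1
        elif toks[i] == "host":
            addrs.append(toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported address form at {toks[i]!r}")
        if i < len(toks) and toks[i] == "eq":   # optional port qualifier
            ports.append(_port(toks[i + 1]))
            i += 2
        else:
            ports.append(None)
    return Ace(action, proto, addrs[0], ports[0], addrs[1], ports[1])


def parse_acl(text: str) -> List[Ace]:
    """Parse every access-list line in a config fragment, keeping their order."""
    return [parse_ace(l) for l in text.splitlines() if l.strip().startswith("access-list")]


def evaluate(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First-match evaluation, ending in the implicit deny of every ASA ACL."""
    for ace in acl:
        if (ace.proto == proto
                and ace.src in (None, src) and ace.sport in (None, sport)
                and ace.dst in (None, dst) and ace.dport in (None, dport)):
            return ace.action
    return "deny"


# The two DNS entries from the original config (verbatim from the thread).
ORIGINAL_ACL = """
access-list outside_access_in extended permit tcp any eq domain host CommDns1Mail1 eq domain
access-list outside_access_in extended permit udp any eq domain host CommDns1Mail1 eq domain
"""

# The replacement udp entry suggested in the reply: no source-port qualifier.
FIXED_ACL = """
access-list outside_access_in extended permit tcp any eq domain host CommDns1Mail1 eq domain
access-list outside_access_in extended permit udp any host CommDns1Mail1 eq domain
"""

# The flow from the thread's syslog line:
#   Deny udp src outside:68.87.71.227/23665 dst Hosting:CommDns1Mail1/53
LOGGED_QUERY = ("udp", "68.87.71.227", 23665, "CommDns1Mail1", 53)


def verdicts() -> Dict[str, str]:
    """Evaluate the logged query, plus a constructed port-53-sourced one, against both ACLs."""
    same_port_query = ("udp", "68.87.71.227", 53, "CommDns1Mail1", 53)   # constructed
    return {
        "original_logged": evaluate(parse_acl(ORIGINAL_ACL), *LOGGED_QUERY),
        "fixed_logged": evaluate(parse_acl(FIXED_ACL), *LOGGED_QUERY),
        "original_src53": evaluate(parse_acl(ORIGINAL_ACL), *same_port_query),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

The third verdict shows why the original entry looked right on paper: a query that happened to come from source port 53 would have been permitted, while a resolver using an ephemeral port fell through to the implicit deny. Note that the tcp entry in this config keeps the same `eq domain` source-port qualifier, so the evaluator gives the same deny for a TCP query from an ephemeral port; the reply above only addressed the udp line.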
11-26-2008 10:14 AM
Hi,
That seemed to work! Wow, thanks! (I've been struggling so much to try to understand this stuff - it is really another world!)
Thanks for your help and have a happy Thanksgiving!
Cheers,
April