09-09-2014 05:16 AM - edited 03-11-2019 09:43 PM
Hi,
DNS lookup on Cisco ASA works:
fw-asa/pri/act# ping imap.gmail.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.67.109, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/30 ms
object network obj-imap.gmail.com
 fqdn v4 imap.gmail.com
access-list ACL_APP extended permit tcp host 192.168.100.81 object obj-imap.gmail.com eq 993
WHY does the ACL above have hit=0? The ACL works, I'm sure, because if I disable it then 192.168.100.81 cannot connect to imap.gmail.com.
ALSO, on the syslog server, searching for the destination FQDN there is no entry.
09-09-2014 06:45 AM
The FQDN object is only used to populate the ACL with ACEs that have the corresponding IP(s) as the destination. These lines have the relevant hit counts. In the log, you also have to search for the real IP, which would be 173.194.67.109 in your example.
09-11-2014 08:17 AM
Thanks for your answer.
I'm facing some problems anyway. I have two firewalls and the same DNS server;
the first one, ASA:
fw-asa1/pri/act# sh dns host pop.gmail.com
Name: pop.gmail.com
Address: 173.194.66.109 TTL 11:35:28
Address: 173.194.66.108 TTL 11:35:28
Address: 173.194.78.108 TTL 03:48:47
Address: 173.194.78.109 TTL 03:48:47
...while the second one, ASA:
fw-asa2/pri/act# sh dns host pop.gmail.com
Name: pop.gmail.com
Address: 173.194.66.109 TTL 11:35:34
Address: 173.194.66.108 TTL 11:35:34
Address: 173.194.78.108 TTL 10:44:28
Address: 173.194.78.109 TTL 10:44:28
Address: 173.194.67.109 TTL 10:49:28
Address: 173.194.67.108 TTL 10:49:28
I can't understand the reason why they have different entries. Sometimes something is missing, so traffic to pop.gmail.com is blocked. The server which has to connect by POP to the Gmail POP server is targeting pop.gmail.com, resolving it through the same DNS server used by the ASA. Do I have to work with timers (I've changed the expire timeout to 12 hours, but there are still some missed entries sometimes)? I don't really know.
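The two points raised in this thread (the ACL only carries ACEs for the IPs each ASA has actually resolved, and syslog only ever shows the real destination IP, never the FQDN) can be checked with a small script. This is an added example, not code from the thread or from Cisco: it parses the `show dns host` output of both firewalls above, reports which resolved addresses one firewall has and the other lacks (the gaps that cause the intermittent blocking), and maps the destination IP in sample syslog lines back to the FQDN object that resolved it. The syslog lines are constructed samples in the shape of ASA message IDs 302013 and 106023; connection IDs, ports and the 198.51.100.7 address are invented.

```python
import re

# Sample "show dns host" output for the two ASAs, taken from the thread above.
ASA1_DNS = """Name: pop.gmail.com
Address: 173.194.66.109 TTL 11:35:28
Address: 173.194.66.108 TTL 11:35:28
Address: 173.194.78.108 TTL 03:48:47
Address: 173.194.78.109 TTL 03:48:47"""
ASA2_DNS = """Name: pop.gmail.com
Address: 173.194.66.109 TTL 11:35:34
Address: 173.194.66.108 TTL 11:35:34
Address: 173.194.78.108 TTL 10:44:28
Address: 173.194.78.109 TTL 10:44:28
Address: 173.194.67.109 TTL 10:49:28
Address: 173.194.67.108 TTL 10:49:28"""
# Constructed syslog lines (302013 build / 106023 deny shape); IDs, ports and 198.51.100.7 are invented.
SYSLOG = """%ASA-6-302013: Built outbound TCP connection 4711 for outside:173.194.67.109/993 (173.194.67.109/993) to inside:192.168.100.81/51234 (192.168.100.81/51234)
%ASA-6-302013: Built outbound TCP connection 4712 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.100.81/51235 (192.168.100.81/51235)
%ASA-4-106023: Deny tcp src inside:192.168.100.81/51236 dst outside:173.194.67.108/995 by access-group "ACL_APP" [0x0, 0x0]"""

# Destination IP/port as written in 302013 ("for outside:") and 106023 ("dst outside:") messages.
DST_RE = re.compile(r"(?:for|dst) outside:(\d+(?:\.\d+){3})/(\d+)")

def parse_dns_cache(text):
    """Return {fqdn: set_of_ips} from one firewall's 'show dns host' output."""
    cache, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name:"):
            current = line.split()[1]
            cache.setdefault(current, set())
        elif line.startswith("Address:") and current:
            cache[current].add(line.split()[1])
    return cache

def missing_per_firewall(caches):
    """Per firewall, IPs another firewall resolved for the same FQDN that this one has not.
    An ACE is generated only for IPs in the local cache, so these are the gaps that drop traffic."""
    names = {n for c in caches.values() for n in c}
    union = {n: set().union(*(c.get(n, set()) for c in caches.values())) for n in names}
    return {fw: {n: union[n] - c.get(n, set()) for n in names} for fw, c in caches.items()}

def annotate_syslog(log_text, caches):
    """Map the real destination IP of each log line to the FQDN whose object resolved it (or None).
    Syslog never carries the FQDN, so the search key must be the IP, as the answer above says."""
    ip_to_name = {ip: n for c in caches.values() for n, ips in c.items() for ip in ips}
    return [(ip, port, ip_to_name.get(ip)) for ip, port in DST_RE.findall(log_text)]

if __name__ == "__main__":
    caches = {"fw-asa1": parse_dns_cache(ASA1_DNS), "fw-asa2": parse_dns_cache(ASA2_DNS)}
    for fw, gaps in missing_per_firewall(caches).items():
        print(fw, {n: sorted(ips) for n, ips in gaps.items()})
    for ip, port, name in annotate_syslog(SYSLOG, caches):
        print(f"{ip}:{port} -> {name or 'no FQDN object'}")
```

Running it reports that fw-asa1 is missing 173.194.67.108 and 173.194.67.109 for pop.gmail.com, which is exactly the subset of Google's round-robin answers it never received; `show access-list` on each ASA would show ACEs only for the addresses in that unit's own cache.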