12-20-2007 08:39 AM - edited 03-12-2019 05:53 PM
DNS queries from an inside interface (high security level) are not making it out of the outside interface (zero security level).
Here's the error:
Dec 20 2007 08:17:43: %ASA-2-106007: Deny inbound UDP from 192.168.1.10/1442 to a.b.129.157/53 due to DNS Query
Dec 20 2007 08:17:43: %ASA-2-106007: Deny inbound UDP from 192.168.1.10/1442 to a.c.153.146/53 due to DNS Query
Tried no dns-guard, removing dns fixup, etc.
I can get to a web server by IP address - that works fine and I see it hit the ACLs when I show logg, but doesn't work by dns/hostname.
Here is my config:
ciscoasa(config)# sh run
: Saved
:
ASA Version 7.0(7)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
names
no dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.224
!
interface Ethernet0/1
description LAN Segment
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd xxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns domain-lookup inside
dns name-server a.b.c.d
dns name-server e.f.g.h
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 host a.b.c.d eq domain log
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 host e.f.g.h eq domain log
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www log
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https log
access-list inside_access_in extended deny ip any any log
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging buffered debugging
logging trap notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.10-192.168.1.25 inside
dhcpd dns a.b.c.d e.f.g.h
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Cryptochecksum:
: end
12-20-2007 09:45 AM
Oh man. My bad.
route inside 0.0.0.0 0.0.0.0 x.x.x.x 1 needed to be route outside...
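The mistake found above (a default route that exits the trusted inside interface, so Internet-bound DNS never leaves via outside) is easy to catch with a config sanity check. The following is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the posted running config and flags any default route whose interface is not the lowest-security one.

```python
import re
# Constructed excerpt of the running config from the thread; the
# "route inside" line is the misconfiguration the poster later fixed.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
"""

def parse_security_levels(config):
    """Map each nameif to its security-level from the interface blocks."""
    levels, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
    return levels

# route <iface> <network> <mask> <next-hop> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")

def check_default_routes(config):
    """Flag default routes that exit anything but the lowest-security interface."""
    levels = parse_security_levels(config)
    lowest = min(levels.values()) if levels else None
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m or (m.group(2), m.group(3)) != ("0.0.0.0", "0.0.0.0"):
            continue
        iface, level = m.group(1), levels.get(m.group(1))
        if level is None:
            findings.append(f"default route via unknown interface '{iface}'")
        elif level != lowest:
            findings.append(f"default route exits '{iface}' (security-level {level}); "
                            f"expected the lowest-security interface (level {lowest})")
    return findings

if __name__ == "__main__":
    for f in check_default_routes(SAMPLE_CONFIG):
        print("WARNING:", f)
```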