cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3452
Views
0
Helpful
1
Replies

DNS queries on ASA are being blocked/intercepted!?!?!

jchrisos
Level 1
Level 1

DNS queries from an inside interface (high security level) are not making it out of the outside interface (zero security level).

Here's the error:

Dec 20 2007 08:17:43: %ASA-2-106007: Deny inbound UDP from 192.168.1.10/1442 to a.b.129.157/53 due to DNS Query

Dec 20 2007 08:17:43: %ASA-2-106007: Deny inbound UDP from 192.168.1.10/1442 to a.c.153.146/53 due to DNS Query

Tried no dns-guard, removing dns fixup, etc.

I can get to a web server buy IP address - that works fine and I see it hit the ACLs when I show logg, but doesn't work by dns/hostname.

Here is my config:

ciscoasa(config)# sh run

: Saved

:

ASA Version 7.0(7)

!

hostname ciscoasa

enable password xxxxxxxxxxxxxxx encrypted

names

no dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.2.3.4 255.255.255.224

!

interface Ethernet0/1

description LAN Segment

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

passwd xxxxxxxxxxxxxxxxx encrypted

ftp mode passive

dns domain-lookup inside

dns name-server a.b.c.d

dns name-server e.f.g.h

access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 host a.b.c.d eq domain log

access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 host e.f.g.h eq domain log

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www log

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https log

access-list inside_access_in extended deny ip any any log

access-list outside_access_in extended deny ip any any log

pager lines 24

logging enable

logging timestamp

logging monitor notifications

logging buffered debugging

logging trap notifications

logging asdm informational

mtu outside 1500

mtu inside 1500

no failover

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route inside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

dhcpd address 192.168.1.10-192.168.1.25 inside

dhcpd dns a.b.c.d e.f.g.h

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable inside

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

Cryptochecksum:

: end

1 Reply 1

jchrisos
Level 1
Level 1

Oh man. My bad.

route inside 0.0.0.0 0.0.0.0 x.x.x.x 1 needed to be route outside...

Review Cisco Networking for a $25 gift card