08-01-2008 12:24 PM - edited 03-11-2019 06:24 AM
Folks,
me again!
I'm trying to allow DNS through an ASA 5540, but though I have a rule allowing the source to the correct destinations with 'domain' as the service, the traffic is being denied.
The traffic is UDP whilst the domain service is TCP.
I've tried adding a new DNS group as TCP-UDP, but I get an error saying this is already created, and when I try to select this group there are no groups available.
Any ideas what I'm doing wrong?
Thanks to anyone taking the time to reply again.
08-02-2008 07:34 AM
Michael,
Generally I write a rule that is specific to the src and dst IPs, using the TCP/UDP port numbers. Group objects are great for large configs for generic services, i.e. HTTP, SMTP, etc. But I like to make troubleshooting easier for myself in these kinds of requirements.
You also need to make sure that the default DNS inspection rule allows for larger TCP/DNS queries/replies (max length).
HTH
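As an added illustration of the approach described in this reply (not configuration from the original thread), the following ASA CLI fragment permits DNS to a resolver for both UDP and TCP 53, checks the DNS inspection message length, and uses packet-tracer to confirm which rule a UDP query actually hits. The hosts 10.1.1.10 (client) and 10.2.2.53 (resolver), the interface name "inside" and the ACL name "inside_access_in" are constructed placeholders.

```cisco
! Constructed example: explicit per-protocol rules, as the reply recommends.
! A 'domain' entry that is TCP-only will silently drop ordinary UDP/53 queries.
access-list inside_access_in extended permit udp host 10.1.1.10 host 10.2.2.53 eq domain
access-list inside_access_in extended permit tcp host 10.1.1.10 host 10.2.2.53 eq domain
access-group inside_access_in in interface inside

! Alternative: a tcp-udp service object-group, which is what the original poster
! was trying to build. The name is a placeholder; pick one not already in use.
object-group service DNS-TCP-UDP tcp-udp
 port-object eq domain

! DNS inspection: the default preset caps messages at 512 bytes. Larger
! EDNS/TCP responses are dropped unless the maximum is raised.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! Verification: simulate a UDP DNS query from the client and read the
! ACCESS-LIST phase of the output to see which ACE matched (or dropped) it.
packet-tracer input inside udp 10.1.1.10 1025 10.2.2.53 53
```

If packet-tracer shows a DROP in the ACCESS-LIST phase for UDP but an ALLOW for TCP, the ACL entry was created for the wrong protocol, which is exactly the mismatch the thread ends up finding. Raising `message-length maximum` only matters once the traffic is already permitted by the ACL.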
08-03-2008 01:15 PM
Andrew,
many thanks for your reply.
I had a better look at the rule and ticked UDP rather than TCP!
Thanks again.
08-04-2008 12:26 AM
NP, glad to help.