inspect-dns-invalid-pak question.

raga.fusionet
Level 10

Hi All,

One of our ASAs seems to be dropping DNS traffic. The users behind it complain that DNS seems to be blocked by the firewall.

The inspect config is the following:

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 2096
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

When checking packet tracer I see the following:

PAN# packet-tracer input inside udp 172.16.1.90 1028 8.8.8.8 53

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect dns _default_dns_map
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (200.46.224.34 [Interface PAT])
    translate_hits = 6809189, untranslate_hits = 990525
Additional Information:
Dynamic translate 172.16.1.90/1028 to 200.46.224.34/4051 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 2800, untranslate_hits = 0
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13772158, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet

The logs are showing this:

PAN# sh log | inc 172.16.1.90
%ASA-6-302015: Built outbound UDP connection 13772299 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:172.16.1.90/55114 (200.46.224.34/4050)
%ASA-6-302016: Teardown UDP connection 13772299 for outside:8.8.8.8/53 to inside:172.16.1.90/55114 duration 0:00:00 bytes 406
%ASA-6-302015: Built outbound UDP connection 13772302 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:172.16.1.90/55114 (200.46.224.34/4050)
%ASA-6-302016: Teardown UDP connection 13772302 for outside:8.8.8.8/53 to inside:172.16.1.90/55114 duration 0:00:00 bytes 199

Why is the Action "drop" in the packet tracer? Shouldn't that be an allow?

Thanks.

Raga
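A small parser for packet-tracer output of the kind quoted above, added here as an example and not part of the original post: it extracts each phase's type and result, the verbatim Config lines, and the final Action plus the Drop-reason code, and lists which "inspect" policy lines the trace actually matched so they can be compared against the running config. The sample text is a constructed abridgement of the output in the post.

```python
# Constructed sample, abridged from the packet-tracer output quoted in the thread.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
policy-map global_policy
 class inspection_default
  inspect dns _default_dns_map
Additional Information:

Result:
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final action and drop-reason code."""
    phases, cur, section, action, drop_code = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Phase":                        # start of a numbered phase
            cur = {"number": int(value), "config": [], "info": []}
            phases.append(cur); section = None
        elif key == "Result" and value == "":     # bare "Result:" opens the final summary
            cur, section = None, "summary"
        elif cur is None:                         # summary (or preamble) lines
            if key == "Action":
                action = value
            elif key == "Drop-reason":            # code is in parentheses, text follows
                drop_code = value.split(")", 1)[0].lstrip("(")
        elif key in ("Type", "Subtype", "Result") and section is None:
            cur[key.lower()] = value
        elif key in ("Config", "Additional Information") and value == "":
            section = "config" if key == "Config" else "info"
        elif line and section:                    # verbatim config / info lines of this phase
            cur[section].append(line)
    return phases, action, drop_code

def inspections_applied(phases):
    """'inspect ...' lines the trace actually matched, for comparison with the running config."""
    return [l for p in phases if p.get("type") == "INSPECT" for l in p["config"] if l.startswith("inspect ")]
```

Feed it the full `packet-tracer` output captured from the ASA; a non-empty drop code identifies which inspection or check rejected the simulated packet.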

2 Replies

raga.fusionet
Level 10

Weird ...

I noticed that it worked for non-DNS UDP ports, i.e. any port number other than 53. So I disabled the inspection for DNS and it seems to be working now:

PAN# packet-tracer input inside udp 172.16.1.90 1028 8.8.8.8 53

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (200.46.224.34 [Interface PAT])
    translate_hits = 6810141, untranslate_hits = 990562
Additional Information:
Dynamic translate 172.16.1.90/1028 to 200.46.224.34/4058 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 2800, untranslate_hits = 0
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13774236, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 200.x.x.33 using egress ifc outside
adjacency Active
next-hop mac address 000b.bf34.b35b hits 414

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Any comments or suggestions on why the inspect failed would be appreciated.

Have a good one.
