09-25-2007 10:31 AM - edited 03-11-2019 04:16 AM
Hello:
I'm getting the following types of log messages on my asa 5505 7.2.
65.32.5.74 PublicIP Deny udp src outside:65.32.5.74/53 dst inside:PublicIP/10521 by access-group "outside_access_in" [0x0, 0x0]
Basically another DNS server is trying to get some updates from me and it's being blocked. Can anyone help me to allow this type of traffic? Below is my config. Thanks much!
name 192.168.1.20 master
name 192.168.1.10 mail
name 192.168.1.3 yoda
name 6.7.8.10 PublicIP
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address PublicIP 255.255.255.248
 ospf cost 10
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service www tcp-udp
 description Web traffic
 port-object eq www
access-list outside_access_in remark Allow for incoming FTP requests
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in remark Allow for incoming Secure SMTP requests
access-list outside_access_in extended permit tcp any interface outside eq 465
access-list outside_access_in remark Allow for incoming Secure IMAP requests
access-list outside_access_in extended permit tcp any interface outside eq 993
access-list outside_access_in remark Allow for incoming smtp requests
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Allow for incoming https requests
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Allow for incoming DNS requests
access-list outside_access_in extended permit udp any interface outside eq domain
access-list outside_access_in remark Allow for incoming DNS requests
access-list outside_access_in extended permit tcp any interface outside eq domain
access-list outside_access_in remark Allow for incoming ssh requests
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in remark Allow for incoming http requests
access-list outside_access_in extended permit tcp any interface outside eq www
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www master www netmask 255.255.255.255
static (inside,outside) udp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface domain master domain netmask 255.255.255.255
static (inside,outside) tcp interface 465 mail 465 netmask 255.255.255.255
static (inside,outside) tcp interface 993 mail 993 netmask 255.255.255.255
static (inside,outside) tcp interface https mail https netmask 255.255.255.255
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh yoda ssh netmask 255.255.255.255
static (inside,inside) PublicIP master netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 6.7.8.9 1
09-25-2007 10:35 AM
"Basically another DNS server is trying to get some updates from me and it's being blocked. Can anyone help me to allow this type of traffic?"
Are you sure? I would think that if that were the case you would see the destination port be 53, not the source, like this... PublicIP/53
09-25-2007 10:43 AM
Not positive, but that IP address definitely resolves to my ISP's "big" DNS in the sky. What does the logger line appear to be blocking? All I know is that all of a sudden some of the domains I hold DNS entries for are having some issues, and I noticed all these denied packets on the DNS port. Thanks for any suggestions.
09-25-2007 10:48 AM
It looks to me like the external dns server is replying to a request from an inside host when the connection in the firewall has already been torn down. Therefore there is no associated connection in the ASA and it drops the packet.
09-25-2007 11:02 AM
Hmm... OK, is that likely to happen from time to time?
Also, I'm seeing these as well; are these also considered 'normal'?
74.237.237.158 PublicIP Deny TCP (no connection) from 74.237.237.158/50518 to PublicIP/80 flags FIN ACK on interface outside
Thanks for your help!!
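A small triage helper for the two deny formats quoted in this thread, added here as an example (not code from the thread or from Cisco). It assumes only the two message layouts shown above; the two sample lines are constructed from those quotes, and the verdicts encode the explanation given in the replies (source port 53 to a high port is a late DNS answer, a FIN/ACK with no connection is a late segment after teardown).

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the two formats quoted in the thread (not live traffic).
SAMPLE_LOGS = [
    'Deny udp src outside:65.32.5.74/53 dst inside:PublicIP/10521 '
    'by access-group "outside_access_in" [0x0, 0x0]',
    'Deny TCP (no connection) from 74.237.237.158/50518 to PublicIP/80 '
    'flags FIN ACK on interface outside',
]
# ACL deny: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
ACL_DENY = re.compile(
    r'Deny (?P<proto>\w+) src \w+:(?P<src>[\w.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dst>[\w.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# Stateful deny: Deny TCP (no connection) from <ip>/<port> to <ip>/<port> flags <F> on interface <if>
NO_CONN = re.compile(
    r'Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\w.]+)/(?P<sport>\d+) '
    r'to (?P<dst>[\w.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface')

@dataclass
class DenyEvent:
    kind: str      # 'acl' or 'no-connection'
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    verdict: str   # triage note for the analyst

def classify(line: str) -> "DenyEvent | None":
    # Parse one ASA deny line (search() tolerates a syslog prefix) and attach a verdict.
    m = ACL_DENY.search(line)
    if m:
        sport, dport = int(m['sport']), int(m['dport'])
        if sport == 53 and dport >= 1024:
            # A DNS answer to an inside query whose UDP conn entry already timed out,
            # so the inbound ACL evaluates it as brand-new traffic and denies it.
            verdict = 'stale DNS reply (expected noise, not an inbound query)'
        elif dport == 53:
            verdict = 'inbound DNS query denied: check the port-53 static and permit'
        else:
            verdict = 'unsolicited inbound traffic denied by ACL'
        return DenyEvent('acl', m['proto'].lower(), m['src'], sport, m['dst'], dport, verdict)
    m = NO_CONN.search(line)
    if m:
        flags = set(m['flags'].split())
        # No SYN and no connection entry: a late FIN/ACK/RST arriving after the teardown.
        verdict = ('late segment after connection teardown (expected noise)'
                   if 'SYN' not in flags else 'SYN with no connection: investigate')
        return DenyEvent('no-connection', m['proto'].lower(), m['src'], int(m['sport']),
                         m['dst'], int(m['dport']), verdict)
    return None
```

Feeding a day's worth of deny lines through classify() and counting verdicts separates the two kinds of expected noise from denies that actually deserve a look.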