
Traffic Allow from Firewall

Warshad
Level 1

When commissioning the two new Windows VMs, we have a problem with the deployment.

There, the servers to be installed cannot reach the DNS server, and it looks as if the traffic goes no further in your customer network.

It seems traffic needs to be allowed through the firewall. I have a very basic understanding of firewalls. I guess I need to create an ACL to allow traffic from source 172.31.200.0/24 and 172.16.1.93 and destination 172.16.1.93. Correct me if I am wrong. What command should I use to allow the traffic for 172.31.200.0/24?

I need to allow the complete subnet 172.31.200.0/24

 

The server has the following IP configuration:

[screenshot: server IP configuration, not reproduced]

 

 

NSLOOKUP ends in a timeout for each request:

[screenshot: nslookup timeouts, not reproduced]

 

 

Tracert:

Here we get to the customer network and then it's over.

[screenshot: tracert output, not reproduced]

A server in the same subnet (SAP-GBN-102-W) can reach the DNS and the queries are answered!

Regards,

Arshad

 

6 Replies

balaji.bandi
Hall of Fame

I take this FW to be an ASA; then look at the ACL below for reference. If you have ASDM, it is easy to allow.

https://community.cisco.com/t5/network-security/cisco-asa-create-acl-for-dns/td-p/3063461

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for the reply. Yes, it's a Cisco ASA. We also have ASDM. Could you please provide a reference guide for ASDM?

Not sure what the topology of your network is: if you are looking to allow your local network to reach the DNS server that was failing, that may resolve your issue.

https://www.youtube.com/watch?v=so0ExziTt2A

BB


The traceroute shows many hops without success?
What is 172.31.255.10?
Start your troubleshooting from there.

172.31.255.10 is a DMZ switch, and there is a Cisco ASA after this switch. So it means I have to allow the traffic on that firewall. Could you please provide me a guide for Cisco ASDM?

ASA 8.X and later: Add or Modify an Access List through the ASDM GUI Configuration Example - Cisco

Your DNS server is 172.16.1.93? And I think this server connects to another DMZ or to the inside?
If yes, then you need:
1. If the DNS server is in a DMZ/inside interface that has the same security level, then you need
   same-security-traffic permit inter-interface
2. If the DNS server is in a DMZ/inside interface with a different security level, you need an ACL:
   access-list <name> extended permit udp any host x.x.x.x eq 53
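An added example of the ASA CLI configuration the last reply describes for the original poster's addresses; this is not code from the thread or from Cisco. It assumes the 172.31.200.0/24 servers enter the ASA on an interface named dmz with a lower security level than the interface named inside that holds 172.16.1.93, and that no ACL is applied inbound on dmz yet. The ACL name DMZ_IN and the packet-tracer source address 172.31.200.10 are placeholders; lines starting with ! are annotations, not commands to paste.

```cisco
! Permit DNS from the server subnet to the DNS host only.
! TCP 53 is included because resolvers fall back to TCP for responses
! that do not fit in a UDP datagram.
access-list DMZ_IN extended permit udp 172.31.200.0 255.255.255.0 host 172.16.1.93 eq domain
access-list DMZ_IN extended permit tcp 172.31.200.0 255.255.255.0 host 172.16.1.93 eq domain
! Everything else entering dmz is dropped by the implicit deny at the end of the ACL.

! Apply the ACL inbound on the interface where the traffic enters the ASA.
access-group DMZ_IN in interface dmz

! Only needed if dmz and inside share the same security level (see reply above).
! same-security-traffic permit inter-interface

! Verification: simulate one DNS query through the ASA (source port is arbitrary)
! and check that the hit counter on the ACE increments.
packet-tracer input dmz udp 172.31.200.10 53000 172.16.1.93 53
show access-list DMZ_IN
```

Two caveats before applying this on a production ASA. First, `access-group` binds one ACL per direction per interface; if an ACL is already applied inbound on dmz, add the two ACEs to that ACL instead of creating DMZ_IN, or the existing rules are replaced. Second, once any ACL is applied to an interface, the implicit deny applies to all traffic entering it, so flows that were previously allowed by security level alone must now be permitted explicitly. After the change, repeat the nslookup from the VM; if packet-tracer shows the flow as allowed but nslookup still times out, look at NAT and the return path rather than the ACL.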
