About Joseph Da Rosa

Joseph Da Rosa · 04-09-2013

I've upgraded some old PIXen to ASAs running 9.1(1) in the past few months, and have seen plenty of these:Apr 8 16:33:32 myasa %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 13 per second, max configured rate is 50; Current a...

Joseph Da Rosa · 02-26-2013

How can I debug ASA (9.1(1)) DNS inspection? Specifically, the ASA is blocking the queries associated with dig requests like the following from ever reaching "the.name.server": dig @the.name.server -t ptr 1.2.3.4.reverse.somedomain.com.And I'd lik...

Joseph Da Rosa · 02-07-2013

I've got a PIX running 7.2(4) with its outside interface on the Internet. The only thing this PIX is doing is acting as the endpoint for an IPSEC LAN-to-LAN tunnel with an Internet-connected ASA on another network.I'd like to filter inbound Internet...

Joseph Da Rosa · 01-15-2013

Simple question (I hope): I've got an ASA with an IP address of 10.1.1.1 on its inside interface and an IP address of 10.6.6.6 on its DMZ interface. I have an inside host, 10.1.1.2, which is able to ping the ASA's inside IP of 10.1.1.1. Should this...

Joseph Da Rosa · 10-23-2012

We're looking for Cisco switches with the following attributes to serve as the core switches in a production network:1U (or close), fixed config20 or more 1GbE copper ports4 or more 1/10GbE fiber ports (SFP+)Not ridiculously expensiveSo far the close...

Joseph Da Rosa · 04-12-2013

I'm going to take the lack of responses as a "no, it's not useful". I'm at the point where I'm considering just disabling scanning threat detection entirely, which is a bit of a shame since that's one of the more desirable features for a firewall, b...

Joseph Da Rosa · 03-03-2013

Filed as Cisco bug Id CSCue87407:DNS: Inspection drops non in-addr.arpa PTR queries. Symptom:Non 'in-addr.arpa' PTR queries through an ASA firewall configured for DNS inspection will be dropped. For example a PTR query for IP 203.0.113.100 normall...

Joseph Da Rosa · 02-26-2013

Turns out the ASA under 9.1(1) won't even resolve PTR requests under IN-ADDR.ARPA (uppercase) vs in-addr.arpa (lowercase)--e.g., it'll give the "Parsing of failed" message for a PTR query for 1.2.3.4.IN-ADDR.ARPA, even though that's inarguably a val...

Joseph Da Rosa · 02-26-2013

So it looks like the problem is that the ASA rejects (or more specifically, fails to parse) any PTR query that starts with w.x.y.z but does not end in in-addr.arpa. For example, if you do "dig @6.6.6.6 -t ptr 1.2.3.4.in-addr.arpa." you'll get the fo...

Joseph Da Rosa · 02-26-2013

Yeesh, how did I miss those? Thanks.This is what I see when I do "debug inspect dns packets" and then execute the specified dig command:asa# debug inspect dns packetsDNS request: Flags=100 (Qs=1 An=0 Au=0 Ad=0)Flow is regularPre-NAT (not 46) dn=1.2....

Member Since	‎10-23-2012 07:29 PM
Date Last Visited	‎07-18-2018 12:03 AM
Posts	21

User Statistics

User Activity

Is %ASA-4-733100 ever useful?

Debugging ASA DNS inspection

How to filter L2L traffic to a PIX (or ASA)

Should an inside host be able to ping the ASA DMZ interface IP?

Good low-density (~24-port) 1/10GbE switch?

Is %ASA-4-733100 ever useful?

Re: Debugging ASA DNS inspection

Re: Debugging ASA DNS inspection

Re: Debugging ASA DNS inspection

Re: Debugging ASA DNS inspection