I've upgraded some old PIXen to ASAs running 9.1(1) in the past few months, and have seen plenty of these:

Apr 8 16:33:32 myasa %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 13 per second, max configured rate is 50; Current a...
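As an added example (not code from the thread or from Cisco), here is a small parser for the %ASA-4-733100 "drop rate exceeded" message quoted above, run over a few constructed log lines. It pulls out the object, the rate ID and the four rate figures, and reports which threshold (burst or average) actually tripped, which is the part a practitioner needs before deciding whether to tune the rates or drop scanning threat detection altogether. The field layout follows Cisco's documented format for 733100; the sample lines and their numbers are made up.

```python
"""Added example: parse %ASA-4-733100 threat-detection messages and report
which threshold tripped, per object. Not code from the thread or from Cisco;
the sample log lines below are constructed."""
import re
from collections import defaultdict

# Documented layout of 733100:
# %ASA-4-733100: [ object ] drop rate-<id> exceeded. Current burst rate is <n> per
# second, max configured rate is <n>; Current average rate is <n> per second, max
# configured rate is <n>; Cumulative total count is <n>
MSG_733100 = re.compile(
    r"%ASA-\d-733100:\s*\[\s*(?P<object>.+?)\s*\]\s*drop rate-(?P<rate_id>\d+) exceeded\.\s*"
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+);\s*"
    r"Current average rate is (?P<average>\d+) per second, max configured rate is (?P<average_max>\d+);\s*"
    r"Cumulative total count is (?P<total>\d+)"
)


def parse_733100(line: str):
    """Return the parsed fields plus which threshold was exceeded, or None
    if the line is not a 733100 message."""
    m = MSG_733100.search(line)
    if not m:
        return None
    rec = {k: int(v) for k, v in m.groupdict().items() if k != "object"}
    rec["object"] = m.group("object")
    # The message fires when either configured rate is exceeded; work out which.
    rec["burst_exceeded"] = rec["burst"] > rec["burst_max"]
    rec["average_exceeded"] = rec["average"] > rec["average_max"]
    return rec


# Constructed sample log (assumption): two Scanning events where only the
# average rate is over its limit, one ACL-drop event where the burst rate is
# over, and one unrelated connection-build line that must be ignored.
SAMPLE_LOG = """\
Apr  8 16:33:32 myasa %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 13 per second, max configured rate is 50; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 4122
Apr  8 16:34:02 myasa %ASA-4-733100: [ ACL drop] drop rate-1 exceeded. Current burst rate is 612 per second, max configured rate is 400; Current average rate is 40 per second, max configured rate is 100; Cumulative total count is 18093
Apr  8 16:34:05 myasa %ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.2/50411 (203.0.113.2/50411)
Apr  8 16:43:32 myasa %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 9 per second, max configured rate is 50; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4301
"""


def summarize(log_text: str):
    """Group 733100 events by object and count which threshold tripped."""
    summary = defaultdict(lambda: {"events": 0, "burst": 0, "average": 0, "last_total": 0})
    for line in log_text.splitlines():
        rec = parse_733100(line)
        if rec is None:
            continue
        s = summary[rec["object"]]
        s["events"] += 1
        s["burst"] += int(rec["burst_exceeded"])
        s["average"] += int(rec["average_exceeded"])
        s["last_total"] = rec["total"]
    return dict(summary)


if __name__ == "__main__":
    for obj, s in summarize(SAMPLE_LOG).items():
        print(f"{obj:<10} events={s['events']} burst_trips={s['burst']} "
              f"average_trips={s['average']} cumulative={s['last_total']}")
```

When the burst figure is below its maximum, as in the line quoted in the post, it is the average-rate clause further along the message that tripped, so that is the rate to look at when tuning rather than the burst rate.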
How can I debug ASA (9.1(1)) DNS inspection? Specifically, the ASA is blocking the queries associated with dig requests like the following from ever reaching "the.name.server":

dig @the.name.server -t ptr 1.2.3.4.reverse.somedomain.com.

And I'd lik...
I've got a PIX running 7.2(4) with its outside interface on the Internet. The only thing this PIX is doing is acting as the endpoint for an IPSEC LAN-to-LAN tunnel with an Internet-connected ASA on another network. I'd like to filter inbound Internet...
Simple question (I hope): I've got an ASA with an IP address of 10.1.1.1 on its inside interface and an IP address of 10.6.6.6 on its DMZ interface. I have an inside host, 10.1.1.2, which is able to ping the ASA's inside IP of 10.1.1.1. Should this...
We're looking for Cisco switches with the following attributes to serve as the core switches in a production network:

- 1U (or close), fixed config
- 20 or more 1GbE copper ports
- 4 or more 1/10GbE fiber ports (SFP+)
- Not ridiculously expensive

So far the close...
I'm going to take the lack of responses as a "no, it's not useful". I'm at the point where I'm considering just disabling scanning threat detection entirely, which is a bit of a shame since that's one of the more desirable features for a firewall, b...
Filed as Cisco bug Id CSCue87407: DNS: Inspection drops non in-addr.arpa PTR queries.

Symptom: Non 'in-addr.arpa' PTR queries through an ASA firewall configured for DNS inspection will be dropped. For example a PTR query for IP 203.0.113.100 normall...
Turns out the ASA under 9.1(1) won't even resolve PTR requests under IN-ADDR.ARPA (uppercase) vs in-addr.arpa (lowercase)--e.g., it'll give the "Parsing of failed" message for a PTR query for 1.2.3.4.IN-ADDR.ARPA, even though that's inarguably a val...
So it looks like the problem is that the ASA rejects (or more specifically, fails to parse) any PTR query that starts with w.x.y.z but does not end in in-addr.arpa. For example, if you do "dig @6.6.6.6 -t ptr 1.2.3.4.in-addr.arpa." you'll get the fo...
Yeesh, how did I miss those? Thanks. This is what I see when I do "debug inspect dns packets" and then execute the specified dig command:

asa# debug inspect dns packets
DNS request: Flags=100 (Qs=1 An=0 Au=0 Ad=0)
Flow is regular
Pre-NAT (not 46) dn=1.2....
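As an added example (not code from the thread, from Cisco, or from the bug report), the following Python builds real PTR queries in DNS wire format, parses the question back out, and contrasts two inspection rules over them: an assumed emulation of the drop rule the thread infers (any QNAME that starts with a dotted quad must end in the lowercase literal in-addr.arpa) and the check a correct DNS inspector may legitimately apply (label and name length limits only, with case ignored). The emulated rule and the sample names are assumptions; the ASA's actual parser is not public, so this only reproduces the behaviour described in the posts above.

```python
"""Added example: PTR queries in wire format, round-tripped and checked two
ways. Not code from the thread or from Cisco; the 'strict' rule is an assumed
emulation of the behaviour described in the posts, and the names are constructed."""
import re
import struct

QTYPE_PTR, QCLASS_IN = 12, 1


def build_ptr_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive PTR/IN query for qname (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    wire = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {qname!r}")
        wire += bytes([len(raw)]) + raw
    return header + wire + b"\x00" + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass) of the single question in a query packet."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query's QNAME
            raise ValueError("compressed label in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass


DOTTED_QUAD_PREFIX = re.compile(r"^(\d{1,3}\.){4}")


def strict_suffix_check(qname: str) -> bool:
    """Assumed emulation of the drop rule inferred in the thread: a case-sensitive,
    lowercase-only 'in-addr.arpa' suffix match on any name that begins w.x.y.z."""
    if DOTTED_QUAD_PREFIX.match(qname):
        return qname.endswith("in-addr.arpa.")
    return True


def rfc_name_check(qname: str) -> bool:
    """What an inspector may legitimately enforce on a PTR QNAME: label and total
    length limits. PTR is not restricted to in-addr.arpa, and name comparison is
    case-insensitive (RFC 1035 sections 2.3.3 and 3.3.12)."""
    name = qname.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(0 < len(label) <= 63 for label in name.split("."))


SAMPLE_NAMES = [  # constructed, mirroring the cases discussed in the thread
    "4.3.2.1.in-addr.arpa.",
    "4.3.2.1.IN-ADDR.ARPA.",
    "1.2.3.4.reverse.somedomain.com.",
    "100.113.0.203.in-addr.arpa.",
]


def classify(names=SAMPLE_NAMES):
    """Round-trip each name through wire format and apply both checks."""
    results = {}
    for name in names:
        qname, qtype, qclass = parse_question(build_ptr_query(name))
        assert qtype == QTYPE_PTR and qclass == QCLASS_IN
        results[qname] = {
            "dropped_by_strict_rule": not strict_suffix_check(qname),
            "valid_per_rfc": rfc_name_check(qname),
        }
    return results


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:<34} {verdict}")
```

Under the strict rule the uppercase IN-ADDR.ARPA query and the reverse.somedomain.com query are both dropped even though both are well-formed; the length-only check passes all four, which is the behaviour to expect from DNS inspection once the bug is fixed.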