ASA5510, internal, deny inbound, due to DNS Query

netjess (MIS) (OP)
19 Aug 11 11:22
I have an ASA5510 running ASA v7.0(8) in routed firewall mode. It is set up as the internal router and default gateway.
I was asked to set up a wireless router; I chose a D-Link DIR-815.
I have it all set up, but I cannot get any name resolution.
The firewall is blocking traffic that is all internal.
The message in the log is: Deny inbound UDP from 192.168.1.246/xxxx to 192.168.1.10/53 due to DNS Query.

.246 being the "WAN" port of my wireless router and .10 being my DNS server.

I tried adding an ACL "access-list dns extended permit udp any eq 53 any", but this didn't help.

Any ideas? Thanks.
brianinms (MIS)
19 Aug 11 19:53
Are you sure you have your subnet mask correct on the wireless router? It sounds like you would be better with an AP than a router.
netjess (MIS) (OP)
20 Aug 11 20:33
The subnet is OK; I can access the admin console at the IP 192.168.1.246. I used a router to segregate the wireless traffic from the regular LAN traffic.
captsnappy (Programmer)
23 Aug 11 14:50
I bet posting your config would help....
netjess (MIS) (OP)
24 Aug 11 15:41
I am leery about just posting my config to an open forum. I would, however, PM a copy to someone that asks.
netjess (MIS) (OP)
24 Aug 11 15:55
Some other information: it must have something to do with the way the w-router sends the packets.
I set it up like an AP, just using the LAN ports and putting the same IP address 192.168.1.246/24 as the device IP, and it works just fine. Also, in the regular setup, if you knew the IP you could pass traffic just fine; the only trouble was if a DNS query is required, then it fails.
unclerico (IS/IT--Management)
24 Aug 11 18:40
netjess, don't worry about posting your config. Sanitize it and post it. It is very hard for us to troubleshoot without seeing what you've got configured.

It doesn't make sense for the ASA to even see the DNS traffic, since your WAN port and the DNS server are in the same broadcast domain. Once again, a sanitized config will help here.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

netjess (MIS) (OP)
25 Aug 11 11:40
Well, OK, Here it is.

ASA Version 7.0(8)
!
hostname PrimaryASA5510
domain-name grunt.com
enable password encrypted
passwd encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 66.210.181.244 255.255.255.128
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.254 255.255.255.0
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
access-list outside_acl extended permit tcp any host 66.210.181.181 eq www
access-list outside_acl extended permit tcp any host 66.210.181.141 eq smtp
access-list outside_acl extended permit tcp any host 66.210.181.141 eq www
access-list outside_acl extended permit tcp any host 66.210.181.230 eq smtp
access-list outside_acl extended permit tcp any any eq https inactive
access-list outside_acl extended permit tcp any any eq www
access-list dns extended permit udp any eq domain any
access-list dns extended permit udp any any eq domain
access-list dns extended permit tcp any any eq domain
pager lines 15
logging enable
logging buffered debugging
logging trap debugging
logging asdm informational
logging facility 23
logging host inside 192.168.1.10
no logging message 305012
no logging message 305011
no logging message 710005
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609001
no logging message 302016
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool Remote 192.168.194.1-192.168.194.254
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover link FAILOVER Ethernet0/3
failover interface ip FAILOVER 10.1.253.254 255.255.255.252 standby 10.1.253.253
monitor-interface outside
monitor-interface inside
monitor-interface dmz
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 66.210.181.190 192.168.1.190 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 66.210.181.129 1
route inside 192.168.0.0 255.255.255.0 192.168.1.246 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host outside 207.67.3.200 community
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map map2 40 set security-association lifetime seconds 28800
crypto dynamic-map map2 40 set security-association lifetime kilobytes 4608000
crypto map VpnMap 20 match address l2lvpn
crypto map VpnMap 20 set peer
crypto map VpnMap 20 set transform-set esp-3des-sha
crypto map VpnMap 20 set security-association lifetime seconds 28800
crypto map VpnMap 20 set security-association lifetime kilobytes 4608000
crypto map VpnMap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp disconnect-notify
pre-shared-key *
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server inside 192.168.1.28 /
ssl encryption des-sha1 rc4-md5
unclerico (IS/IT--Management)
25 Aug 11 14:01
OK, so from the looks of your config the D-Link is not NATing traffic. Now it makes more sense. Add same-security-traffic permit intra-interface to your config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

netjess (MIS) (OP)
25 Aug 11 16:38
unclerico, Thanks.
 I will try that when I can get back to it. I'll post and let you know one way or the other.
netjess (MIS) (OP)
30 Aug 11 17:56
Well, I was hopeful, but now I am getting an error:

3|Aug 30 2011 16:08:21|305006: portmap translation creation failed for udp src inside:192.168.1.246/33780 dst inside:192.168.1.10/53

I just don't get why it handles traffic from the WAN interface of the D-Link any differently than from another device on the internal network. I have tried this with "enable DNS relay" on the D-Link both off and on.
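
An added example, not part of the original thread and not either poster's configuration, showing the two-step change that unclerico's suggestion implies when read against the config posted above. Step one (same-security-traffic permit intra-interface) stops the ASA dropping the hairpinned .246 -> .10 query (the "Deny inbound UDP ... due to DNS Query" message, syslog ID 106007). After that, the dynamic rule "nat (inside) 1 0.0.0.0 0.0.0.0" matches the inside-to-inside flow, and because there is no "global (inside) 1" pool the ASA cannot build a PAT entry, which is exactly what 305006 "portmap translation creation failed" reports. Step two exempts inside-to-inside traffic from NAT. The ACL name no-nat is taken from the existing "nat (inside) 0 access-list no-nat" line; the ACL body is not in the posted config, so its entries here are assumed, as is the 192.168.0.0/24 wireless subnet (inferred from the "route inside 192.168.0.0 ..." line).

```cisco
! Added example; not the poster's running config.
! Assumed: inside = 192.168.1.0/24, wireless LAN behind the D-Link = 192.168.0.0/24,
! D-Link WAN = 192.168.1.246, DNS server = 192.168.1.10.

! --- As posted (relevant lines only). With these alone, a packet that arrives on
! inside and must leave on inside is dropped: the ASA never forwards a packet back
! out the interface it came in on unless explicitly allowed.
!   %ASA-2-106007: Deny inbound UDP from 192.168.1.246/xxxx to 192.168.1.10/53 due to DNS Query
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat

! --- Step 1 (unclerico's suggestion): allow hairpinning on a single interface.
! The query is now accepted, but dynamic NAT rule 1 matches it and there is no
! 'global (inside) 1', so the xlate cannot be created:
!   %ASA-3-305006: portmap translation creation failed for udp
!                  src inside:192.168.1.246/33780 dst inside:192.168.1.10/53
same-security-traffic permit intra-interface

! --- Step 2: NAT-exempt inside-to-inside traffic. Exemption (nat 0 access-list)
! is evaluated before dynamic rule 1. Keep it scoped to the LAN subnets, not
! 'any any', so traffic bound for the Internet is still PATted by rule 1.
! Both orientations are listed explicitly so replies from .10 back toward the
! 192.168.0.0/24 wireless clients (routed via .246) are also exempt.
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

! Alternative if you would rather not touch the no-nat ACL: an identity static
! on the same interface pair achieves the same exemption for the inside /24.
!   static (inside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! --- Verify. 7.0(8) has no packet-tracer (that arrived in 7.2), so check the
! log and the xlate table instead: no new 305006 entries, and no PAT entry
! for 192.168.1.246 -> 192.168.1.10 should appear.
!   show running-config same-security-traffic
!   show logging | include 305006
!   show xlate
```

Two checks worth making alongside the change. First, the "access-list dns" entries in the posted config are never bound to an interface with access-group, so they had no effect either way; nothing in an ACL was blocking the query, since no ACL is applied to inside at all, and the drop comes from the default intra-interface behaviour. Second, as unclerico pointed out, the real oddity is that a query between two hosts on the same /24 reaches the ASA in the first place. One possibility (an assumption, not something the thread confirms) is that the D-Link's WAN side forwards everything to its default gateway instead of ARPing for 192.168.1.10 directly; if so, the hairpin is being manufactured by the D-Link, and giving its WAN port its own subnet, or running it as an AP as the poster found works, removes the hairpin and the need for the permit altogether.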
