
Cisco-ASA 5505, Basic firewall setup

We have a small network with a Windows Server 2008 server; the Windows server is the network DNS and DHCP server. We used to use a D-Link router for connecting the network to the Internet and everything was working fine; in Windows Server I had the router as gateway and turned off the DNS and DHCP on the router. We replaced the router with a Cisco ASA 5505 for better security, but the Internet from the office doesn't work. Although I don't want DNS on the firewall, just for a test I added the ISP DNS servers to the firewall; then the Internet started working, but it acts strangely: it can connect to some web sites but it cannot find other sites. It seems like a DNS problem. What should I do?
It seems that if I don't have DNS on the firewall, the firewall blocks my Windows server from connecting to remote DNS, and if I add the DNS, it somehow conflicts with the Windows DNS and somehow cannot resolve some addresses. I don't want any DNS setting on the firewall; I just want the firewall to let the Windows DNS requests through.
Please let me know if you need any more info, I included the Firewall configuration in the code part.
Thank you in advance - Sasan
 
ASA Version 8.0(4) 
!
hostname ciscoasa
domain-name disternetdomain.com
enable password XXXXXXXXXXXXX encrypted
passwd XXXXX.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.22.0.1 255.255.252.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 64.59.144.90
 name-server 64.59.144.91
 name-server 64.59.144.18
 name-server 64.59.144.19
 domain-name disternetdomain.com
access-list inside_access_in extended permit ip any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.22.0.0 255.255.252.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:a66a5ecb6f3cc9f767ef3302e0910b8b
: end

Asked by: esasan
 
bignewf commented:
Get rid of these:

access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

The ASA by default allows all traffic inside>out unless blocked by access lists.
I see many issues with the access-group inside command like you are having.

Generally, you don't need to specify Internet servers in the ASA, so first remove the above access-lists and try.
Generally, if the inside hosts point to a DNS server in their configuration, whether from DNS forwarders in the internal DNS server or on their NIC configuration, then the external DNS server IPs should not be necessary in the ASA.
As long as there are no access-lists blocking outbound traffic, you should be fine.

It is rare that you need to open UDP port 53 from outside>inside on the ASA for this issue.
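As an added illustration (not code from the thread), this Python checker parses the relevant lines of the posted config and flags bignewf's point: with security-level 100 on inside and 0 on outside the ASA already permits inside>out, so a permit ip any any ACL bound to inside is redundant, and any other ACL there takes over the decision. It also flags name-servers configured on the ASA, which the asker wanted removed. The config excerpt is constructed from the question's configuration; the finding codes are my own.

```python
# Constructed excerpt of the ASA 8.0(4) config posted in the question.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
dns server-group DefaultDNS
 name-server 64.59.144.90
 name-server 64.59.144.91
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
"""

def parse_asa(text):
    """Return (security level by nameif, ACL rules by name, inbound ACL by interface, DNS servers)."""
    levels, acls, bound, dns, nameif = {}, {}, {}, [], None
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "nameif":
            nameif = p[1]
        elif p[0] == "security-level" and nameif:
            levels[nameif] = int(p[1])
        elif p[0] == "access-list" and len(p) > 3:  # access-list NAME extended permit ip any any
            acls.setdefault(p[1], []).append(" ".join(p[3:]))
        elif p[0] == "access-group" and len(p) == 5 and p[2] == "in":  # access-group NAME in interface IFACE
            bound[p[4]] = p[1]
        elif p[0] == "name-server":
            dns.append(p[1])
    return levels, acls, bound, dns

def audit(text):
    """Findings a reviewer would raise about the config, as short codes."""
    levels, acls, bound, dns = parse_asa(text)
    findings = []
    inside, outside = levels.get("inside"), levels.get("outside")
    if inside is not None and outside is not None and inside > outside:
        if "inside" not in bound:
            findings.append("default-allow-inside-to-outside")  # higher to lower level needs no ACL
        elif acls.get(bound["inside"]) == ["permit ip any any"]:
            findings.append("redundant-permit-any-acl-on-inside")  # bignewf's advice: remove it
        else:
            findings.append("acl-on-inside-overrides-default")  # the ACL now decides what leaves
    if dns:
        findings.append("dns-servers-configured-on-firewall")  # asker wanted none on the ASA
    return findings
```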
 
esasan (Author) commented:
Before I read your comment, I did the following:
1. Removed all DNS entries from the ASA.
2. Activated DNS lookup on the outside interface.
3. Added a static route as 0.0.0.0 0.0.0.0 to the ISP gateway address X.X.X.X and subnet.
After that it seems everything is working fine.
Thanks for your response.