I am trying to configure an ASA 5510 with an ACL that has more control of outward flow.
The network is simple - 2811 for T1 connection to ISP. 2811 connects to ASA and for now we have 3 PCs hanging off ASA for testing.
Right now there are no ACL's applied to interfaces so everything is good in to out and vice versa!
I had tried to lock down the ASA box using a pretty detailed ACL going from INSIDE to OUT, and for simplicity just had an ACL on OUTSIDE coming IN as permit any any.
There are some remote apps that this customer needs to access, so the INSIDE_OUT ACL has some allowing those specific ports...
When I initially applied the INSIDE_OUT ACL together with the OUTSIDE_IN - everything appeared to work well... Users could access the remote apps
Trouble started when I tried to open IE and browse to www.cisco.com
The PC could not resolve this address. But when I pasted in the IP address, it works fine.
I tried to change the PC's LAN settings to have the DNS be 184.108.40.206 (Public internet) but it made no difference.
I have pasted the config as it sits right now. I tried to play with the DNS settings - so the config may be wrong.
Could someone help me with why the PC cannot resolve against the 220.127.116.11 when it can ping 18.104.22.168? and therefore what would be the correct config?
Going forward they would like to have their Domain Controller added to this test network. In that scenario, would there be additional configuration on the ASA that I would need to do?
Note ** I did try and add DNS entries to the ACL... so they may be wrong too.
Any help is seriously appreciated..
Note that I have taken off the ACL from the interface...
ASA-5510-BR***# sh run
ASA Version 8.2(1)
enable password ********m encrypted
passwd ******** encrypted
ip address 22.214.171.124 255.255.255.128
ip address 192.168.2.11 255.255.255.0
no ip address
no ip address
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit udp any any
access-list INSIDE_OUT extended permit tcp any any eq 17149
access-list INSIDE_OUT extended permit udp any eq 551 any eq 551
access-list INSIDE_OUT extended permit tcp any any eq 9700
access-list INSIDE_OUT extended permit tcp any any eq 5940
access-list INSIDE_OUT extended permit tcp any any eq https
access-list INSIDE_OUT extended permit tcp any any eq 444
access-list INSIDE_OUT extended permit tcp any any eq ftp
access-list INSIDE_OUT extended permit tcp any any eq ftp-data
access-list INSIDE_OUT extended permit icmp any any echo
access-list INSIDE_OUT extended permit icmp any any echo-reply
access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit tcp any range 1025 65535 any eq 551
access-list INSIDE_OUT extended permit udp any eq domain any
access-list INSIDE_OUT extended permit tcp any eq domain any
pager lines 24
logging buffer-size 16384
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1
route inside 10.11.15.0 255.255.255.0 192.168.2.63 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 10
console timeout 10
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username vbuendia password ********** encrypted privilege 15
username administrator password *********** encrypted privilege 15
policy-map type inspect dns migrated_dns_map_1
message-length maximum 512
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect icmp error
service-policy global_policy global
prompt hostname context
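The two DNS lines in the posted INSIDE_OUT ACL (`permit udp any eq domain any` and `permit tcp any eq domain any`) put port 53 on the source side, but a PC's DNS query leaves the inside interface with an ephemeral source port and destination port 53, so neither line matches it and the ACL's implicit deny drops the query; pinging a literal IP works because the echo rules are written the other way round. The added example below is not part of the original post or of any Cisco code: it is a small parser and first-match evaluator for the `access-list ... extended` subset used in the config (`any` addresses, `eq`/`range` ports, implicit deny at the end), fed with the posted lines and with the corrected form `access-list INSIDE_OUT extended permit udp any any eq domain` (plus the tcp equivalent for large responses). The packet values are constructed for illustration.

```python
"""Toy ASA-style ACL evaluator (added example, not Cisco code).

Supports only the subset seen in the posted config:
  access-list NAME extended <permit|deny> <proto> any [eq P | range A B] any [eq P | range A B]
Trailing tokens such as an ICMP type are ignored. Addresses other than 'any'
are not supported, which is enough to show the source/destination port mix-up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names the posted config uses.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443, "ftp": 21, "ftp-data": 20}

PortSpec = Optional[Tuple[int, int]]  # None means "any", else inclusive (lo, hi)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    proto: str
    src: PortSpec
    dst: PortSpec


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_port_spec(t: List[str], i: int) -> Tuple[PortSpec, int]:
    """Parse an optional 'eq P' or 'range A B' after an address token."""
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_acl_line(line: str) -> Rule:
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = t[1], t[3], t[4]
    if t[5] != "any":
        raise ValueError("only 'any' source addresses are supported here")
    src, i = _parse_port_spec(t, 6)
    if t[i] != "any":
        raise ValueError("only 'any' destination addresses are supported here")
    dst, _ = _parse_port_spec(t, i + 1)
    return Rule(name, action, proto, src, dst)


def _in(spec: PortSpec, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    for r in rules:
        if r.proto == pkt.proto and _in(r.src, pkt.src_port) and _in(r.dst, pkt.dst_port):
            return r.action
    return "deny"


# DNS-related lines exactly as they appear in the posted INSIDE_OUT ACL.
POSTED_DNS_LINES = [
    "access-list INSIDE_OUT extended permit udp any eq domain any",
    "access-list INSIDE_OUT extended permit tcp any eq domain any",
]

# Corrected form: port 53 belongs on the destination side for outbound queries.
FIXED_DNS_LINES = [
    "access-list INSIDE_OUT extended permit udp any any eq domain",
    "access-list INSIDE_OUT extended permit tcp any any eq domain",
]

# Constructed packet: a PC resolving a name, ephemeral source port, destination 53.
CLIENT_QUERY = Packet("udp", 49152, 53)


def verdict(acl_lines: List[str], pkt: Packet = CLIENT_QUERY) -> str:
    """Return 'permit' or 'deny' for pkt under the given ACL text."""
    return evaluate([parse_acl_line(l) for l in acl_lines], pkt)


if __name__ == "__main__":
    print("posted lines:", verdict(POSTED_DNS_LINES))   # deny
    print("fixed lines: ", verdict(FIXED_DNS_LINES))    # permit
```

The posted lines only ever match traffic whose *source* port is 53, i.e. the reply direction, which a stateful ASA already lets back in through the connection table and which never needs an ACL entry of its own. A domain controller doing its own recursive lookups sends queries the same way (ephemeral source, destination 53), so the corrected lines cover that case as well; tightening the destination from `any` to the specific resolver addresses is the usual next step once the test network is stable.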