Cisco ASA 5505 : Deny inbound UDP from 10.0.1.x/64752 to 41.203.18.x/53 due to dns query

Asked by NobsVuba
5,218 Views
Last Modified: 2012-08-21
Our Cisco ASA firewall was working just fine, but now we can't access the internet...

Cisco ASA 5505 : Deny inbound UDP from 10.0.1.x/64752 to 41.203.18.x/53 due to dns query
Inbound TCP connection denied from 10.0.1.x/58933 to 41.203.x.x/80 FLAGS SYN on interface outside..

Here is the config:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name elundini.co.za
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.100 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 196.25.145.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone SAST 2
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 196.43.1.11
 name-server 10.0.1.2
 name-server 10.0.1.5
 domain-name elundini.co.za
object-group service DM_INLINE_UDP_1 udp
 port-object eq dnsix
 port-object eq domain
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq https
access-list outside_in extended permit udp any any eq www
access-list outside_in extended permit tcp any host 41.203.18.57 eq smtp
access-list outside_in extended permit ip 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_in extended permit ip 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0 inactive
access-list outside_in extended permit tcp any host 41.203.18.57 eq pop3
access-list outside_in extended permit tcp any any eq 3389
access-list outside_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list outside_in extended permit tcp any any eq 30566
access-list outside_in extended permit tcp any any eq domain
access-list outside_in extended deny tcp any host 41.203.18.57 eq smtp
access-list outside_in extended deny tcp any host 41.203.18.57 eq pop3
access-list outside_in extended permit udp any any eq dnsix
access-list outside_in extended permit ip any any
access-list inside_in extended permit tcp any any
access-list inside_in extended permit tcp 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit tcp 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit udp 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit udp 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit tcp 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit icmp any any
access-list inside_nat0_outbound_1 extended permit ip any 192.168.10.0 255.255.255.128
access-list ElundiniVPN_split-tunnelAcl extended permit ip 10.0.1.0 255.255.255.0 any
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ELMRemote 192.168.10.5-192.168.10.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 30566 10.0.1.253 30566 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.25.145.57 1
route inside 192.6.11.0 255.255.255.0 10.0.1.254 1
route inside 192.6.12.0 255.255.255.0 10.0.1.254 1
route inside 192.6.13.0 255.255.255.0 10.0.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 10.0.1.2 interface inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption des-sha1
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ElundiniVPN internal
group-policy ElundiniVPN attributes
 wins-server value 10.0.1.2
 dns-server value 196.43.1.11 10.0.1.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ElundiniVPN_split-tunnelAcl
 default-domain value elundini.gov.za
username nobsvpn password bCKbXonmoQ2dCHZj encrypted privilege 0
username nobsvpn attributes
 vpn-group-policy ElundiniVPN
username nosiphelo password /iWGVY8lKf/5GfEG encrypted
username nosiphelo attributes
 service-type remote-access
username nonkuselos password 7dJowSjKehEGobfu encrypted
username nonkuselos attributes
 service-type remote-access
username gugut password OXMDG7YE498526dO encrypted
username sandilem password 6C3ByFzg5gyXSYaQ encrypted
username sandilem attributes
 service-type remote-access
username sandilef password jVejcyWm3GMHYokl encrypted
username sandilef attributes
 service-type remote-access
username funekam password dmB3Yp1o.YEbl5rE encrypted
username funekam attributes
 service-type remote-access
username khayag password 1nF0sM4IkubWbyUc encrypted
username khayag attributes
 service-type admin
username lindam password BY7wOZPCd5EReOYd encrypted
username lindam attributes
 service-type remote-access
username tamie password .iwxIxpbybjg8K/4 encrypted
username tamie attributes
 service-type remote-access
username Pellozie password EaNa4edyLnx4.X/X encrypted
username Pellozie attributes
 service-type remote-access
username support password pKRoFmjrFCg25Fj9 encrypted
username vpnuser password CsQTPU4apf7BtSoe encrypted
username bukelwad password z9YVN8b8fAGMIZUW encrypted
username bukelwad attributes
 service-type remote-access
username nvuba password NqDtRSmB.o/TC7U6 encrypted privilege 15
username luyandar password h0DjKF0ZRIpUq.zc encrypted
username luyandar attributes
 service-type remote-access
username ntsikie password Fl/QVLjOXFpXAvdo encrypted
username ntsikie attributes
 service-type remote-access
username cisco password /UjAtDCQKBMK5MtL encrypted privilege 15
username chulezaq password EwXGksO0k2SAdfUI encrypted
username chulezaq attributes
 service-type remote-access
username sheldon password K4NPX8zeGeo9r3/8 encrypted
username sheldon attributes
 service-type remote-access
username zukiem password 0Du7x41tv676anZp encrypted
username zukiem attributes
 service-type remote-access
tunnel-group BranchVPN type remote-access
tunnel-group ElundiniVPN type remote-access
tunnel-group ElundiniVPN general-attributes
 address-pool ELMRemote
 default-group-policy ElundiniVPN
tunnel-group ElundiniVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9218002d5864de6c021e46a8350c8306
: end
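As an added triage helper (not part of the original question or any answer to it), this parses the two ASA deny messages quoted above and flags those whose source address belongs to the firewall's own inside subnet (10.0.1.0/24, from "interface Vlan1" in the config). The sample log lines are constructed from the two quoted messages; the host octets, the 41.203.18.1 server and the 198.51.100.7 probe are placeholders, not values from the post.

```python
# Added example: parse ASA inbound-deny messages of the two shapes quoted in the
# question and separate inside-sourced denies from ordinary external ones.
# Sample lines are constructed; addresses with placeholder octets are not from the post.
import ipaddress
import re

INSIDE_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # "interface Vlan1" in the config

# "Deny inbound UDP from A/p to B/q due to DNS Query" (this form names no interface)
_UDP_DENY = re.compile(
    r"Deny inbound (?P<proto>\w+) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) due to (?P<reason>.+?)\s*$",
    re.IGNORECASE,
)
# "Inbound TCP connection denied from A/p to B/q flags SYN on interface outside"
_TCP_DENY = re.compile(
    r"Inbound (?P<proto>\w+) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<reason>.+?) on interface (?P<iface>\w+)",
    re.IGNORECASE,
)

SAMPLE_LOG = [  # constructed, modelled on the two lines in the question
    "Deny inbound UDP from 10.0.1.42/64752 to 41.203.18.1/53 due to DNS Query",
    "Inbound TCP connection denied from 10.0.1.42/58933 to 41.203.18.1/80 flags SYN on interface outside",
    "Inbound TCP connection denied from 198.51.100.7/4444 to 196.25.145.58/3389 flags SYN on interface outside",
    "some unrelated syslog line",
]


def parse_deny(line):
    """Return a dict of fields for a recognised ASA deny message, else None."""
    for rx in (_UDP_DENY, _TCP_DENY):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec.setdefault("iface", None)  # the UDP/DNS form does not name the interface
            rec["src_is_inside"] = ipaddress.ip_address(rec["src"]) in INSIDE_SUBNET
            return rec
    return None


def inside_sourced_denies(lines):
    """Denies whose source is an inside-subnet address. A deny like this is a
    different problem from an external probe hitting the outside interface, so
    it is worth reviewing on its own (interfaces, VLAN membership, NAT) rather
    than lumped in with ordinary outside-sourced noise."""
    return [r for r in (parse_deny(l) for l in lines) if r and r["src_is_inside"]]


if __name__ == "__main__":
    for r in inside_sourced_denies(SAMPLE_LOG):
        print(r["proto"], r["src"], "->", r["dst"] + "/" + r["dport"], "iface:", r["iface"])
```

The third sample line is a plain external probe and is deliberately not flagged, so the check separates the two kinds of deny rather than counting all of them.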