NobsVuba
asked on
Cisco ASA 5505 : Deny inbound UDP from 10.0.1.x/64752 to 41.203.18.x/53 due to dns query
Our Cisco ASA firewall was working just fine but now we can't access the internet...
Cisco ASA 5505 : Deny inbound UDP from 10.0.1.x/64752 to 41.203.18.x/53 due to dns query
Inbound TCP connection denied from 10.0.1.x/58933 to 41.203.x.x/80 FLAGS SYN on interface outside..
Here is the config:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name elundini.co.za
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 196.25.145.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone SAST 2
dns domain-lookup outside
dns server-group DefaultDNS
name-server 196.43.1.11
name-server 10.0.1.2
name-server 10.0.1.5
domain-name elundini.co.za
object-group service DM_INLINE_UDP_1 udp
port-object eq dnsix
port-object eq domain
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq https
access-list outside_in extended permit udp any any eq www
access-list outside_in extended permit tcp any host 41.203.18.57 eq smtp
access-list outside_in extended permit ip 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_in extended permit ip 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0 inactive
access-list outside_in extended permit tcp any host 41.203.18.57 eq pop3
access-list outside_in extended permit tcp any any eq 3389
access-list outside_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list outside_in extended permit tcp any any eq 30566
access-list outside_in extended permit tcp any any eq domain
access-list outside_in extended deny tcp any host 41.203.18.57 eq smtp
access-list outside_in extended deny tcp any host 41.203.18.57 eq pop3
access-list outside_in extended permit udp any any eq dnsix
access-list outside_in extended permit ip any any
access-list inside_in extended permit tcp any any
access-list inside_in extended permit tcp 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit tcp 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit udp 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit udp 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit tcp 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit icmp any any
access-list inside_nat0_outbound_1 extended permit ip any 192.168.10.0 255.255.255.128
access-list ElundiniVPN_split-tunnelAcl extended permit ip 10.0.1.0 255.255.255.0 any
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ELMRemote 192.168.10.5-192.168.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 30566 10.0.1.253 30566 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.25.145.57 1
route inside 192.6.11.0 255.255.255.0 10.0.1.254 1
route inside 192.6.12.0 255.255.255.0 10.0.1.254 1
route inside 192.6.13.0 255.255.255.0 10.0.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 10.0.1.2 interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption des-sha1
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ElundiniVPN internal
group-policy ElundiniVPN attributes
wins-server value 10.0.1.2
dns-server value 196.43.1.11 10.0.1.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ElundiniVPN_split-tunnelAcl
default-domain value elundini.gov.za
username nobsvpn password bCKbXonmoQ2dCHZj encrypted privilege 0
username nobsvpn attributes
vpn-group-policy ElundiniVPN
username nosiphelo password /iWGVY8lKf/5GfEG encrypted
username nosiphelo attributes
service-type remote-access
username nonkuselos password 7dJowSjKehEGobfu encrypted
username nonkuselos attributes
service-type remote-access
username gugut password OXMDG7YE498526dO encrypted
username sandilem password 6C3ByFzg5gyXSYaQ encrypted
username sandilem attributes
service-type remote-access
username sandilef password jVejcyWm3GMHYokl encrypted
username sandilef attributes
service-type remote-access
username funekam password dmB3Yp1o.YEbl5rE encrypted
username funekam attributes
service-type remote-access
username khayag password 1nF0sM4IkubWbyUc encrypted
username khayag attributes
service-type admin
username lindam password BY7wOZPCd5EReOYd encrypted
username lindam attributes
service-type remote-access
username tamie password .iwxIxpbybjg8K/4 encrypted
username tamie attributes
service-type remote-access
username Pellozie password EaNa4edyLnx4.X/X encrypted
username Pellozie attributes
service-type remote-access
username support password pKRoFmjrFCg25Fj9 encrypted
username vpnuser password CsQTPU4apf7BtSoe encrypted
username bukelwad password z9YVN8b8fAGMIZUW encrypted
username bukelwad attributes
service-type remote-access
username nvuba password NqDtRSmB.o/TC7U6 encrypted privilege 15
username luyandar password h0DjKF0ZRIpUq.zc encrypted
username luyandar attributes
service-type remote-access
username ntsikie password Fl/QVLjOXFpXAvdo encrypted
username ntsikie attributes
service-type remote-access
username cisco password /UjAtDCQKBMK5MtL encrypted privilege 15
username chulezaq password EwXGksO0k2SAdfUI encrypted
username chulezaq attributes
service-type remote-access
username sheldon password K4NPX8zeGeo9r3/8 encrypted
username sheldon attributes
service-type remote-access
username zukiem password 0Du7x41tv676anZp encrypted
username zukiem attributes
service-type remote-access
tunnel-group BranchVPN type remote-access
tunnel-group ElundiniVPN type remote-access
tunnel-group ElundiniVPN general-attributes
address-pool ELMRemote
default-group-policy ElundiniVPN
tunnel-group ElundiniVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9218002d5864de6c021e46a8350c8306
: end
ASKER
Just found out now: the IP address of the internal interface was changed. They were playing around and changed it; I managed to change it back.
From the firewall I can ping all the sites and the success rate is 100%. What could cause these error messages?
@erniebeek, "What happens if you open up the inside, so no access list or a permit ip any any at the end?" What does that mean, remove all access lists?
ASKER
Just to add: 2 Aug 16 2012 09:09:09 106007 10.0.1.5 53793 DNS
Deny inbound UDP from 10.0.1.5/53793 to 196.43.1.11/53 due to DNS Query
10.0.1.5 - internal name server
196.43.1.11 - our SP's name server
Discard that remark, you already have that (was looking at the wrong access list).
Let me have a closer look.......
What you could try is:
no access-group inside_access_in in interface inside
policy-map global_policy
class inspection_default
no inspect dns preset_dns_map
clear xlate
And see if that helps.
ASKER
Error: DNS policy-map present_dns_map not configured
Looks like a typo:
present_dns_map should be: preset_dns_map
ASKER
Done, have saved the configuration
ASKER
Still nothing, I have attached a syslog screen dump.
firewall.docx
Right,
Could you post the results of the show route command?
ASKER
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 196.25.145.57 to network 0.0.0.0
C 196.25.145.56 255.255.255.248 is directly connected, outside
S 192.6.12.0 255.255.255.0 [1/0] via 10.0.1.254, inside
S 192.6.13.0 255.255.255.0 [1/0] via 10.0.1.254, inside
S 192.6.11.0 255.255.255.0 [1/0] via 10.0.1.254, inside
C 10.0.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 196.25.145.57, outside
Looks ok.
You said they played around with the ASA, any chance they made more changes?
For example, I see:
access-list outside_in extended permit tcp any host 41.203.18.57 eq smtp
But that public IP isn't in your range.....
ASKER
That's for their POP3 connector ISP IP address.
ASKER
They deleted the nameserver 10.0.1.2, which is the internal DNS, and added 10.0.1.5. That's the only thing they claim they did.
ASKER
Not sure if Experts Exchange allows it, but I can let you have a look, maybe I am missing something... My head is spinning because the config looks fine on my side... unless I am really missing something.
Same here, something's odd but what.
What would you suggest (have a look)?
ASKER
Yes, send me your email. Rather you have a look.
ASKER
And also I am puzzled as to why the external interface is dropping packets..... from outside:
Deny TCP (no connection) from 196.25.134.162/7954 to 196.25.145.58/30566 flags RST ACK on interface outside
Looks like there's something reset in the connection and therefore denied.
Let's see I think I am allowed to give you this address: erniebeek at e-e dot com
Can't promise I'm able to have a look directly though.
ASKER
sent
Got it.
I'll try to have a look later on.
Just a quick question, if you change the DNS setting on a workstation to 8.8.8.8 (google nameserver), are you able to browse the internet?
ASKER
you mean 8.8.8.8 ?
Yes.
ASKER
will give it a try...
ASKER
Nothing still.
Weird, didn't even see a request going out to 8.8.8.8
I would like to try something, if you're ok with that. I would like to remove the DNS settings from the ASA itself and see what happens.
ASKER
Go ahead, I asked someone to try it, so I really hope they tried it. I am 4 hours away from that site.
Oops, ah well .za is a bit bigger than .nl ;)
I'll have another look.
ASKER
I made changes and this is what I get now.. 443 TCP access denied by ACL from 41.2.159.235/63288 to inside:196.25.145.x/443
ASKER
6 Aug 20 2012 06:03:36 106015 10.0.1.253 30566 41.2.8.123 7783 Deny TCP (no connection) from 10.0.1.253/30566 to 41.2.8.123/7783 flags SYN ACK on interface outside
Haven't had the chance to write down my findings yet (bit busy) but I'll get back to you as soon as I can.
ASKER
When I test I get a packet drop by implicit rule, but why would it complain about an implicit rule for the outside interface, because there is a defined rule that permits all traffic?
because there is a defined rule that permits all traffic
I see you fixed that already. As you might have noticed, an access list named inside_in was linked to the outside interface, making things a bit confusing :-~
The permit all rule on the outside was inactive (and of course during normal operation you wouldn't want such a rule).
I was a bit reluctant to try the same-security-traffic permit intra-interface, though I came across some similar issues in an older version that were solved using that.
One other thing is that we might want to take a broader look at things (not just solely at the firewall). At first I had the idea the ASA was connected the wrong way round (outside interface to the inside and v.v.) because I was seeing connections on the outside interface coming from inside addresses.
Of course I don't have a complete overview of how things are connected, so I can't say anything about that at the moment. But when I see things like:
Build inbound TCP connection 42526 for outside:10.0.1.146/56692 (10.0.1.146/56692) to outside:157.56.52.33/80 (157.56.52.33/80)
I get the distinct feeling you might want to check the way the ASA is connected to the LAN and WAN.
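The sign Ernie describes here (LAN addresses turning up as sources on the outside interface) can be picked out of the syslog feed mechanically. This is an added example, not code from the thread or from Cisco: a Python filter over ASA 106001/106015/302013-style messages that uses the inside networks from the posted config; the sample lines are constructed after the ones quoted in the thread, with the octets the poster masked as "x" replaced by made-up values.

```python
"""Added example: flag ASA syslog events whose source address belongs to an
inside network but which entered the firewall on the 'outside' interface."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Inside-side networks taken from the posted config: Vlan1 plus the three
# LANs routed via 10.0.1.254.
INSIDE_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.1.0/24", "192.6.11.0/24", "192.6.12.0/24", "192.6.13.0/24")]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# 106001 / 106007 / 106015 style: "... from A/p to B/q ... [on interface X]"
DENY_RE = re.compile(
    rf"(?:Deny|denied)\b.*?\bfrom (?P<src>{IP})/\d+ to (?P<dst>{IP})/\d+"
    rf"(?:.*?\bon interface (?P<ifc>\w+))?")
# 302013 style: "Built inbound TCP connection N for IFC:A/p (...) to IFC:B/q (...)"
BUILD_RE = re.compile(
    rf"Buil[dt] (?:inbound|outbound) \w+ connection \d+ for (?P<ifc>\w+):(?P<src>{IP})/\d+"
    rf" .*? to (?P<difc>\w+):(?P<dst>{IP})/\d+")

# Constructed sample log, modelled on the lines quoted in the thread; the
# octets the poster masked with 'x' are replaced by made-up values.
SAMPLE_LOG = [
    "%ASA-2-106007: Deny inbound UDP from 10.0.1.5/53793 to 196.43.1.11/53 due to DNS Query",
    "%ASA-2-106001: Inbound TCP connection denied from 10.0.1.20/58933 to 41.203.18.10/80 flags SYN on interface outside",
    "%ASA-6-106015: Deny TCP (no connection) from 196.25.134.162/7954 to 196.25.145.58/30566 flags RST ACK on interface outside",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.1.253/30566 to 41.2.8.123/7783 flags SYN ACK on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 42526 for outside:10.0.1.146/56692 (10.0.1.146/56692) to outside:157.56.52.33/80 (157.56.52.33/80)",
    "%ASA-6-302013: Built outbound TCP connection 42527 for inside:10.0.1.146/56700 (196.25.145.58/1025) to outside:157.56.52.33/80 (157.56.52.33/80)",
]


def parse_event(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (source_ip, ingress_interface) for a recognised message, or None.
    The interface is None for messages that do not carry one (e.g. 106007)."""
    m = BUILD_RE.search(line) or DENY_RE.search(line)
    return (m["src"], m["ifc"]) if m else None


def is_inside_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETS)


def misplaced_inside_sources(lines: List[str]) -> List[Tuple[int, str]]:
    """Indices and source addresses of events that arrived on 'outside' from an
    inside network. A correctly cabled ASA never sees those subnets on its
    outside interface, so each hit points at bridged/miswired interfaces or at
    a spoofed source; both deserve an alert. Events without an interface name
    are skipped rather than guessed; correlate them with the hits found here."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        if ev and ev[1] == "outside" and is_inside_address(ev[0]):
            hits.append((i, ev[0]))
    return hits


if __name__ == "__main__":
    for i, src in misplaced_inside_sources(SAMPLE_LOG):
        print(f"line {i}: inside address {src} entered on outside -> check cabling/VLANs")
```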
ASKER
calling them now, i noticed the same thing as you...
Curiously awaiting :)
ASKER
They have a system administrator that loves to fiddle. I am waiting for them...
Oh? So their admin loves to fiddle and you can clean up after him?
:-(
ASKER
Yep, he does, and I just found out as well that both ASA interfaces have been plugged into the internal switch. I am totally confused because from outside, as you have seen, we can get onto the firewall.... but traffic gets to the firewall and drops.
Just trying to contact their ISP now...
VLANs on the switch perhaps? Both the LAN and WAN VLAN trunked on one port?
This is, how can I put this nicely, NOT good (but you know that as well).
Perhaps replacement of some parts (switch, firewall, admin ;)
ASKER
What effects would there be if the IP address of the internal interface of the ASA was changed?
The default gateway on the machines on the network should be changed then (especially for statically set IP addresses like servers). For DHCP-provided machines a renew would do.
And don't forget the routes on the 10.0.1.254.
ASKER
Can you have a look again? Just sent you an email.... I want you to verify the config, will explain how the connection occurs. I have allocated this point to you, you have gone out of your way to help me.
The pleasure is all mine :)
(No email received yet..........)
The configuration is workable, though we will have to get rid of some permit any any statements.
For now, the main issue is that traffic from the inside is trying to enter the ASA at the outside interface (due to faulty plugging) so this should be fixed first. After that we can clean up the config.
So Ethernet0/0 (the outside) should go directly to the ISP modem/router and not to the LAN switch. And Ethernet0/5 (the one that is connected now) should go/stay onto the LAN switch. We should also check the configuration of the ASA-connected port on the LAN switch because it seems it's now carrying LAN and WAN traffic at the same time.
ASKER
Sent, that's cool. I just sent you a rough sketch of the overview, and yes the ASA is connected to the LAN switch.... it's a mess. See for yourself.
ASKER CERTIFIED SOLUTION
ASKER
I have plugged the firewall into the router, and there's connectivity. Take a look.
ASKER
It's looking better...
ASKER
I can remote desktop in.
ASKER
It's working.
ASKER
You're my hero. Keep doing the good work.
Glad I could help, I always love a nice challenge :)
You might want to review the config though, most rules are not needed or could use some tweaking. And check the config of the switch, just to be sure.
Also, don't forget to change the password ;)
ASKER
will do
Alright, let me know if you have other interesting challenges :)
Good luck,
Ernie
ASKER
Will do.... I am having a meeting with his boss, incompetent people must be fired. Oops. Will do.
Hehehehe, personally I was thinking tarred and feathered.
Ooops ;)
ASKER
hahahahaha. very funny
Got your mail, I'll try to have a look later on, otherwise tomorrow.
I see you already changed the password?
Good! But I can't clean up right now ;)
ASKER
Will email you the stuff.
Thx, got it.
ASKER
Check email.
Ok, looking better now :)
Check it out, I haven't saved the config yet so you can easily roll back if you want.
You might want to limit:
ssh 0.0.0.0 0.0.0.0 outside
and
http 0.0.0.0 0.0.0.0 outside
To allow only certain public IP's (like yours) to manage the ASA from the outside.
ASKER
I am looking at it.
ASKER
It's pretty neat. What rule controls www, https? A bit confused but will have a look when at the office.
You mean inside->out or outside->in ?
From the inside to the outside all is allowed. If you want to allow www and https access to an internal server you'll need to define a static and an access rule. Before you didn't have statics for that so I removed those lines from the access list. It might have worked because the ASA was wide open :-~
Of course that can be adjusted, just let me know what you need.
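Ernie's remark that the ASA "was wide open", and his earlier one that most rules are not needed, can be checked against the posted outside_in ACL itself. This is an added example, not code from the thread or from Cisco: a Python script that walks the 16 outside_in lines from the config above in the order the ASA evaluates them and reports every rule that can never be the first match, plus the catch-all permit at the end. The service-name table and the expansion of object-group DM_INLINE_UDP_1 to ports 195 (dnsix) and 53 (domain) are assumptions made for this example.

```python
"""Added example: first-match shadow analysis of the posted outside_in ACL."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
# ASA service keywords used in the posted ACL -> port numbers (assumed standard values).
SERVICE_PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "domain": 53, "dnsix": 195}
# Expansion of the object-group defined in the posted config (assumed here).
OBJECT_GROUPS = {"DM_INLINE_UDP_1": frozenset({195, 53})}

# The 16 outside_in lines copied from the posted config, in ASA evaluation order.
OUTSIDE_IN = [
    "access-list outside_in extended permit icmp any any",
    "access-list outside_in extended permit tcp any any eq www",
    "access-list outside_in extended permit tcp any any eq https",
    "access-list outside_in extended permit udp any any eq www",
    "access-list outside_in extended permit tcp any host 41.203.18.57 eq smtp",
    "access-list outside_in extended permit ip 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0",
    "access-list outside_in extended permit ip 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0 inactive",
    "access-list outside_in extended permit tcp any host 41.203.18.57 eq pop3",
    "access-list outside_in extended permit tcp any any eq 3389",
    "access-list outside_in extended permit udp any any object-group DM_INLINE_UDP_1",
    "access-list outside_in extended permit tcp any any eq 30566",
    "access-list outside_in extended permit tcp any any eq domain",
    "access-list outside_in extended deny tcp any host 41.203.18.57 eq smtp",
    "access-list outside_in extended deny tcp any host 41.203.18.57 eq pop3",
    "access-list outside_in extended permit udp any any eq dnsix",
    "access-list outside_in extended permit ip any any",
]


@dataclass(frozen=True)
class Rule:
    pos: int                         # 1-based position in the ACL
    action: str                      # permit / deny
    proto: str                       # ip / tcp / udp / icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[FrozenSet[int]]  # None = any destination port
    inactive: bool


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec ('any', 'host A' or 'A MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(pos: int, line: str) -> Rule:
    t = line.split()                 # access-list NAME extended ACTION PROTO SRC DST [eq P | object-group G] [inactive]
    action, proto = t[3], t[4]
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    ports = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        ports = frozenset({int(p) if p.isdigit() else SERVICE_PORTS[p]})
        i += 2
    elif i < len(t) and t[i] == "object-group":
        ports = OBJECT_GROUPS[t[i + 1]]
        i += 2
    return Rule(pos, action, proto, src, dst, ports, "inactive" in t[i:])


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that could match b is already matched by a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    ports_ok = a.ports is None or (b.ports is not None and b.ports <= a.ports)
    return proto_ok and ports_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def dead_rules(acl_lines: List[str]) -> List[Tuple[int, int, str]]:
    """(position, position of the earlier rule hiding it, kind) for each active rule
    that can never be the first match. 'redundant' = same action as the hiding rule;
    'ineffective' = opposite action, i.e. the intended deny never fires."""
    active = [r for r in (parse_rule(n, l) for n, l in enumerate(acl_lines, 1)) if not r.inactive]
    out = []
    for idx, rule in enumerate(active):
        for earlier in active[:idx]:
            if covers(earlier, rule):
                out.append((rule.pos, earlier.pos, "redundant" if earlier.action == rule.action else "ineffective"))
                break
    return out


def catch_all_permit(acl_lines: List[str]) -> Optional[int]:
    """Position of the first active rule that permits every packet (ip any any), or None."""
    everything = Rule(0, "permit", "ip", ANY, ANY, None, False)
    for n, l in enumerate(acl_lines, 1):
        r = parse_rule(n, l)
        if not r.inactive and r.action == "permit" and covers(r, everything):
            return r.pos
    return None


if __name__ == "__main__":
    for pos, by, kind in dead_rules(OUTSIDE_IN):
        print(f"rule {pos} is {kind}: every packet it matches is already matched by rule {by}")
    print("catch-all permit at rule", catch_all_permit(OUTSIDE_IN))
```

On the posted ACL the two deny lines for smtp and pop3 are reported as ineffective (the permits for the same host and ports sit above them), the standalone dnsix permit is redundant with the object-group line, and rule 16 lets everything else in.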
ASKER
Cool.
So, were there any changes made recently? What happens if you open up the inside, so no access list or a permit ip any any at the end?