Cisco ASA 5505 : Deny inbound UDP from 10.0.1.x/64752 to 41.203.18.x/53 due to dns query

Our Cisco ASA firewall was working just fine  but now we cant access the internet...

Cisco ASA 5505 : Deny inbound UDP from 10.0.1.x/64752 to 41.203.18.x/53 due to dns query
Inbound TCP connection denied from 10.0.1.x/58933 to 41.203.x.x/80 FLAGS SYN on interface outside..

Here is the config
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name elundini.co.za
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.100 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 196.25.145.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone SAST 2
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 196.43.1.11
 name-server 10.0.1.2
 name-server 10.0.1.5
 domain-name elundini.co.za
object-group service DM_INLINE_UDP_1 udp
 port-object eq dnsix
 port-object eq domain
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq https
access-list outside_in extended permit udp any any eq www
access-list outside_in extended permit tcp any host 41.203.18.57 eq smtp
access-list outside_in extended permit ip 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_in extended permit ip 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0 inactive
access-list outside_in extended permit tcp any host 41.203.18.57 eq pop3
access-list outside_in extended permit tcp any any eq 3389
access-list outside_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list outside_in extended permit tcp any any eq 30566
access-list outside_in extended permit tcp any any eq domain
access-list outside_in extended deny tcp any host 41.203.18.57 eq smtp
access-list outside_in extended deny tcp any host 41.203.18.57 eq pop3
access-list outside_in extended permit udp any any eq dnsix
access-list outside_in extended permit ip any any
access-list inside_in extended permit tcp any any
access-list inside_in extended permit tcp 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit tcp 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit udp 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit udp 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_in extended permit tcp 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.12.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.13.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.11.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.6.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit icmp any any
access-list inside_nat0_outbound_1 extended permit ip any 192.168.10.0 255.255.255.128
access-list ElundiniVPN_split-tunnelAcl extended permit ip 10.0.1.0 255.255.255.0 any
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ELMRemote 192.168.10.5-192.168.10.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 30566 10.0.1.253 30566 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.25.145.57 1
route inside 192.6.11.0 255.255.255.0 10.0.1.254 1
route inside 192.6.12.0 255.255.255.0 10.0.1.254 1
route inside 192.6.13.0 255.255.255.0 10.0.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 10.0.1.2 interface inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption des-sha1
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ElundiniVPN internal
group-policy ElundiniVPN attributes
 wins-server value 10.0.1.2
 dns-server value 196.43.1.11 10.0.1.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ElundiniVPN_split-tunnelAcl
 default-domain value elundini.gov.za
username nobsvpn password bCKbXonmoQ2dCHZj encrypted privilege 0
username nobsvpn attributes
 vpn-group-policy ElundiniVPN
username nosiphelo password /iWGVY8lKf/5GfEG encrypted
username nosiphelo attributes
 service-type remote-access
username nonkuselos password 7dJowSjKehEGobfu encrypted
username nonkuselos attributes
 service-type remote-access
username gugut password OXMDG7YE498526dO encrypted
username sandilem password 6C3ByFzg5gyXSYaQ encrypted
username sandilem attributes
 service-type remote-access
username sandilef password jVejcyWm3GMHYokl encrypted
username sandilef attributes
 service-type remote-access
username funekam password dmB3Yp1o.YEbl5rE encrypted
username funekam attributes
 service-type remote-access
username khayag password 1nF0sM4IkubWbyUc encrypted
username khayag attributes
 service-type admin
username lindam password BY7wOZPCd5EReOYd encrypted
username lindam attributes
 service-type remote-access
username tamie password .iwxIxpbybjg8K/4 encrypted
username tamie attributes
 service-type remote-access
username Pellozie password EaNa4edyLnx4.X/X encrypted
username Pellozie attributes
 service-type remote-access
username support password pKRoFmjrFCg25Fj9 encrypted
username vpnuser password CsQTPU4apf7BtSoe encrypted
username bukelwad password z9YVN8b8fAGMIZUW encrypted
username bukelwad attributes
 service-type remote-access
username nvuba password NqDtRSmB.o/TC7U6 encrypted privilege 15
username luyandar password h0DjKF0ZRIpUq.zc encrypted
username luyandar attributes
 service-type remote-access
username ntsikie password Fl/QVLjOXFpXAvdo encrypted
username ntsikie attributes
 service-type remote-access
username cisco password /UjAtDCQKBMK5MtL encrypted privilege 15
username chulezaq password EwXGksO0k2SAdfUI encrypted
username chulezaq attributes
 service-type remote-access
username sheldon password K4NPX8zeGeo9r3/8 encrypted
username sheldon attributes
 service-type remote-access
username zukiem password 0Du7x41tv676anZp encrypted
username zukiem attributes
 service-type remote-access
tunnel-group BranchVPN type remote-access
tunnel-group ElundiniVPN type remote-access
tunnel-group ElundiniVPN general-attributes
 address-pool ELMRemote
 default-group-policy ElundiniVPN
tunnel-group ElundiniVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9218002d5864de6c021e46a8350c8306
: end
NobsVubaAsked:
Who is Participating?
 
Ernie BeekExpertCommented:
Seen it :-~

Can you get your hands on the configuration of that LAN switch (if any)?

You could do it this way if you set up VLANning correctly to keep LAN and WAN traffic separated (I use something similar). But I don't think that is the case here.....

For now I would let them plug router1 directly in to the outside interface of the ASA (marked ethernet0/0) and keep the inside interface of the ASA (mArked ethernet 0/5) as is. My gues is there's no VLANning setup. If that's the case the formentioned replugging should improve things a lot already.
0
 
Ernie BeekExpertCommented:
I have added zones Cisco PIX Firewall and DNS to attract some extra attention.

So, were there any changes made recently? What happens if you open up the inside, so no access list or a permit ip any any at the end?
0
 
NobsVubaAuthor Commented:
Just found out now, the IP address of the internal interface was changed, they were playing around and they changed it, I managed to change it back

From the firewall i can ping all the sites and the success rate is 100 % what could cause these error messages.

@ erniebeek , What happens if you open up the inside, so no access list or a permit ip any any at the end?  What does that mean remove all access list
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

 
NobsVubaAuthor Commented:
just to add , 2      Aug 16 2012      09:09:09      106007      10.0.1.5      53793      DNS      
      Deny inbound UDP from 10.0.1.5/53793 to 196.43.1.11/53 due to DNS Query
10.0.1.5 - internal name server
196.43.1.11 - our SP's name server
0
 
Ernie BeekExpertCommented:
Discard that remark, you already have that (was looking at the wrong access list).

Let me have a closer look.......
0
 
Ernie BeekExpertCommented:
What you could try is:

no access-group inside_access_in in interface inside
policy-map global_policy
 class inspection_default
 no inspect dns preset_dns_map
clear xlate


And see if that helps.
0
 
NobsVubaAuthor Commented:
Error: DNS policy-map present_dns_map not configured
0
 
Ernie BeekExpertCommented:
Looks like a typo:

present_dns_map should be:  preset_dns_map
0
 
NobsVubaAuthor Commented:
Done,  have saved the configuration
0
 
NobsVubaAuthor Commented:
still nothing,  i have attached syslog screen dump
firewall.docx
0
 
Ernie BeekExpertCommented:
Right,

Could you post the results of the show route command?
0
 
NobsVubaAuthor Commented:
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 196.25.145.57 to network 0.0.0.0

C    196.25.145.56 255.255.255.248 is directly connected, outside
S    192.6.12.0 255.255.255.0 [1/0] via 10.0.1.254, inside
S    192.6.13.0 255.255.255.0 [1/0] via 10.0.1.254, inside
S    192.6.11.0 255.255.255.0 [1/0] via 10.0.1.254, inside
C    10.0.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 196.25.145.57, outside
0
 
Ernie BeekExpertCommented:
Looks ok.

You said they played around with the ASA, any chance they made more changes?
For example, I see:
access-list outside_in extended permit tcp any host 41.203.18.57 eq smtp But that public isn't in your range.....
0
 
NobsVubaAuthor Commented:
thats for their pop3 connector ISP ip address,
0
 
NobsVubaAuthor Commented:
They deleted the nameserver 10.0.1.2, which is the internal DNS  and added 10.0.1.5. Thats the only thing they claim they did
0
 
NobsVubaAuthor Commented:
Not sure if expert exchange allows it. but i can let you have a look maybe am missing something,,, My head is spinning because the config looks fine on my side...unless i am really missing something
0
 
Ernie BeekExpertCommented:
Same here, something's odd but what.

What would you suggest (have a look)?
0
 
NobsVubaAuthor Commented:
yes, send me your email. Rather you have a look.
0
 
NobsVubaAuthor Commented:
And also am puzzled as to why is the external interface dropping packets..... from outside
Deny TCP (no connection) from 196.25.134.162/7954 to 196.25.145.58/30566 flags RST ACK  on interface outside
0
 
Ernie BeekExpertCommented:
Looks like there's something reset in the connection and therefor denied.

Let's see I think I am allowed to give you this address: erniebeek at e-e dot com
Can't promise I'm able to have a look directly though.
0
 
NobsVubaAuthor Commented:
sent
0
 
Ernie BeekExpertCommented:
Got it.
I'll try to have a look later on.
0
 
Ernie BeekExpertCommented:
Just a quick question, if you change the DNS setting on a workstation to 8.8.8.8 (google nameserver), are you able to browse the internet?
0
 
NobsVubaAuthor Commented:
you mean  8.8.8.8 ?
0
 
Ernie BeekExpertCommented:
Yes.
0
 
NobsVubaAuthor Commented:
will give it a try...
0
 
NobsVubaAuthor Commented:
nothing still,
0
 
Ernie BeekExpertCommented:
Weird, didn't even see a request going out to 8.8.8.8

I would like to try something, if you're ok with that. I would like to remove the DNS settings from the ASA itself and see what happens.
0
 
NobsVubaAuthor Commented:
go ahead, i asked someone to try it, so i really hope they tried it. am 4 hours away from that site.
0
 
Ernie BeekExpertCommented:
Oops, ah well .za is a bit bigger than .nl ;)

I'll have another look.
0
 
NobsVubaAuthor Commented:
i made changes and this is what i get  now..      443      TCP access denied by ACL from 41.2.159.235/63288 to inside:196.25.145.x/443
0
 
NobsVubaAuthor Commented:
6      Aug 20 2012      06:03:36      106015      10.0.1.253      30566      41.2.8.123      7783      Deny TCP (no connection) from 10.0.1.253/30566 to 41.2.8.123/7783 flags SYN ACK  on interface outside
0
 
Ernie BeekExpertCommented:
Haven't had the chance to write  down my findings yet (bit busy) but I'll get back to you as soon as I can.
0
 
NobsVubaAuthor Commented:
when i test i get a packet drop by implicit rule, but why would it complain about an implicit rule for the outside interface,  because there is a defined rule that permits all traffic
0
 
Ernie BeekExpertCommented:
because there is a defined rule that permits all traffic
I see you fixed that allready. As you might have noticed an access list named inside in was linked to the outside interface, making things a bit confusing :-~

The permit all rule on the outside was inactive (and of course during normal operation you wouldn't want such a rule).

I was a bit reluctant to try the: same-security-traffic permit intra interface though I came across some similar issues in an older version that were solved using that.

One other thing is that we might want to take a broader look at things (not just solely at the firewall). At first I had the idea the ASA was connected the wrong way round (outside interface to the inside and v.v.) because I was seeing connections on the outside interface coming from inside addresses.
Of course I don't have a complete overview on how things are connected I can't say anything about that at the moment. But when I see things like:
Build inbound TCP connection 42526 for outside:10.0.1.146/56692 (10.0.1.146/56692) to outside:157.56.52.33/80 (157.56.52.33/80) I get the distinct feeling you might want to check the way the ASA is connected to the LAN and WAN.
0
 
NobsVubaAuthor Commented:
calling them now, i noticed the same thing as you...
0
 
Ernie BeekExpertCommented:
Curiousely awaiting :)
0
 
NobsVubaAuthor Commented:
They have a system administrator that loves to fiddle . am waiting for them...
0
 
Ernie BeekExpertCommented:
Oh? So their admin loves to fiddle and you can clean up after him?

:-(
0
 
NobsVubaAuthor Commented:
Yep he does,  and just found out as well that the ASA both interfaces have been plugged to the internal switch. Am totally confused because from outside as you have seen we can get onto the firewall.... but traffic get to the firewall and drops

Just trying to contact their ISP now...
0
 
Ernie BeekExpertCommented:
VLANs on the switch perhaps? Both the LAN and WAN VLAN trunked on one port?

This is, how can I put this nicely, NOT good (but you know that as well).

Perhaps replacement of some parts (switch, firewall, admin ;)
0
 
NobsVubaAuthor Commented:
What effects would be if an IP address of the internal interface of the ASA was changed
0
 
Ernie BeekExpertCommented:
The default gateway on the machines on the network should be changed then (especially for static set IP addresses like servers). For DHCP provided machine a renew would do.

And don't forget the routes on the 10.0.1.254.
0
 
NobsVubaAuthor Commented:
can you have a look again, just sent you email.... i want you to verify the config, will explain how the connection occurs, i have allocated this point to you, you have gone out of your way to help me.
0
 
Ernie BeekExpertCommented:
The pleasure is all mine :)
(No email received yet..........)

The configuration is workable, though we will have to get rid of some permit any any statements.
For now, the main issue is that traffic from the inside is trying to enter the ASA at the outside interface (due to faulty plugging) so this should be fixed first. After that we can clean up the config.

So ethernet0/0 (the outside) should directly go to the ISP modem/router and not to the LAN switch. And ethernet 0/5 (the one that is connected now) should go/stay onto the LAN switch. We should also check the configuration on the ASA connected port on the LAN switch because it seems its now carrying LAN and WAN traffic at the sdame time.
0
 
NobsVubaAuthor Commented:
sent,  thats cool, I just sent you a rough sketch of ther overview, and yes the ASA is connected to the LAN switch....its a mess. See for yourself
0
 
NobsVubaAuthor Commented:
have plugged the firewall to the router,  and there's connectivity. Take a look
0
 
NobsVubaAuthor Commented:
its looking better...
0
 
NobsVubaAuthor Commented:
i can remote desktop in
0
 
NobsVubaAuthor Commented:
its working
0
 
NobsVubaAuthor Commented:
you 're my hero. Keep doing the good work
0
 
Ernie BeekExpertCommented:
Glad I could help, I always love a nice challenge :)

You might want to review the config though, most rules are not needed or could use some tweaking. And check the config of the switch, just to be sure.
Also, don't forget to change the password ;)
0
 
NobsVubaAuthor Commented:
will do
0
 
Ernie BeekExpertCommented:
Allright, let me know if you have other interesting challenges :)

Good luck,

Ernie
0
 
NobsVubaAuthor Commented:
will do.... am having a meeting with his boss, incompetent people must be fired. Oops. Will do.
0
 
Ernie BeekExpertCommented:
Hehehehe, personally I was thinking tarred and feathered.

Ooops ;)
0
 
NobsVubaAuthor Commented:
hahahahaha. very funny
0
 
Ernie BeekExpertCommented:
Got your mail, I'll try to have a look later on, otherwise tomorrow.
0
 
Ernie BeekExpertCommented:
I see you already changed the password?
Good! But I can't clean up right now ;)
0
 
NobsVubaAuthor Commented:
will email you the stuff,,,,
0
 
Ernie BeekExpertCommented:
Thx, got it.
0
 
NobsVubaAuthor Commented:
check email
0
 
Ernie BeekExpertCommented:
Ok, looking better now :)

Check it out, I haven't saved the config yet so you can easily roll back if you want.

You might want to limit:
ssh 0.0.0.0 0.0.0.0 outside
and
http 0.0.0.0 0.0.0.0 outside
To allow only certain public IP's (like yours) to manage the ASA from the outside.
0
 
NobsVubaAuthor Commented:
Am looking at it.
0
 
NobsVubaAuthor Commented:
Its pretty neat, what rule controls www, https. A bit confused but will have a look when at the office.
0
 
Ernie BeekExpertCommented:
You mean inside->out or outside->in ?

From the inside to the outside all is allowed. If you want to allow www and https access to an internal server you'll need to define a static and an access rule. Before you didn't have statics for that so I removed those lines from the access list. It might have worked because the ASA was wide open :-~
Of course that can be adjusted, just let me know what you need.
0
 
NobsVubaAuthor Commented:
cool
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.