it_gsr

asked:
Cisco ASA dns and browsing

I have the underlisted access-lists on a Cisco 5510:
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any any eq www
access-list acl_inbound extended permit tcp any any eq https
access-list acl_inbound extended permit tcp any host A.B.0.209 eq smtp
access-list acl_inbound extended permit tcp any host f.f.f.135 eq 6999
access-list acl_inbound extended permit tcp any host A.B.0.209 eq https
access-list acl_inbound extended deny tcp any any eq smtp


Applying the acl_inbound on the inside interface prevents browsing the internet from all machines, though I can ping external IPs. The problem looks like it's DNS related.

i) How can I resolve this problem?

ii) Which settings do I need to prevent/block the use of external scanning tools on my external IPs, or auto-block scanning IP addresses without having to use shun manually?
Chris Dent

How are you applying the access list? I would expect something along the lines of "access-group acl_inbound in interface inside".

Of the items in the list, the following is unnecessary; a rule higher up the list already allows any/any https:

access-list acl_inbound extended permit tcp any host A.B.0.209 eq https

You do nothing at all in the access list to grant DNS access, and while you think the problem may be DNS related, you give no information at all about your DNS infrastructure.

Where, in your network infrastructure, are your DNS servers? If they're behind the same interface as this, are you using Root Hints or Forwarders? If they're not behind the same, why haven't you created a rule to allow DNS?

Chris
You do not allow any device to query a public DNS server. You can limit it to the Active Directory servers if you are using a Windows domain.

Thanks
it_gsr

ASKER

I have a Windows infrastructure and the DNS comes off my domain controller, which points to the firewall. I would like to limit SMTP to only the mail server via the FW.

@Chris  I have removed the A.B.0.209 eq https

What do I have to do to achieve my need?
ASKER CERTIFIED SOLUTION
Cheever000

This solution is only available to members.
it_gsr

ASKER

These are the only access-lists I have:

access-list acl_inbound extended permit tcp any host A.B.0.209 eq smtp
access-list acl_inbound extended deny tcp any any eq smtp
access-list acl_inbound extended permit ip any any

After applying the access-group, I could browse alright, but I could not send or receive external mails. I could not access OWA externally as well.

When I tried telnet smtp.gmail.com 25 from the mail server, it failed to get a connection. After taking off the access-group, I tried the SMTP to Google again and it was successful:

220 smtp.gmail.com ESMTP n13sm24298068wrn.40 - gsmtp
quit
221 2.0.0 closing connection n13sm24298068wrn.40 - gsmtp
Sorry I didn't catch it earlier; this access list is backwards:
access-list acl_inbound extended permit tcp any host A.B.0.209 eq smtp

It should be:
access-list acl_inbound extended permit tcp host A.B.0.209 any eq smtp

Source is first; destination is any because it would be any email server.

The way it is written, it is saying any host can get to A.B.0.209, not A.B.0.209 can get to any host via SMTP.
it_gsr

ASKER

For some weird reason I'm unable to access my OWA even after removing the access-group. I want to create an access list that will allow SMTP to the NATed IP of the internal mail server as well as allow browsing.


access-list acl_out extended permit tcp any host X.Y.Z.132 eq smtp
access-group acl_out in interface inside

Will this suffice?
You really don't want to filter in the outbound direction; it is not a common thing and gets very tricky.

The rule you wrote would break all traffic to the inside network from outside.

The rule would be the access-list, usually outside_access_in, on the outside interface. It depends on the ASA version you are using what that would look like: either it would be the internal NAT or external NAT IP address and the protocol. You really do not want to try to filter inbound traffic from the outside on the inside interface. I would also suggest not using the out direction at all unless you are really sure of what you are doing.

Pre-8.3 would be:
 access-list outside_access_in extended permit tcp any host EXTERNALIP eq smtp
 access-list outside_access_in extended permit tcp any host EXTERNALIP eq https

Post-8.3:
 access-list outside_access_in extended permit tcp any host INTERNALIP eq smtp
 access-list outside_access_in extended permit tcp any host INTERNALIP eq https
it_gsr

ASKER

An email from internal to an external address just got delivered, but no external e-mails to internal yet.
it_gsr

ASKER

Is there any reason why external e-mails are not getting to my server now?

There is object network obj-A.B.0.209
 nat (inside,outside) static X.Y.Z.132
it_gsr

ASKER

Hi Cheever000,
The external mails are not coming through. What can be wrong and how can I fix it?

What does the outside access list show, and what is the result of show version?
it_gsr

ASKER

Software Version 8.4(4)1

No external access-list.
You have to create an external access list. By default, Cisco traffic can go from a higher to a lower security level; inside is usually 100, outside is 0.

Traffic isn't allowed from 0 to anything unless you allow it; the list I gave you above should work with the post-8.3 one.

access-group outside_access_in in interface outside
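Pulling the pieces of this thread together as an added example (this is not configuration posted by anyone in the thread): an ASA 8.4 configuration with the corrected inside list, the static NAT object the asker showed, and the outside list written against the real inside address, as 8.3 and later require. The interface names, the placeholder addresses A.B.0.209 and X.Y.Z.132 and the object name are the thread's; the `host` line inside the object and everything else is assumed.

```cisco
! Inside interface, inbound direction (traffic leaving the LAN).
! Only the mail server may originate SMTP; everything else (DNS, web, ...)
! is covered by the final permit. The asker's original list had no udp/53
! rule at all, which is why browsing broke while ping still worked.
access-list acl_inbound extended permit tcp host A.B.0.209 any eq smtp
access-list acl_inbound extended deny tcp any any eq smtp
access-list acl_inbound extended permit ip any any
access-group acl_inbound in interface inside
!
! Static NAT for the mail server (8.3+ object NAT, as the asker showed;
! the "host" line is assumed, since object NAT needs a real address).
object network obj-A.B.0.209
 host A.B.0.209
 nat (inside,outside) static X.Y.Z.132
!
! Outside interface, inbound direction. Outside is security level 0, so
! nothing reaches inside without an explicit permit. On 8.3+ the ACL is
! evaluated after NAT untranslation, so it names the real address
! A.B.0.209, not the public X.Y.Z.132; putting the public address here
! is what yields the hitcnt=0 the asker reports later in the thread.
access-list outside_access_in extended permit tcp any host A.B.0.209 eq smtp
access-list outside_access_in extended permit tcp any host A.B.0.209 eq https
access-group outside_access_in in interface outside
```

To check it without waiting for real mail, watch the hit counters with `show access-list outside_access_in` and simulate an inbound connection with `packet-tracer input outside tcp 198.51.100.10 12345 X.Y.Z.132 25` (198.51.100.10 is a constructed RFC 5737 source address; the destination is the public address, since that is what arrives on the wire). The trace should show the NAT untranslation step followed by an ACCESS-LIST permit on outside_access_in.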
it_gsr

ASKER

There are no external ones, as you advised earlier. These are the lists:

access-list acl_inbound; 3 elements; name hash: 0x16f47df8
access-list acl_inbound line 1 extended permit tcp host A.B.0.209 any eq smtp (hitcnt=93) 0x9db29453
access-list acl_inbound line 2 extended deny tcp any any eq smtp (hitcnt=1171) 0x6645d943
access-list acl_inbound line 3 extended permit ip any any (hitcnt=25575) 0x8473145d
it_gsr

ASKER

I just added:
access-list outside_access_in extended permit tcp any host X.Y.Z.132 eq smtp
access-list outside_access_in extended permit tcp any host X.Y.Z.132 eq https
access-group outside_access_in in interface outside

But I'm getting zero hits:

access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host X.Y.Z.132 eq smtp (hitcnt=0) 0x295342dd
access-list outside_access_in line 2 extended permit tcp any host X.Y.Z.132 eq https (hitcnt=0) 0x11b38e7c
it_gsr

ASKER

Sorry, I used the external instead of the internal. All is
it_gsr

ASKER

The mails are flowing now. Thanks Cheever000. I will award the points to you.

The second part of my question was:
ii) Which settings do I need to prevent/block the use of external scanning tools on my external IPs, or auto-block scanning IP addresses without having to use shun manually?
There are threat detection settings that can help, but they can get a bit out of hand as well.
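As an added example of the threat-detection settings referred to above (not configuration from anyone in the thread), this is the ASA 8.4 scanning-threat feature with automatic shun, which is the built-in answer to "block scanning IPs without running shun by hand". The exception range 203.0.113.0/24 is a placeholder (RFC 5737), not an address from the thread, and the rate values shown are the platform defaults; adjust both for your network.

```cisco
! Basic threat detection (enabled by default on 8.x) only logs events.
threat-detection basic-threat
!
! Scanning-threat detection with automatic shun: an outside host the ASA
! classifies as a scanner is dropped for the shun duration (seconds)
! without anyone typing a manual "shun" command.
threat-detection scanning-threat shun duration 3600
!
! Never let the ASA auto-shun your own monitoring hosts, ISP or remote
! admin range; 203.0.113.0/24 is a placeholder for such a range.
threat-detection scanning-threat shun except ip-address 203.0.113.0 255.255.255.0
!
! How aggressively to classify: average events/sec over rate-interval
! seconds, with burst-rate catching short spikes (defaults shown).
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
!
! Per-host statistics so you can see who is being flagged and why.
threat-detection statistics host
```

This is where "out of hand" comes in: a busy legitimate peer (a large mail relay, a monitoring service) can cross the rate and get shunned for an hour. A safer rollout is to enable `threat-detection scanning-threat` without the `shun` keyword first, review `show threat-detection scanning-threat attacker` for a few days, add the false positives to the `except` list, and only then turn on shun. Active automatic shuns are listed with `show threat-detection shun` and cleared with `clear threat-detection shun`.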
it_gsr

ASKER

Problem resolved