Hi folks,
I'm trying to transition from a Watchguard, that is working fine except very slow for some reason with throughput, to this new ASA.
I've been getting this firewall up and running. I have it running so folks on the primary subnet inside can connect to the internet and those hosts from the outside can connect to our webserver. Also, inside hosts can connect to the dmz.
My main problem right now is other subnets on the inside cannot connect: they get a Deny inbound UDP from 10.10.1.12/53 to 10.10.10.13/1059 due to DNS response.
So the topology is this:
inside subnet is 10.10.1.0/24, and the inside interface shares an ip address on this subnet.
I have a cisco 3550 route-able switch that other subnets and networks connect to, using the 10.10.1.1 port as a gateway on that switch - which is plugged into another switch on that subnet.
The 10.10.10.13 in the above deny statement is a gateway for that subnet on another inside router.
The DNS server is 10.10.1.12 255.255.255.0, the same subnet.
I have static routes: route inside 192.168.10.0 255.255.255.0 10.10.1.1 route inside 10.10.3.0 255.255.255.0 10.10.1.1 route inside 10.10.5.0 255.255.255.0 10.10.1.1 ..etc. route inside 10.10.10.0 255.255.255.0 10.10.1.1
I've also got the nat working from inside to outside fine.
I so far have no ACL's on the inside interface.
Everything works with the Watchguard, which I must keep using until this gets solved, but it is possible I have some DNS thing misconfigured as I'm pretty much a newb at this. Not a full time job (well it is, but I have many other duties that steal time).
So, that deny statement above suggests the inside interface is getting DNS packets and sending (denying) them back through the inside interface?
Do I need to make access lists for the inside interface, and then if so does that mean I have to make access lists for inside going outside and going dmz as well? Or is there something else easier I am missing?
Thanks for looking, cheers, Jim