ASA5510: inside DNS server getting denied - new 3 port installation

Hi folks,

I'm trying to transition from a Watchguard, which is working fine except that throughput is very slow for some reason, to this new ASA.

I've been getting this firewall up and running. I have it running so folks on the primary subnet inside can connect to the internet and those hosts from the outside can connect to our webserver. Also, inside hosts can connect to the dmz.

My main problem right now is other subnets on the inside cannot connect: they get a Deny inbound UDP from to due to DNS response.

So the topology is this:

inside subnet is, and the inside interface shares an ip address on this subnet.

I have a Cisco 3550 route-able switch that other subnets and networks connect to, using the port as a gateway on that switch - which is plugged into another switch on that subnet.

The in the above deny statement is a gateway for that subnet on another inside router.

The DNS server is, the same subnet.

I have static routes: route inside route inside route inside ..etc. route inside

I've also got the nat working from inside to outside fine.

I so far have no ACLs on the inside interface.

Everything works with the Watchguard, which I must keep using until this gets solved, but it is possible I have some DNS thing misconfigured as I'm pretty much a newb at this. Not a full-time job (well it is, but I have many other duties that steal time).

So, that deny statement above suggests the inside interface is getting DNS packets and sending (denying) them back through the inside interface?

Do I need to make access lists for the inside interface, and then if so does that mean I have to make access lists for inside going outside and going dmz as well? Or is there something else easier I am missing?

Thanks for looking, cheers, Jim
