ASA5510 - selectively blocking icmp and DNS

Trying to replace old firewall with shiny new ASA 5510.

When I put the ASA into production, the subnet x.x.1.0 that is on the inside interface (3-port ASA) works fine. We have an inside DNS server x.x.1.21 that all hosts look to.

There are no access lists on the inside interface of ASA yet. I have added "inspect icmp" and "inspect icmp-error" into its policy-map prior to all of this which seems to allow icmp now mostly.

I have several other subnets that are routed into the x.x.1.0 subnet via a Cisco 3550 router/switch. They have problems connecting to http with the ASA. For my last test I went over to the x.x.5.0 subnet department after installing the ASA. One host worked fine, the other (of two hosts) did not. (Some other departments don't work at all.)

From the x.x.5.0 subnet: I can ping on the x.x.1.0 network from the trouble hosts on other subnets - I just can't ping the one server x.x.1.21. In other words, when on the trouble host PC x.x.5.101, I can ping x.x.1.26 (Cisco firewall inside interface), x.x.2.26 (another subnet), and x.x.1.1, the router/switch port that connects the x.x.5.0 subnet with x.x.1.0 - but not the one server x.x.1.21.

The other host on the x.x.5.0 subnet can ping everything and get DNS requests. Works fine. Other subnets (x.x.10.0, 192.168.x.0) that have more segments behind them with routers get DNS blocked, so they have no connectivity to the internet from any hosts on them.

Here are some deny statements from the ASA:

Deny inbound UDP from x.x.1.21/137 to x.x.5.101/137 on interface inside

Deny inbound UDP from x.x.1.21/53 to x.x.5.101/1031 due to DNS Response

Deny inbound icmp src inside:x.x.1.21 dst inside:x.x.5.101 (type 0, code 0)

And some success by pinging the inside interface of ASA from same host:

Built ICMP connection for faddr x.x.5.101/512 gaddr x.x.1.26/0 laddr x.x.1.26/0

And successful DNS from the DNS server to outside hosts:

Built outbound UDP connection 16905 for external:209.x.x.x/53 (209.x.x.x/53) to inside:x.x.1.21/4838 (65.x.x.20/1031)

So I have exhausted my knowledge and am hoping for suggestions. Thanks for reading and any help.

cheers, JD
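Added example (not part of the post, and not an ASA tool): a small Python triage of the deny lines quoted above. It separates denies that look like replies for which the ASA has no recorded connection (the DNS response and the echo-reply from x.x.1.21 to x.x.5.101) from ordinary denies, since the ASA drops return traffic whose request it never saw regardless of ACLs; the reply heuristics, the 198.51.100.7 outside-interface line and the constructed sample are my assumptions.

```python
"""Triage ASA deny lines: which dropped packets are replies the ASA never saw a
request for?  The ASA forwards a return packet only when it has a connection entry
for the request, so a DNS response or echo-reply with none is dropped, ACL or not."""
import re

UDP_DENY = re.compile(
    r"Deny inbound UDP from (?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+)"
    r"(?: on interface (?P<iface>\w+)| due to DNS (?P<dns>Response|Query))")
ICMP_DENY = re.compile(
    r"Deny inbound icmp src \w+:(?P<src>\S+) dst \w+:(?P<dst>\S+)"
    r" \(type (?P<type>\d+), code (?P<code>\d+)\)")
# Both "Built" formats quoted in the post; only the endpoint pair is used.
BUILT_ICMP = re.compile(r"Built ICMP connection for faddr (\S+)/\d+ gaddr \S+/\d+ laddr (\S+)/\d+")
BUILT_UDP = re.compile(
    r"Built (?:inbound|outbound) UDP connection \d+ for \w+:(\S+)/\d+ \(\S+\) to \w+:(\S+)/\d+ \(\S+\)")

def is_reply_shaped(d):
    """Heuristic: does the denied packet look like an answer rather than a request?"""
    if d["proto"] == "icmp":
        return d["type"] in {"0", "3", "11"}  # echo-reply, unreachable, time-exceeded
    if d["dns"] == "Response":
        return True
    return int(d["sport"]) < 1024 <= int(d["dport"])  # service port -> ephemeral port

def triage(log_text):
    """Split denies into replies with no connection state vs. ordinary denies."""
    pairs_seen, denies = set(), []
    for line in log_text.splitlines():
        if m := (BUILT_ICMP.search(line) or BUILT_UDP.search(line)):
            pairs_seen.add(frozenset(m.groups()))
        elif m := UDP_DENY.search(line):
            denies.append(dict(m.groupdict(), proto="udp"))
        elif m := ICMP_DENY.search(line):
            denies.append(dict(m.groupdict(), proto="icmp"))
    report = {"reply_without_state": [], "other_denies": []}
    for d in denies:
        stateless = is_reply_shaped(d) and frozenset((d["src"], d["dst"])) not in pairs_seen
        report["reply_without_state" if stateless else "other_denies"].append(d)
    return report

# Constructed sample: the lines quoted in the post plus one outside-interface
# deny of an unsolicited DNS query (made up, for contrast).
SAMPLE_LOG = """\
Deny inbound UDP from x.x.1.21/137 to x.x.5.101/137 on interface inside
Deny inbound UDP from x.x.1.21/53 to x.x.5.101/1031 due to DNS Response
Deny inbound icmp src inside:x.x.1.21 dst inside:x.x.5.101 (type 0, code 0)
Built ICMP connection for faddr x.x.5.101/512 gaddr x.x.1.26/0 laddr x.x.1.26/0
Built outbound UDP connection 16905 for external:209.x.x.x/53 (209.x.x.x/53) to inside:x.x.1.21/4838 (65.x.x.20/1031)
Deny inbound UDP from 198.51.100.7/40123 to x.x.1.21/53 on interface outside
"""
```

Running `triage(SAMPLE_LOG)` puts the two x.x.1.21 -> x.x.5.101 replies under `reply_without_state`, which is the bucket to chase when denies appear on an interface that has no ACL at all.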

Jim D.
