Cisco ASA blocking traffic from DNS server

cisco-asawindows-server-2008-r2

I have a client who has a Cisco ASA 5505 device. I am not familiar with these devices at all.

The client has a problem where it allows outbound from traffic from an old DNS server (10.236.72.100), but not from a new DNS server (10.236.72.3).

I currently have a forwarding setup on the new server to forward DNS queries to the old server.

Old server = Windows Server 2003
New server = Windows Server 2008 R2

As far as I can tell, the issue lies with the Cisco device. Can someone please help?

Best Answer

Your old DNS server is probably forwarding requests to one of the DNS servers in the dns_servers object group and being allowed by this line

access-list inside_access_in extended permit object-group TCPUDP any object-group dns_servers eq domain

Your new server is probably acting as a recursive DNS server and trying to send requests directly to the root nameservers, TLD servers, etc. If you want your new server to behave like the old one, forward its requests to one of the servers in this object group.

object-group network dns_servers
 network-object host 10.1.224.10
 network-object host 10.2.191.51

If you want your new DNS server to work as a recursive server, add this line to your ASA configuration:

access-list inside_access_in extended permit object-group TCPUDP host 10.236.72.3 any eq domain

Related Solutions

Cisco ASA 5505 – L2TP over IPsec

Can you post the output of your log while trying to establish a vpn connection at the debugging level? (in the asdm go to Monitoring -> Logging -> set logging level to debug in the drop down -> click view)

Also unless there is a compelling reason to stay at 7.2(4) I would upgrade to the latest 8.x release. The 7.2 series had some pretty major issues.

EDIT

That error means that the interface the incoming vpn is setup on doesn't have a crypto-map applied.

if you were following the instructions there, you probably applied the crypto map like this:

crypto map outside_map interface outside

if you are testing on the same lan you would need to do this:

crypto map outside_map interface inside

Ugly i know but it'll let you test, then remove from the inside interface and you are good to go.

If that doesn't work, would you be willing put post your running config?

EDIT 2:

Ok, lets simplify this config a little. Try disconnecting the XP machine from the ASA. And also remove the 192.168.1.1 ip address and DHCP pool from the ASA. Then try to connect via the vpn.

Nat – PPTP pass through on Cisco ASA 5505 (8.2)

The stock ASA configuration does not include support for PPTP passthrough by default -- crazy as to why. Cisco TAC likely gets a handful of cases related to this...

There are at most three things required to get PPTP working through an ASA

If server is behind ASA

Configure necessary NAT/PAT if using NAT/PAT (Optional but usually required)
ACL permit TCP/1723 to server/IP (whether real, mapped, or interface depends on ASA version)
Enable PPTP inspection
- Explicit ACL permit for GRE is not necessary

If client is behind ASA

Enable PPTP inspection

Server example

ASA outside interface IP 1.1.1.2/30
Server inside IP 10.0.0.10/24
Static PAT (port forwarding) TCP/1723 using ASA outside interface IP

ASA 8.3 and newer (with focus on objects)

object network hst-10.0.0.10
 description Server
 host 10.0.0.10
object network hst-10.0.0.10-tcp1723
 description Server TCP/1723 Static PAT Object
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 1723 1723

object-group service svcgrp-10.0.0.10 tcp
 port-object eq 1723

access-list outside_access_in extended permit tcp any object hst-10.0.0.10 object-group svcgrp-10.0.0.10-tcp
access-group outside_access_in in interface outside

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

ASA 8.2 and prior

access-list outside_access_in extended permit tcp any interface outside eq 1723

access-group outside_access_in in interface outside

static (inside,outside) tcp interface 1723 10.0.0.10 1723 netmask 255.255.255.255

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

Client example

Valid for all ASA OS versions

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

If these examples don't fit your scenario post your specifics and we can customize a config for you.

Best Answer

Related Solutions

Cisco ASA 5505 – L2TP over IPsec

Nat – PPTP pass through on Cisco ASA 5505 (8.2)

Related Topic