
I have a client who has a Cisco ASA 5505 device. I am not familiar with these devices at all.

The client has a problem where it allows outbound traffic from an old DNS server (10.236.72.100), but not from a new DNS server (10.236.72.3).

I currently have a forwarding setup on the new server to forward DNS queries to the old server.

Old server = Windows Server 2003
New server = Windows Server 2008 R2

As far as I can tell, the issue lies with the Cisco device. Can someone please help?

Ash
  • Do you have access to the device? Can you provide its configuration? – Shane Madden May 21 '12 at 01:24
  • Yes I have administrative access to the device. What sort of configuration details are you after? – Ash May 21 '12 at 01:27
  • If it is blocking the traffic intentionally, the configuration is probably in an `access-list` - if the config was built on top of the default config, then the access list in question is probably named `inside-access-in`. But it might also be some kind of crazy NAT config, or a different access list (like an outbound one on the outside interface). If it's not too much effort, maybe provide the full configuration output from the `show running-config` command and remove any sensitive information from it? – Shane Madden May 21 '12 at 01:32
  • Thanks for your help. Here is the required config (I'm not sure if it would have pasted ok in this comment box).... http://db.tt/Ni31lmm2 – Ash May 21 '12 at 01:52
  • Just a suggestion, but you might want to remove any line with "password" or "passwd" in it. Cisco passwords can be decrypted fairly easily. – David May 21 '12 at 02:25

2 Answers


Your old DNS server is probably forwarding requests to one of the DNS servers in the dns_servers object group and being allowed by this line

access-list inside_access_in extended permit object-group TCPUDP any object-group dns_servers eq domain 

Your new server is probably acting as a recursive DNS server and trying to send requests directly to the root nameservers, TLD servers, etc. If you want your new server to behave like the old one, forward its requests to one of the servers in this object group.

object-group network dns_servers
 network-object host 10.1.224.10
 network-object host 10.2.191.51

If you want your new DNS server to work as a recursive server, add this line to your ASA configuration:

access-list inside_access_in extended permit object-group TCPUDP host 10.236.72.3 any eq domain 
resmon6
  • Thanks for your help. I have added the access-list line to the ASA config and will test DNS traffic tonight. – Ash May 22 '12 at 04:41
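The two options the answer above describes, written out as one ASA configuration fragment together with the checks used to confirm which rule the DNS traffic actually matches. This is an added example, not part of the original answer: the ACL name, object groups and addresses are the ones quoted in the answer, while the `inside` interface name, the `line 1` placement and the 8.8.8.8 test destination are assumptions for the demonstration.

```cisco
! Added example (not from the original answer). Assumes the inside
! interface is named "inside" and that inside_access_in is already
! applied inbound on it; 8.8.8.8 is only a test destination.

! The protocol group used by both permit lines (ASDM's usual definition).
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

! Option A: keep the new server a forwarder. The existing rule only
! permits DNS to the hosts in dns_servers, so the new server must
! forward its queries to 10.1.224.10 or 10.2.191.51 to be allowed.
object-group network dns_servers
 network-object host 10.1.224.10
 network-object host 10.2.191.51
access-list inside_access_in extended permit object-group TCPUDP any object-group dns_servers eq domain

! Option B: let the new server recurse to the Internet itself.
! Scope the source to the single DNS host rather than "any", so other
! inside hosts still cannot talk to arbitrary external resolvers.
! "line 1" places the rule at the top; ASA evaluates an ACL in order
! and a new line is otherwise appended after any existing deny that
! would already have dropped the traffic.
access-list inside_access_in line 1 extended permit object-group TCPUDP host 10.236.72.3 any eq domain

! Checks: list the DNS-related lines with their hit counts, then
! simulate a UDP and a TCP query from the new server. The packet-tracer
! output should show the ACCESS-LIST phase matching inside_access_in
! and end with "Action: allow"; a "drop" with a Drop-reason of
! (acl-drop) means the new line is either missing or below a deny.
show access-list inside_access_in | include domain
packet-tracer input inside udp 10.236.72.3 50000 8.8.8.8 53
packet-tracer input inside tcp 10.236.72.3 50000 8.8.8.8 53
```

With option A the only change on the ASA is none; the Windows side is pointed at the permitted resolvers instead of at the old server, for example with `dnscmd /ResetForwarders 10.1.224.10 10.2.191.51` on the 2008 R2 box. With option B, re-run `show access-list inside_access_in | include domain` after a real query from 10.236.72.3 and confirm the hit count on the new line increments; if the hits land on a later deny line instead, the rule is in the wrong position.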

Windows 2008 has an issue with TCP window autoscaling which breaks firewalls that use connection tracking (almost all do).

The issue and a fix for it are described here

https://blogs.msdn.com/b/wndp/archive/2007/07/05/receive-window-auto-tuning-on-vista.aspx?Redirected=true

topdog