
I have run into a problem with the possibility that a client on the network inside the Cisco ASA can send queries to a non-existent DNS server.

    ASA Version 8.4(2)
    !
    hostname ciscoasa
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 210.0.2.9 255.255.255.252
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 210.0.2.2 255.255.255.252
    !
    object network inside
     host 210.0.2.10
    object network outside
     host 210.0.2.1
    !
    route outside 0.0.0.0 0.0.0.0 210.0.2.1 1
    route inside 0.0.0.0 0.0.0.0 210.0.2.10 1
    !
    access-list IN-OUT extended permit tcp any any eq www
    access-list IN-OUT extended permit tcp any any eq domain
    access-list IN-OUT extended permit tcp any any eq smtp
    access-list IN-OUT extended permit tcp any any eq pop3
    access-list IN-OUT extended permit udp any any eq domain
    access-list IN-OUT extended permit icmp any any
    access-list OUT-Server extended permit tcp any any eq domain
    access-list OUT-Server extended permit tcp any any eq smtp
    access-list OUT-Server extended permit tcp any any eq pop3
    access-list OUT-Server extended permit udp any any eq domain
    access-list OUT-Server extended permit icmp any any
    !
    access-group IN-OUT in interface inside
    access-group OUT-Server in interface outside
    access-group IN-OUT out interface inside
    access-group OUT-Server out interface outside
    !
    telnet timeout 5
    ssh timeout 5

Thank you for reading.

병민이

1 Answer


Your question seems somewhat vague. Are you trying to force the clients to use specific DNS servers? If that is the case, you need to fix your ACL, which is allowing "domain" traffic to "any" servers.

You need to add access to the specific servers on UDP/TCP port 53. (Mostly it will be UDP; however, TCP is used for zone transfers and payloads over 512 bytes.)

Nish
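As an added example that is not part of the question or of Nish's answer: a small Python script that scans the posted IN-OUT access-list for "eq domain" entries whose destination is "any" and emits the replacement entries the answer describes, pinned to two hypothetical resolver addresses (198.51.100.53 and 198.51.100.54 are documentation-range placeholders; the function names are assumptions as well). Because the ASA evaluates an ACL top-down and stops at the first match, the host-specific permits must come before the catch-all deny; the deny carries the ASA `log` keyword so that clients still pointed at a stray or non-existent resolver show up in syslog.

```python
"""Audit a Cisco ASA extended access-list for DNS rules that permit queries to
any destination, and emit replacement lines that pin DNS to named resolvers.

Added example; not code from the original question or answer.  POSTED_ACL holds
the IN-OUT lines from the question; the resolver addresses and function names
are assumptions for illustration."""

from typing import Dict, List, Optional, Tuple

# ACL entries as posted in the question (IN-OUT is bound to the inside interface).
POSTED_ACL = """\
access-list IN-OUT extended permit tcp any any eq www
access-list IN-OUT extended permit tcp any any eq domain
access-list IN-OUT extended permit tcp any any eq smtp
access-list IN-OUT extended permit tcp any any eq pop3
access-list IN-OUT extended permit udp any any eq domain
access-list IN-OUT extended permit icmp any any
"""

# Hypothetical resolvers the inside clients should be limited to (TEST-NET-2 addresses).
ALLOWED_DNS_SERVERS = ["198.51.100.53", "198.51.100.54"]

DNS_PORTS = {"domain", "53"}


def _take_address(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address term of an ASA extended ACE: any | host A | object N | A MASK."""
    head = tokens[0]
    if head in ("any", "any4", "any6"):
        return head, tokens[1:]
    if head in ("host", "object", "object-group"):
        return f"{head} {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]  # network/mask pair


def _skip_port_operator(tokens: List[str]) -> List[str]:
    """Skip an optional source-port qualifier (eq/gt/lt/neq X or range X Y)."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        return tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[3:]
    return tokens


def parse_ace(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse 'access-list NAME extended ACTION PROTO SRC [port] DST [eq PORT] ...'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    try:
        name, action, proto = t[1], t[3], t[4]
        src, rest = _take_address(t[5:])
        rest = _skip_port_operator(rest)
        dst, rest = _take_address(rest)
    except IndexError:  # truncated or non-standard entry
        return None
    dst_port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dst_port": dst_port}


def open_dns_aces(acl_text: str) -> List[str]:
    """Return the entries that let any client reach *any* DNS server on port 53."""
    found = []
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if (ace and ace["action"] == "permit"
                and ace["dst_port"] in DNS_PORTS and ace["dst"] == "any"):
            found.append(line)
    return found


def pinned_dns_aces(acl_name: str, servers: List[str]) -> List[str]:
    """Replacement entries: permit UDP and TCP/53 only to the named resolvers, then
    deny (and log) DNS to anything else.  First match wins on the ASA, so the host
    permits must precede the deny."""
    out = [f"access-list {acl_name} extended permit {proto} any host {srv} eq domain"
           for srv in servers for proto in ("udp", "tcp")]
    out += [f"access-list {acl_name} extended deny {proto} any any eq domain log"
            for proto in ("udp", "tcp")]
    return out


def rewrite_acl(acl_text: str, servers: List[str]) -> List[str]:
    """Return the ACL with the open DNS entries replaced, at their position, by the pinned block."""
    weak = set(open_dns_aces(acl_text))
    result: List[str] = []
    inserted = False
    for line in acl_text.splitlines():
        if line in weak:
            if not inserted:
                result.extend(pinned_dns_aces(parse_ace(line)["name"], servers))
                inserted = True
            continue  # drop every open DNS entry
        result.append(line)
    return result


if __name__ == "__main__":
    for bad in open_dns_aces(POSTED_ACL):
        print("open DNS rule:", bad)
    print("\n".join(rewrite_acl(POSTED_ACL, ALLOWED_DNS_SERVERS)))
```

On the firewall itself the equivalent change is to remove the two `any any eq domain` lines with `no access-list ...` and enter the emitted ones in the order printed, since a permit added after the deny would never be reached. Note that in the posted configuration IN-OUT is bound to the inside interface in both directions, so the replacement entries apply in both directions as well.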