Firewall Wizards mailing list archives
Re: Cisco FWSM/ASA Question
From: "Farrukh Haroon" <farrukhharoon () gmail com>
Date: Mon, 6 Aug 2007 11:06:24 +0300
Hello Matthew

On which zone is the Domain Controller and on which zone is the Client? Is there a possibility that another DNS Server is responding to requests?

As per the Cisco Documentation:

106007
Error Message %FWSM-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.
Explanation This is a connection-related message. This message is logged if a UDP packet containing a DNS query or response is denied.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching name server. Add an *access-list* command statement to permit traffic on UDP port 53. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.

Since everything is allowed, it cannot be an ACL issue.

Regards
Farrukh

On 7/27/07, Matthew Watkins <matt () idnet net> wrote:
> I'm investigating a problem with Windows client computers situated behind a pair of redundant firewall services modules (installed in a Cisco Catalyst 6513 switch). There's a new domain controller on one VLAN, and our Windows/PC clients sit on another. Both networks are routed through the FWSM, and general network connectivity seems fine.
>
> The firewall blades are running the latest version of the FWSM/ASA code:
>
> FWSM Firewall Version 3.1(6)
>
> Basically, my Mac laptop running OS X seems to connect to all parts of the network without problems. It can mount shares, resolve DNS etc... However, the Windows desktop clients seem unable to log on to the domain when booted up behind the firewall.
>
> Initially, I thought the problem might be related to DNS protocol inspection, since we were seeing the log messages below:
>
> Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1026 due to DNS Response
>
> I've subsequently removed DNS inspection from the global default rules, but it hasn't made any difference.
>
> This is a new site which we are in the process of building, so the access-lists for both networks are currently wide open:
>
> access-list PERMISSIVE extended permit ip any any
> access-group PERMISSIVE in interface inside
> access-group PERMISSIVE in interface office-wired
> access-group PERMISSIVE in interface office-dmz
>
> We've created a stripped down domain user account, with no DFS shares or home drive mappings, and this user account can successfully log in to the domain. Our servers are all running Win2K3.
>
> Any ideas what the problem might be? I'm not seeing messages in the logs, and I'm a bit confused about the possible cause... Any ideas gratefully received!
>
> - Matt
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
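The two explanations Cisco gives for 106007 (inside port 53 versus outside port 53) are easy to check mechanically over a syslog capture, and so is Farrukh's question about whether a second DNS server is answering the same client. The following Python is an added example written for this archive page, not code from the thread or from Cisco; it assumes the message layout shown in Matt's log line and uses constructed sample lines (only the first one is the line quoted above).

```python
import re
from collections import defaultdict

# Shape of the 106007 line as quoted in the thread (assumed constant across lines).
LOG_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) %FWSM-2-106007: "
    r"Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) due to DNS (?P<kind>Response|Query)"
)

def parse_106007(line):
    """Return the fields of one 106007 line, or None if the line is something else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Apply the two cases from the Cisco text quoted in the thread.
    'inbound ... to inside_address/inside_port' means dst/dport is the inside side."""
    if rec["dport"] == 53:
        return "inside-host-is-name-server"   # Cisco: permit UDP/53 with an access-list
    if rec["sport"] == 53:
        return "late-or-duplicate-response"   # Cisco: another server already answered
    return "other"

def analyse(lines):
    """Count denials per case and list client sockets that received denied
    responses from more than one server (the 'another DNS server' hypothesis)."""
    records = [r for r in map(parse_106007, lines) if r]
    counts = defaultdict(int)
    servers_per_client = defaultdict(set)
    for r in records:
        counts[classify(r)] += 1
        if r["kind"] == "Response":
            servers_per_client[(r["dst"], r["dport"])].add(r["src"])
    multi = {k: sorted(v) for k, v in servers_per_client.items() if len(v) > 1}
    return {"parsed": len(records), "counts": dict(counts), "multi_server_clients": multi}

# Constructed sample: SAMPLE[0] is the line from the thread; the rest are made up.
HDR = "Jul 26 16:55:21 cam-sh-fw1-inside.redstardevelopment.com %FWSM-2-106007: "
SAMPLE = [
    HDR + "Deny inbound UDP from 172.17.50.3/53 to 172.29.6.2/1026 due to DNS Response",
    HDR + "Deny inbound UDP from 172.17.50.4/53 to 172.29.6.2/1026 due to DNS Response",
    HDR + "Deny inbound UDP from 10.9.8.7/40000 to 172.29.6.10/53 due to DNS Query",
    "Jul 26 16:55:31 cam-sh-fw1-inside.redstardevelopment.com unrelated message",
]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A client socket listed under multi_server_clients received answers from two different servers on the same query port, which is the situation the reply asks Matt to rule out.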