cisco ASA firewall issue

#1
Dear All,

I'm quite a novice in Cisco firewall products and really appreciate your kind help.
We have a new Cisco ASA firewall: Cisco ASA 5520 series, IOS version 8.2.

My earlier Linux Shorewall firewall was used in 2-interface mode,

so I just had an exact replica of the rules and put the ASA online.

Everything was working, but from the outside world our internal public
websites could not be reached. Also mail from Yahoo or Google bounced back,
and we were also not able to send mail to Yahoo.

We do have our own DNS server using BIND 9 hosting a couple of websites.

I reverted back to my Shorewall firewall and things were working fine.

Then I just got the clue of the message size for the ASA, that is, the last server
which was rolled to DNSSEC, and the message length has to be increased to
4096. So the second time

I did the following on my ASA.

Just to check, I ran

    show run policy-map type inspect dns

and it showed me message-length maximum 512.

So I made the change:

    conf t
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 4096
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map

and then the show run policy-map was showing me message-length maximum as
4096.

Then I put my firewall online and it was working. I mean, I did send mail to
Yahoo from my mail server and also replied; it worked fine.

But after 30 minutes our network became very, very slow, as if crawling.

I removed the Cisco ASA network cables and reverted back to my Shorewall
firewall, and all was well immediately.

Then also one of the users called me to say that the website was not working.
Then I found that my immediate upstream ISP's DNS was not able to resolve the
sites for which my DNS server is authoritative.

I tried to resolve from Google public DNS (8.8.8.) and I could resolve it.

Calling the ISP DNS admin, he said he would check, and after 4 hrs the ISP
DNS could resolve my website. He told me that he had to update his DNS
server, and that I had changed the IP address of my websites or my DNS
server had a problem, which was neither.

Now I'm just wondering what exactly the problem could be. Could the above change of the message length to 4096 have caused the problem, that is, changed records in my ISP's DNS?

Since I don't want to put the Cisco ASA online without being positive that
it's going to work smoothly.

Also, after googling, I see that the change is not required,
and some posts say that instead of just having the message length maximum at 4096
I could have

    message-length maximum client auto
    message-length maximum 512

Now I am just wondering how I could go about this.
Also, it's going to be my third time shutting down my network.

If it's a small time it's OK, and if the problem is in my network it's OK, not a big issue,
but if something goes wrong and does change my DNS records in my ISP's DNS it would be a big, serious issue, because it would take lots of delay and also their response is very slow.

I appreciate your real help and advice.

regards

simon

#2
Re: cisco ASA firewall issue

Hi sylvan_2804,

My advice is to disable the DNS inspection, and I am going to tell you why I say that. Basically, when DNS inspection is turned on (which it is by default) it "translates" or re-writes the A record on a DNS request. That is probably what caused the ISP to think that the DNS record changed and so had not updated on their servers. Below is a link that explains the DNS inspect (DNS rewrite).

http://www.cisco.com/en/US/docs/secu...html#wp1719130

Ryan


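The two mechanisms this thread turns on, the message-length limit that simon raised in post #1 and the A-record rewrite that Ryan describes in post #2, are easier to reason about on real packets. The following is an added example written for this page; it is not from the thread and not Cisco's code. It builds a constructed EDNS0 query and two constructed replies (one 49 bytes, one padded to 664 bytes with a TXT record standing in for a DNSSEC-sized answer), reports what a message-length check would do with each reply, and simulates NAT-driven A-record rewriting. Two things are assumptions: the "client auto" semantics (the reply limit is taken from the UDP payload size the client advertised in its OPT RR; otherwise the fixed maximum applies) is my reading of the documented behaviour, not verified against an ASA, and the rewrite function is a model of what DNS rewrite does, not the ASA's implementation. All names and addresses (www.example.com, 192.0.2.10, 10.0.0.10) are constructed documentation values.

```python
"""Added example (not from the thread, not Cisco code): model what a DNS inspection
engine does with 'message-length maximum' and with A-record rewriting, on constructed
DNS messages. The 'client auto' and rewrite semantics are assumptions, see lead-in."""
import struct
import ipaddress

DEFAULT_LIMIT = 512  # the ASA default 'message-length maximum' discussed in the thread

def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)

def build_edns_query(name: str, udp_payload: int = 4096, txid: int = 0x1234) -> bytes:
    """A-record query with an EDNS0 OPT RR advertising udp_payload bytes (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)    # RD; 1 question, 1 additional
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)   # root name, type OPT, CLASS=payload
    return header + _encode_name(name) + struct.pack("!HH", 1, 1) + opt

def build_reply(name: str, addrs, pad_txt: int = 0, txid: int = 0x1234) -> bytes:
    """Constructed reply: one A RR per address plus an optional TXT RR of about
    pad_txt bytes, standing in for a large (DNSSEC-sized) answer."""
    body, extra = b"", 0
    for a in addrs:  # 0xC00C points back at the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
    if pad_txt:
        chunks, left = b"", pad_txt
        while left > 0:  # TXT rdata is a run of <=255-byte character-strings
            n = min(255, left)
            chunks += bytes([n]) + b"x" * n
            left -= n
        body += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(chunks)) + chunks
        extra = 1
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, len(addrs) + extra, 0, 0)  # QR|AA|RD|RA
    return header + _encode_name(name) + struct.pack("!HH", 1, 1) + body

def parse_message(msg: bytes) -> dict:
    """Walk header, question and every RR, noting where each RR's rdata sits."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append({"name": name, "type": rtype, "class": rclass, "rdata_off": off, "rdlen": rdlen})
        off += rdlen
    return {"id": txid, "tc": bool(flags & 0x0200), "size": len(msg), "records": records}

def effective_limit(query: bytes, client_auto: bool, fixed: int = DEFAULT_LIMIT) -> int:
    """Assumed 'client auto': limit = the client's advertised OPT CLASS; else the fixed maximum."""
    if client_auto:
        for r in parse_message(query)["records"]:
            if r["type"] == 41:
                return r["class"]
    return fixed

def inspection_verdict(reply: bytes, limit: int = DEFAULT_LIMIT) -> str:
    """What a message-length check does with this reply: over the limit means dropped."""
    return "DROP" if parse_message(reply)["size"] > limit else "PASS"

def a_records(msg: bytes):
    return [str(ipaddress.IPv4Address(msg[r["rdata_off"]:r["rdata_off"] + 4]))
            for r in parse_message(msg)["records"] if r["type"] == 1 and r["rdlen"] == 4]

def rewrite_a_records(reply: bytes, nat_map: dict) -> bytes:
    """Simulated DNS rewrite ('doctoring'): swap A-record rdata according to a NAT
    mapping {address_in_reply: replacement}; everything else is left byte-for-byte."""
    out = bytearray(reply)
    for r in parse_message(reply)["records"]:
        if r["type"] == 1 and r["rdlen"] == 4:
            o = r["rdata_off"]
            seen = str(ipaddress.IPv4Address(reply[o:o + 4]))
            if seen in nat_map:
                out[o:o + 4] = ipaddress.IPv4Address(nat_map[seen]).packed
    return bytes(out)

if __name__ == "__main__":   # constructed sample: RFC 5737/1918 addresses, example.com
    q = build_edns_query("www.example.com.")
    small = build_reply("www.example.com.", ["192.0.2.10"])
    large = build_reply("www.example.com.", ["192.0.2.10"], pad_txt=600)
    print("client auto limit:", effective_limit(q, True), "| 664-byte reply under 512:",
          inspection_verdict(large), "| under client auto:", inspection_verdict(large, effective_limit(q, True)))
    print("A record after rewrite:", a_records(rewrite_a_records(small, {"192.0.2.10": "10.0.0.10"})))
```

Running it shows the practical point of the thread: a 664-byte reply is dropped under the default 512-byte limit but passes when the limit follows the 4096 bytes the client advertised, and a rewrite rule that matches an address in a reply silently changes what every downstream resolver caches. Before changing the limit in production, measure the actual size of your own zone's responses (the `parse_message` size field is exactly what the inspection compares), and before enabling rewrite, confirm which addresses any NAT-with-DNS rule would touch.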
#3
Re: cisco ASA firewall issue

Dear Ryan,

Thanks a million, and I really appreciate your immediate and wise reply. Just reading and googling, I found that with ASA 8.2 or later I can just set the message length to auto,

so I could have the commands below:

    message-length maximum client auto
    message-length maximum 512

And can you please tell me what the exact command for disabling DNS inspection is?

Sorry for being so immature, but I just want to be cautious, and when I do plug the ASA firewall into my network I want it to work and not have the problem a 3rd time.

Especially, I don't want my ISP's servers to think my A records have changed,

because I had a real tough time contacting my ISP, almost 8 hrs, and only after that were things OK, even though after 30 to 45 min I had put back my Linux Shorewall firewall.

Also, the guy claimed he had to update his DNS. I don't know what he meant by that.

So thanks a lot once again, and I really would appreciate your help.


#4
Re: cisco ASA firewall issue

You're welcome... the command is 'no inspect dns [map_name]' to disable the DNS inspection.

Ryan


#5
Re: cisco ASA firewall issue

Dear Ryan,

Thanks for the immediate reply. Your reply has been so wise and so simple.
I had posted a post but it did not show up here, so I am sending it again.
As you know, I had run the commands below:

    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 4096
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map

So now, just to revise again and take your wise advice, I guess I need to do the following in steps:

    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default

and

    no inspect dns preset_dns_map

I guess these steps are precise and I am not missing anything,
and I guess when I do get my ASA online everything should go smoothly.
Please do let me know about this.

As you know, I just have fears and don't want to get into the same mess a 3rd time.

As I had mentioned before, if there are some issues about accessing our servers or other services it's not a real problem, because I can switch back to my Linux Shorewall firewall, but if my upstream ISP's DNS is not able to resolve my websites it's really a mess, because the ISP admins are extremely slow to respond.

Also, as a matter of curiosity, I had 2 issues that were noticed after I had put the ASA online with the above commands.

1) Our network became extremely slow, as if it was crawling, and that too after 20 to 30 minutes or so. Let me explain that.

After checking that I could send and receive mail from my network, I did go home, and I do have a 2 Mb DSL link direct to my company.
Normally, if I ping from my home PC to any network servers or routers the delay is about 10 to 15 ms,
but that time I used to get request time outs. Also, for SSH to my router I had to wait for over a minute, and when entering the username the letters were crawling.
Also the remote users had problems accessing our sites.

Soon the Cisco ASA was disconnected and the Linux firewall was put back, and then immediately the network was normal as before.

And then I just noticed that my immediate upstream ISP had a resolving problem, to which your reply was so wise and perfectly genuine, which goes to say that the DNS inspection caused the issues.

But I'm just wondering if the same thing caused my network to bog down.

Once again, thanks a million, and I would appreciate it if you could tell me whether I am missing something on my Cisco ASA before I put it online.

I do feel so stupid for being like a kid and do apologize for the same, and also appreciate your infinite patience and understanding.

regards

simon


#6
Re: cisco ASA firewall issue

Dear Ryan,

I am going to hook up my firewall tomorrow, so I just want to be sure before I do it.

So I would highly appreciate it if you could just go through my last post and advise me.

Below I repeat:

    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 4096
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map

So now, just to revise again and take your wise advice, I guess I need to do the following in steps:

    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default

and

    no inspect dns preset_dns_map

Will having client auto and max length 512 be OK, or do I just need client auto without max length 512?

I would highly appreciate your reply.

regards

simon


#7
Re: cisco ASA firewall issue

(Quoting simon's post #6 above in full.)
By disabling the DNS inspection map, all of the configuration settings you have configured for the DNS inspection map will be disabled. I think you should be OK. As always, back your config up so that if something gets FUBARed then it's easy to put everything back. If you need more assistance we can talk offline, and then once you are up and running post your fix so that all can share the "wealth", so to speak. I am available via IM... I would just need a post to coordinate with you.


#8
Re: cisco ASA firewall issue

Dear Ryan,

I really appreciate your help.
To be honest with you, I'm not a Cisco expert, but am just getting to do things around.
I have been working more on Linux, but as a network admin I have to handle various tasks including Windows servers, SEPM, and various networking devices, mostly Cisco routers and switches.
The firewall is the first.
In fact Shorewall too is an excellent product... absolutely no issues for the past 5 to 6 years.
The hardware was just Pentium 3 machines with 384 RAM.
Guess you're going to have a loud laugh.

By the way, I would just like to know about the client length command:

    message-length maximum client auto
    message-length maximum 512

Should I have both of these, or will just the first do, or does having both not matter?
Waiting for your reply.

Thanks and regards,

once again, for your kind help.

And sure, I'm going to post my reply.


#9
Re: cisco ASA firewall issue

Having them both should not matter as long as the inspection is disabled. In fact, I would leave them in case at some point you want to tighten things up and start inspecting DNS traffic... you will have minimal configuration to do.


#10
Re: cisco ASA firewall issue

Dear Ryan,

Thanks so much once again. I disabled the DNS inspection.

I just want to paste here a part of the config... guess it's OK now.

The config which was before:
----------------------------------
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:60928a3d5da7dbdcce2745e8ddd7ad23

-------------------------------------------

This is after I removed DNS inspection:

ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d8e98dc17ebbd781d1c7d45bbb015714
: end

Guess this should be fine.

Once again, so sorry for the bother, and I really appreciate your patience.

Please do let me know.

regards

simon
