Cisco ASA Security Levels

MOD-NETWORK · April 8, 2018, 11:15am

Hi, Thanks From Post,
i have Done Everything and Worked find, unfortunately my firewall Dose not Allow DNS resolution from outside interface to in inside
should i apply another ACL or inspect DNS Traffic from outside to inside and VS ?
----------------------------------------------------------------------------------------------------------------------------

ASA3/SRV-A(config)# packet-tracer input TO-OUT tcp 0.0.0.0 53 6.6.6.6  53

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   6.6.6.6         255.255.255.255 inside

Result:
input-interface: TO-OUT
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

**ASA3/SRV-A(config)# show run**
: Saved
:
: Serial Number: 123456789AB
: Hardware:   ASA5520, 512 MB RAM, CPU Pentium II 1000 MHz
:
ASA Version 9.1(5)16 <context>
!
hostname SRV-A
domain-name mod.gov.af
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 172.16.3.1 255.255.255.0
 hold-time eigrp 100 60
!
interface Ethernet2
 nameif TO-OUT
 security-level 0
 ip address 172.16.8.2 255.255.255.0
 hold-time eigrp 100 60
!
dns server-group DefaultDNS
 domain-name mod.gov.af
access-list icmp extended permit icmp any any
pager lines 24
mtu inside 1500
mtu TO-OUT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group icmp in interface TO-OUT
!
router eigrp 100
 eigrp router-id 33.33.33.33
 network 172.16.3.0 255.255.255.0
 network 172.16.5.0 255.255.255.0
 network 172.16.8.0 255.255.255.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  message-length maximum server auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:bc0fd5f01c98ca935e7632181d832257
: end