IEOC CCIE Forums - INE's Online Community
Latest post 02-05-2010 12:53 AM by Kingsley. 3 replies.
  • 02-04-2010 8:02 PM

    ASA %ASA-2-106007: Deny inbound UDP from PROBLEM

    Hi, I'm experiencing this trouble with one of my labs; this is in production and I am getting this message about DNS queries: my DNS requests or queries are not completed.

    My DNS is on the inside and the users making the DNS queries are on the outside. There is no nat-control in the FW, so I just have the access rules to allow the DNS requests from outside to inside (the requests are actually allowed in the log), and then I get the message:

    %ASA-2-106007: Deny inbound UDP from Inside 10.236.23.1 to outside 10.34.2.2 response.

    I did the following:

    I disabled the DNS inspect ---- does not work

    I changed the max DNS packet ---- does not work

    I created a static rule with nat 0 ---- does not work

    I created the static nat 0 with DNS doctoring ---- does not work

    I guessed DNS doctoring would make this work, but it is not helping.

     

    Somebody help me!!!

     

    Thanks

    • Post Points: 20
  • 02-04-2010 10:08 PM In reply to

    Re: ASA %ASA-2-106007: Deny inbound UDP from PROBLEM

    Seems to be a problem in the DNS connection. Actually, I didn't follow where your IP addresses sit. Just try to add an ACL permitting the DNS traffic.

    access-list dns extended permit udp any eq 53 any

     

    It seems, there is a mismatch between the request packet and response packet.

     

     

    106007

    Error Message    %PIX|ASA-2-106007: Deny inbound UDP from outside_address/outside_port 
    to inside_address/inside_port due to DNS {Response|Query}.
    

    Explanation    This is a connection-related message. This message is displayed if a UDP packet containing a DNS query or response is denied.

    Recommended Action    If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53 and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.

     

    http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html

     

     

    With regards

    Kings

     

    CCNA,CCSP,CCNP,CCIP,CCIE #35914 (Security)

    • Post Points: 20
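The Recommended Action quoted above turns on which side of the dropped datagram carries port 53. The following script is an added example, not code from the thread or from Cisco: it parses 106007 lines in the documented format, applies that heuristic, and counts which servers are sending the dropped answers, so the output tells you directly whether you are looking at the "caching name server needs an ACL and an xlate" case or the "slow server, answered elsewhere" case. The sample log lines are constructed; the addresses are the poster's, the client ports and timestamps are made up.

```python
import re
from collections import Counter

# Regex for the documented 106007 text quoted above:
#   Deny inbound UDP from <src>/<sport> to <dst>/<dport> due to DNS {Response|Query}
MSG_RE = re.compile(
    r"%(?:PIX|ASA)-2-106007: Deny inbound UDP from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"due to DNS (?P<kind>Query|Response)"
)


def parse_106007(line):
    """Return the fields of a 106007 line as a dict, or None for any other message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def triage(event):
    """Classify one event using the Recommended Action from the message guide."""
    if event["dport"] == 53:
        # Traffic towards a host listening on 53: the guide says it is probably a
        # caching name server that needs an ACL entry and a translation (xlate).
        return "query-to-inside-53"
    if event["sport"] == 53:
        # An answer from port 53 arriving when the firewall no longer expects one:
        # the guide attributes this to a slow server, the query having already
        # been answered by another server.
        return "late-or-duplicate-response"
    return "other"


def summarize(lines):
    """Count 106007 events by cause and by the server that sent the dropped answer."""
    events = [e for e in map(parse_106007, lines) if e is not None]
    by_cause = Counter(triage(e) for e in events)
    by_server = Counter(e["src"] for e in events if e["sport"] == 53)
    return {
        "total": len(events),
        "by_cause": dict(by_cause),
        "responding_servers": dict(by_server),
    }


# Constructed sample log (not from the thread): 10.23.3.4 is the outside client,
# 10.236.23.2 the inside DNS server, 10.236.23.9 a made-up second server.
SAMPLE_LOG = [
    "Feb 04 2010 20:01:33: %ASA-6-302015: Built inbound UDP connection 1442 for "
    "outside:10.23.3.4/40123 (10.23.3.4/40123) to inside:10.236.23.2/53 (10.236.23.2/53)",
    "Feb 04 2010 20:01:34: %ASA-2-106007: Deny inbound UDP from 10.236.23.2/53 to 10.23.3.4/40123 due to DNS Response",
    "Feb 04 2010 20:01:34: %ASA-2-106007: Deny inbound UDP from 10.236.23.2/53 to 10.23.3.4/40124 due to DNS Response",
    "Feb 04 2010 20:01:35: %ASA-2-106007: Deny inbound UDP from 10.236.23.9/53 to 10.23.3.4/40125 due to DNS Response",
    "Feb 04 2010 20:01:36: %ASA-2-106007: Deny inbound UDP from 10.23.3.4/40126 to 10.236.23.2/53 due to DNS Query",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run it against `show logging` output or a syslog export: a high `late-or-duplicate-response` count from one server address is the response-side problem discussed in this thread, while `query-to-inside-53` events point at the ACL/xlate fix from the message guide.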
  • 02-04-2010 11:45 PM In reply to

    Re: ASA %ASA-2-106007: Deny inbound UDP from PROBLEM

    Hey Kingsley, in fact I have two ACLs, one for inbound and one for outbound. I'm allowing the TCP and UDP domain ports; the first connection, the DNS query, gets inside through the outside interface, and then when the reply is going back the message appears. Both ACLs are matching packets.

    About my example, hehe, this may help:

    As an example, my DNS server is 10.236.23.2 on INSIDE, and the request comes from a host on OUTSIDE, 10.23.3.4:

    %PIX|ASA-2-106007: Deny inbound UDP from INSIDE ( 10.236.23.2/53)
    to OUTSIDE (10.23.3.4)  due to DNS Response

    It is so weird. I thought maybe of redirecting the port to other equipment to make a kind of bypass of the inspection, because the FW is treating this event like an attack.

    Any other idea?

    Thanks for your help

    • Post Points: 20
  • 02-05-2010 12:53 AM In reply to

    Re: ASA %ASA-2-106007: Deny inbound UDP from PROBLEM

    On the inside interface, can you try to add the following:

    access-list dns extended permit ip any any

    access-group dns in interface inside

    This should permit any traffic.

    If you are still facing the issue even after adding the above command, then there is a problem in the response packet.

    The inspection check is failing, there is something in the response packet for which the ASA is dropping the packet.

     

    As per the Cisco error doc, this error would come if the response comes from a DNS server different from the one the request was sent to.

     

    Maybe, if you can put the complete picture of your deployment, it would be helpful.

     

    With regards

    Kings

     

    CCNA,CCSP,CCNP,CCIP,CCIE #35914 (Security)

    • Post Points: 5
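The point made in this reply is that the drop is not an ACL decision but an inspection decision: the response has to match the state the firewall built from the query. The model below is an added example written for this thread, not the ASA's implementation; it assumes three things about UDP/53 handling (a query opens a pinhole keyed by client, client port, server and transaction ID; the first matching answer is permitted and closes that pinhole, which is how DNS Guard tears the UDP connection down after one reply; any other "response" is denied with a 106007-style message) and then shows which exchanges pass and which do not. The scenarios are constructed with the poster's addresses; 10.236.23.9 is a made-up second server and the client ports and IDs are invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    """One UDP datagram carrying DNS, reduced to the fields the model checks."""
    src: str
    sport: int
    dst: str
    dport: int
    txid: int          # 16-bit transaction ID from the DNS header
    is_response: bool  # the QR bit


class DnsGuardModel:
    """Simplified model (an assumption, not the ASA code) of inspected UDP/53.

    A query opens a pinhole; the first answer matching that pinhole is permitted
    and closes it; every other packet claiming to be an answer is denied and
    logged the way the thread's 106007 messages look.
    """

    def __init__(self):
        self.pinholes = set()
        self.syslog = []

    def process(self, pkt):
        if not pkt.is_response:
            self.pinholes.add((pkt.src, pkt.sport, pkt.dst, pkt.txid))
            return "permit"
        # An answer must come back from the server the query went to, to the
        # same client port, and carry the same transaction ID.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.txid)
        if key in self.pinholes:
            self.pinholes.discard(key)  # one answer per query, then tear down
            return "permit"
        self.syslog.append(
            f"%ASA-2-106007: Deny inbound UDP from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} due to DNS Response"
        )
        return "deny"


# Constructed addresses: outside client, inside DNS server, made-up second server.
CLIENT, SERVER, OTHER_SERVER = "10.23.3.4", "10.236.23.2", "10.236.23.9"


def query(cport, txid, server=SERVER):
    return DnsPacket(CLIENT, cport, server, 53, txid, False)


def answer(cport, txid, server=SERVER):
    return DnsPacket(server, 53, CLIENT, cport, txid, True)


def run_scenarios():
    """Run four exchanges through one firewall instance; return the verdicts and log."""
    fw = DnsGuardModel()
    results = {}

    # 1. Plain query/answer: permitted.
    fw.process(query(40123, 0x1A2B))
    results["normal"] = fw.process(answer(40123, 0x1A2B))

    # 2. The server (or a second server) answers the same query twice: the
    #    pinhole closed on the first answer, so the duplicate is denied.
    fw.process(query(40124, 0x2C3D))
    fw.process(answer(40124, 0x2C3D))
    results["duplicate_answer"] = fw.process(answer(40124, 0x2C3D))

    # 3. The answer arrives from a server the query was never sent to.
    fw.process(query(40125, 0x3E4F))
    results["answer_from_other_server"] = fw.process(answer(40125, 0x3E4F, OTHER_SERVER))

    # 4. Right server, right ports, but the transaction ID does not match.
    fw.process(query(40126, 0x5061))
    results["txid_mismatch"] = fw.process(answer(40126, 0x5062))

    results["log"] = list(fw.syslog)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(name, verdict)
```

Cases 3 and 4 are the "mismatch between the request packet and the response packet" this reply describes; case 2 is what a server that answers twice, or two servers answering one forwarded query, looks like in the log. What the model does not cover is the ACL and NAT checks that happen before inspection, which the poster says are already passing.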
© 2010 Internetwork Expert, Inc. All Rights Reserved