[nsp] PIX deny UDP

Christopher McCrory cisco-nsp <cisco-nsp@puck.nether.net>
14 Oct 2002 06:33:19 -0700


Hello...

You might want to add TCP also, as DNS uses both UDP and TCP:

conduit permit udp host 10.10.10.10 eq 53 any
conduit permit tcp host 10.10.10.10 eq 53 any


It also helps if you post the real addresses. Then others could actually
make queries and respond with a more informed answer.

On Mon, 2002-10-14 at 04:41, odusseus wrote:
> Hi,
> 
> In order to allow external hosts to reach my DNS server I added these few lines on the PIX (515, IOS 6.2(1)):
> 
> conduit permit udp host 10.10.10.1 eq 53 any
> conduit permit udp host 10.10.10.1 any eq 53
> 
> When I send a DNS request from an internal host, without passing through the PIX, it works fine.
> 
> But when I send a DNS request from an external host, it has to pass through the PIX and it fails.
> The host does not receive any answer due to a timeout (5 sec), although the UDP timeout on the PIX has been set to 2 min.
> 
> I got the following log message from the PIX:
> 
> %PIX-2-106007: Deny inbound UDP from 192.168.1.1/4168 to 10.10.10.1/53 due to DNS Query
> 
> When I run a tcpdump on the DNS server, I have no trace of any incoming packets so I conclude that the PIX is stopping this traffic.
> 
> Why is the PIX behaving this way?
> 
> If someone has any idea to share, he is very much welcome.
> 
> Thank you.
> 
> Regards,
> 
> Christophe
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
-- 
Christopher McCrory
 "The guy that keeps the servers running"

chrismcc@pricegrabber.com
 http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and 
no 'mute rays.' And even if there were, waxed paper is 
no defense.  I tried it.  Only tinfoil works.
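As an added illustration of the point made in the reply (not code from the thread or from Cisco), the following Python checks which of a set of PIX `conduit permit` lines cover the inbound flow reported in a `Deny inbound` syslog message, and then probes whether both UDP and TCP port 53 to the DNS server are permitted. It only understands the `host <ip>` / `any` address forms and the optional `eq <port>` spec used in the thread; the conduits and the log line are the ones quoted in the thread and are embedded here as constructed sample data.

```python
import ipaddress
import re

# Constructed sample: the two conduits and the syslog line quoted in the thread.
CONDUITS = ["conduit permit udp host 10.10.10.1 eq 53 any",
            "conduit permit udp host 10.10.10.1 any eq 53"]
DENY_LOG = ("%PIX-2-106007: Deny inbound UDP from 192.168.1.1/4168 "
            "to 10.10.10.1/53 due to DNS Query")
DENY_RE = re.compile(r"Deny inbound (\w+) from (\S+)/(\d+) to (\S+)/(\d+)")

def _addr(t, i):  # 'any' or 'host <ip>' (the shorthand used in the thread)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] != "host":
        raise ValueError(f"unsupported address spec: {t[i]}")
    return ipaddress.ip_network(t[i + 1] + "/32"), i + 2

def _port(t, i):  # optional 'eq <port>'; no spec means any port
    return ((int(t[i + 1]),) * 2, i + 2) if i < len(t) and t[i] == "eq" else ((0, 65535), i)

def parse_conduit(line):
    """conduit permit <proto> <global addr> [eq p] <foreign addr> [eq p]"""
    t = line.split()
    if t[:2] != ["conduit", "permit"]:
        raise ValueError(f"unsupported conduit line: {line}")
    g_net, i = _addr(t, 3)
    g_port, i = _port(t, i)
    f_net, i = _addr(t, i)
    return t[2].lower(), g_net, g_port, f_net, _port(t, i)[0]

def parse_deny_log(line):  # -> (proto, src, sport, dst, dport)
    proto, src, sport, dst, dport = DENY_RE.search(line).groups()
    return proto.lower(), src, int(sport), dst, int(dport)

def covering_conduits(conduits, flow):
    """Conduit lines permitting the inbound flow; the global side is the destination."""
    proto, src, sport, dst, dport = flow
    hits = []
    for line in conduits:
        c_proto, g_net, (g_lo, g_hi), f_net, (f_lo, f_hi) = parse_conduit(line)
        if (c_proto in (proto, "ip")
                and ipaddress.ip_address(dst) in g_net and g_lo <= dport <= g_hi
                and ipaddress.ip_address(src) in f_net and f_lo <= sport <= f_hi):
            hits.append(line)
    return hits

def missing_dns_protocols(conduits, server):
    """Which of udp/tcp have no conduit for a query from an ephemeral source port."""
    probe = lambda p: (p, "192.168.1.1", 4168, server, 53)  # source port as in the log
    return {p for p in ("udp", "tcp") if not covering_conduits(conduits, probe(p))}
```

With the quoted config, only the first conduit covers the logged UDP query (the second one requires source port 53), and the TCP probe finds no conduit at all, which is the gap the reply's extra `conduit permit tcp` line closes.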