[nsp] PIX deny UDP

Darren Bolding darren@bolding.org
Mon, 14 Oct 2002 09:29:11 -0700 

53/TCP can also be used for lookup's, but this is not commonly used.

FYI.

--D

-----Original Message-----
From: cisco-nsp-admin@puck.nether.net
[mailto:cisco-nsp-admin@puck.nether.net] On Behalf Of Jarrod Baumann
Sent: Monday, October 14, 2002 6:22 AM
To: cisco-nsp
Cc: odusseus
Subject: Re: [nsp] PIX deny UDP

Actually.. by default PIX does somewhat "stateful" UDP connections.  If
you have an outgoing DNS query it will keep the outgoing UDP connection
in its state table and allow *1* corresponding packet back thru as long
as it is going from a higher security interface to a lesser one.  I
believe
DNS is one of the fixup protocols by default.  

If you are going from an interface with lesser security, you will need 
either a conduit(old) or an access-list provided there is no NAT.. in
that case you would also need a static translation.  

53/TCP is only for zone transfers, not lookups.

Jarrod

On 14 Oct 2002, Christopher McCrory wrote:

:Hello...
:
:you might want to add tcp also as DNS uses both udp and tcp
:
:conduit permit udp host 10.10.10.10 eq 53 any
:conduit permit tcp host 10.10.10.10 eq 53 any
:
:
:It also helps if you post the real addresses. then others could
actually
:make queries and respond with a more informed answer.
:
:On Mon, 2002-10-14 at 04:41, odusseus wrote:
:> Hi,
:> 
:> In order to allow external hosts to reach my DNS server I add this
few lines on the PIX (515, IOS 6.2(1)):
:> 
:> conduit permit udp host 10.10.10.1 eq 53 any
:> conduit permit udp host 10.10.10.1 any  eq 53
:> 
:> When I send a DNS request from an internal host, without passing
through the PIX, it works fine.
:> 
:> But I when I send a DNS request from an external host, it has to pass
through the PIX and it failed.
:> The host does not receive any answer due to timeout (5sec), although
the udp timeout from the PIx has been set up to 2 min.
:> 
:> I got the following log message from the PIX:
:> 
:> %PIX-2-106007: Deny inbound UDP from 192.168.1.1/4168 to
10.10.10.1/53 due to DNS Query
:> 
:> When I run a tcpdump on the DNS server, I have no trace of any
incoming packets so I conclude that the PIX is stopping this traffic.
:> 
:> Why is the PIX is behaving this way?
:> 
:> If someone has any idea to share, he is very much welcome.
:> 
:> Thank you.
:> 
:> Regards,
:> 
:> Christophe
:> ------------------------------------------
:> 
:> Faites un voeu et puis Voila ! www.voila.fr 
:> 
:> _______________________________________________
:> cisco-nsp mailing list  real_name)s@puck.nether.net
:> http://puck.nether.net/mailman/listinfo/cisco-nsp
:> archive at http://puck.nether.net/pipermail/cisco-nsp/
:

_______________________________________________
cisco-nsp mailing list  real_name)s@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/