[nsp] Re: [nsp] PIX deny UDP

Zhang, Anchi AZhang@reliant.com
Mon, 14 Oct 2002 12:47:54 -0500


From your PIX log, it is clear that the PIX is blocking incoming packets
to your nameserver at UDP 53.  From your explanations it seems that your
configs are correct and that my suggestions that you should look for
suspicious denies before the permit and try

access-list outside permit udp any eq domain host 10.10.10.1
access-group outside in interface outside

did not help.  The only two things left to suggest are

1. clear xlate (you will lose all the ongoing TCP sessions).
2. send us (or just me) your configs, even your partial configs with IP
addresses modified that you think are related to this problem if you
wish.

Anchi


-----Original Message-----
From: odusseus [mailto:odusseus@voila.fr]
Sent: Monday, October 14, 2002 10:38 AM
To: cisco-nsp
Subject: [nsp] Re: [nsp] PIX deny UDP


Hi,

> you might want to add tcp also as DNS uses both udp and tcp
>
> conduit permit udp host 10.10.10.10 eq 53 any
> conduit permit tcp host 10.10.10.10 eq 53 any

I tried, without result. I also modified my access-list; there are no
matches for tcp but there are for udp.

With the udp port an internal host can get answers from the DNS server.
External host cannot. The main differences are the routers, the VLANs
involved and the PIX.

The last trace of the DNS query from the external host is on the PIX. A
tcpdump on the server shows no incoming packet apart from the ICMP
ones.

Thank you.

Regards,

Christophe
------------------------------------------


_______________________________________________
cisco-nsp mailing list
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
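To make the "look for suspicious denies before the permit" advice concrete, here is an added example (not from the thread) that parses PIX 6.x-style access-list entries and evaluates them first-match, as the PIX does, so a broader deny placed ahead of the suggested permit can be seen shadowing it. In this syntax a port qualifier binds to the address spec it follows, so `any eq domain` constrains the source port, and the evaluator treats it that way; the sample packets and the 192.0.2.7 source address are constructed.

```python
import ipaddress

# Service names the PIX accepts in place of numbers; only the one used above.
PORT_NAMES = {"domain": 53}

def _addr(tokens):
    """Consume one PIX address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list NAME {permit|deny} PROTO SRC [eq P] DST [eq P]' lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue
        name, action, proto = parts[1], parts[2], parts[3]
        src, rest = _addr(parts[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        rules.append((name, action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, name, proto, src_ip, sport, dst_ip, dport):
    """First matching entry wins, as on the PIX; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rname, action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rname != name or rproto not in (proto, "ip"):
            continue
        if s in rsrc and d in rdst and rsport in (None, sport) and rdport in (None, dport):
            return action
    return "deny"

# Constructed configs: the entry suggested in the thread on its own, and the
# same entry behind a broader deny earlier in the list (the "suspicious deny").
ACL_OK = "access-list outside permit udp any eq domain host 10.10.10.1\n"
ACL_SHADOWED = "access-list outside deny udp any host 10.10.10.1\n" + ACL_OK

if __name__ == "__main__":
    for label, cfg in (("as suggested", ACL_OK), ("deny placed first", ACL_SHADOWED)):
        verdict = evaluate(parse_acl(cfg), "outside", "udp", "192.0.2.7", 53, "10.10.10.1", 53)
        print(f"{label}: {verdict}")
```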