A browser can't load the image through the PIX

peter_chan
Level 1

My customer got a weird problem:

There is a site which has some computers, and the computers pass through a PIX before they go to the internet.

They find that if they browse the HSBC or Microsoft website through the PIX, they sometimes can't load the images of the website.

However, if they bypass the firewall to go to the internet, everything becomes normal. Is there any setting in the PIX firewall that will cause this problem?


Patrick Iseli
Level 7

The DNS server might be unable to resolve some names?

FIXUP: dns maximum-length length - Specifies the maximum DNS packet length allowed.

Default is 512 bytes.

To disable it use:

no fixup protocol dns maximum-length 512

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

fixup protocol dns

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500

Note The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes. A syslog message will be generated when a DNS packet is dropped.

The no fixup protocol dns command disables the DNS fixup. The clear fixup protocol dns command resets the DNS fixup to its default settings (512 byte maximum packet length).

Note If the DNS fixup is disabled, the A-record is not NATed and the DNS ID is not matched in requests and responses. By disabling the DNS fixup, the maximum length check on UDP DNS packets can be bypassed and packets greater than the maximum length configured will be permitted.

Sincerely,

Patrick
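To make the length check in Patrick's reply concrete, here is an added example (not code from the thread or from Cisco) that builds a constructed DNS query and a constructed response carrying N A records, then applies the same rule the fixup does: UDP/53 payloads longer than the configured maximum are dropped. The EDNS0 OPT record, the 0x1234 transaction ID and the 203.0.113.0/24 addresses are assumptions chosen for the example; the 512-byte default and the 1500-byte setting come from the reference above.

```python
import struct

PIX_DEFAULT_MAX_LEN = 512  # default of 'fixup protocol dns maximum-length' per the thread

def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234, edns_udp_size=None):
    """Constructed A query; optionally append an EDNS0 OPT RR advertising a UDP payload size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)         # QTYPE=A, QCLASS=IN
    opt = b""
    if edns_udp_size:
        # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def build_response(query, n_answers):
    """Constructed answer: echoes the question, then n A records (16 bytes each)
    whose names are compression pointers back to the question name at offset 12."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    qend = query.index(b"\x00", 12) + 5                      # past name, QTYPE, QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, qd, n_answers, 0, 0)  # QR, RD, RA
    rr = lambda i: b"\xc0\x0c" + struct.pack("!HHIH4B", 1, 1, 300, 4, 203, 0, 113, i)
    return header + query[12:qend] + b"".join(rr(i) for i in range(n_answers))

def dns_summary(payload):
    """Header fields worth checking when a reply goes missing: size, TC bit, record counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {"length": len(payload), "txid": txid, "tc": bool(flags & 0x0200),
            "qdcount": qd, "ancount": an, "arcount": ar}

def pix_would_drop(payload, max_len=PIX_DEFAULT_MAX_LEN):
    """Model of the fixup's check: a UDP/53 payload longer than max_len is dropped (and logged)."""
    return len(payload) > max_len

if __name__ == "__main__":
    q = build_query("www.example.com", edns_udp_size=4096)
    for n in (5, 29, 30):
        r = build_response(q, n)
        s = dns_summary(r)
        print(f"{n:2d} A records -> {s['length']} bytes:",
              "DROPPED at 512" if pix_would_drop(r) else "passes at 512",
              "/ passes at 1500" if not pix_would_drop(r, 1500) else "/ DROPPED at 1500")
```

A 30-record reply is 513 bytes and is dropped at the default, which is the silent failure the thread describes; raising maximum-length to 1500 lets it through.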
