01-25-2018 02:07 PM - last edited on 02-21-2020 11:35 PM by cc_security_adm
So I am stuck between a rock and a hard place with this client. They were sold ISE to use for their guest wireless. They were also sold anchor WLCs to use for their guest wireless to make it more secure. The problem I am having is at one site, they need to use DNS rewrite for one NAT statement, which requires DNS inspection to be enabled. The NAT statement is to allow their current and new (when it goes into prod) guest wireless to reach their Citrix server. Well, since they are using ISE, the guest wireless clients need to be able to resolve the hostname of the ISE server in the web redirect. I know you can set ISE to use the IP address, but that will give them cert errors and that's a no-no.
When I test DNS resolution using the internal DNS servers from the guest wireless, it fails with DNS inspection enabled. When DNS inspection is off, it works fine. Is there any sort of workaround for this or is it just not going to work?
TIA,
Dan
01-25-2018 02:21 PM
What is doing the DNS inspection?
01-25-2018 02:28 PM
FTD appliance that is managed by FMC. Running 6.2.2 on both.
01-25-2018 02:33 PM
It almost smells like a bug. I'm not sure of the merit, but I see there is 6.2.2.1.
There is one DNS bug listed as fixed but it doesn't sound related.
01-25-2018 07:11 PM
So you are saying that even with DNS inspection enabled that I should be able to reach internal DNS servers from the DMZ? I was getting this error when testing:
inspect-dns-invalid-pak
Only fix I could find was to disable DNS inspection.
08-11-2020 09:09 AM
I do packet tracers of UDP port 53 (DNS), and on our FTD it will show allow, then randomly it will show being blocked with the same error. Strange! Inspect DNS is enabled, but why does it allow then not allow?
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet, Drop-location: frame 0x000055fba58abf01 flow (NA)/NA
using
Model : Cisco Firepower 4115 Threat Defense (76) Version 6.6.0 (Build 90)
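An added example, not from the thread or from Cisco: a small Python script that tallies repeated packet-tracer results so the intermittent allow/drop pattern described in the post above can be counted rather than eyeballed. The sample output is constructed, modelled on the drop line quoted in that post; the interface names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of several packet-tracer result blocks for UDP/53 through an
# FTD with DNS inspection enabled. The drop line copies the one quoted in the
# thread; the "allow" runs are constructed to reproduce the intermittent pattern.
ALLOW_RUN = "Result:\ninput-interface: guest\noutput-interface: inside\nAction: allow"
DROP_RUN = (
    "Result:\ninput-interface: guest\noutput-interface: inside\nAction: drop\n"
    "Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet, "
    "Drop-location: frame 0x000055fba58abf01 flow (NA)/NA"
)
SAMPLE_RUNS = [ALLOW_RUN, DROP_RUN, ALLOW_RUN, ALLOW_RUN, DROP_RUN]

ACTION_RE = re.compile(r"^Action:\s*(\w+)", re.MULTILINE)
DROP_RE = re.compile(
    r"Drop-reason:\s*\(([^)]+)\)\s*([^,]+),\s*Drop-location:\s*frame\s*(0x[0-9a-fA-F]+)"
)


def parse_run(text):
    """Return (action, drop_reason, drop_location) for one packet-tracer result block.

    Blocks without an Action line yield ("unknown", None, None); allowed packets
    yield (action, None, None) because they carry no Drop-reason line.
    """
    m = ACTION_RE.search(text)
    action = m.group(1) if m else "unknown"
    d = DROP_RE.search(text)
    if d:
        return action, d.group(1), d.group(3)
    return action, None, None


def summarize(runs):
    """Count actions, drop reasons and drop locations across many runs.

    A steady drop reason at a steady frame address across otherwise identical
    runs is the detail worth attaching to a TAC case for an intermittent drop.
    """
    actions, reasons, locations = Counter(), Counter(), Counter()
    for text in runs:
        action, reason, loc = parse_run(text)
        actions[action] += 1
        if reason:
            reasons[reason] += 1
            locations[loc] += 1
    return {
        "actions": dict(actions),
        "drop_reasons": dict(reasons),
        "drop_locations": dict(locations),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RUNS))
```

In practice you would feed it the saved output of repeated `packet-tracer` runs instead of the constructed list.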