cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2664
Views
5
Helpful
3
Replies
deyster94
Contributor

FMC/FTD DNS inspection issues

To all:

 

I am trying to configure FMC/FTD to use my clients internal DNS servers for guest wireless.  The interface for the guest wireless hangs off the FTD appliance and I have the policy built in FMC to allow DNS traffic from the guest wireless network inbound and vice versa.  However, in the one location, they must have DNS inspection for one NAT statement that requires DNS doctoring.  If I disable DNS inspection, they can reach the internal DNS servers.  Otherwise, it fails with the following drop-reason:

 

 (inspect-dns-invalid-pak) DNS Inspect invalid packet

 

I can't figure out how to get around this problem in FTD.  

 

TIA for any ideas,

 

Dan

3 REPLIES 3
nathan40
Beginner

Did you ever figure this out? I am having trouble even disabling inspection of DNS. Did you use the flexconfig to disable inspection?

WeedyNaana2308
Beginner

I am not sure if this still a problem, but have you looked at creating a FlexConfig to not inspect DNS traffic? If this what you are after?

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-advanced.html#concept_53C22C306B57480D99DB905E90D5FDC9

We are looking at doing something similar for Cisco Umbrella as DNS traffic cannot be inspected due to encryption to the Cisco Umbrella Cloud.

 

Did the flexconfig resolve your encrypted DNS traffic to Umbrella issue?

Create
Recognize Your Peers
Content for Community-Ad