Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
289
Views
0
Helpful
2
Replies

Some DNS traffic not traversing PIX...

abatson
Level 1
Level 1

‎10-22-2006 05:37 AM - edited ‎02-21-2020 01:15 AM

Is this a problem with the DNS fixup? I have a new PIX 501 that I have in place on my home network - Its attached to Verizon FiOS via PPPoE. DNS queries from PCs on the network work perfectly, however, the DNS queries initiated by the Verizon CATV Set-Top boxes do not traverse the firewall.

While sniffing inside the PIX, I see the "Standard Query" sent to the proper DNS servers, but no 'Response'. When I sniff outside the PIX, I see *no* Requests nor answers at all. Therefore, the request is not being sent thru the PIX on the way out to the Internet.

Further testing shows that I can put the IP from the Set Top box on my laptop, and I can surf the Internet & DNS queries just fine - this shows that NAT is set up properly.

My Inside and Outside ACLs all say 'permit ip any any', and 'permit icmp any any'.

The ultimate control test - I can take the PIX out of the network, and substitute a simple 3COM SOHO router, and the DNS queries work just fine, and the Set Top box works fine.

What is it about the PIX that would cause some queries to traverse, and other to not traverse? --No permit/deny/errors are logged on syslog when the DNS fails to traverse.

0 Helpful
2 Replies 2

ecouto
Level 1
Level 1

‎10-24-2006 02:32 AM

Did you try to disable the dns fix-up? or increase the DNS packet size (default is 1024) in the fixup?

What version do you have? support "capture"? What logging level did you setup? locally or syslog?

If you give more info maybe I can give you a hand.

Emilio

0 Helpful

abatson
Level 1
Level 1
In response to ecouto

‎10-24-2006 05:42 AM

I fixed the problem myself. Even tho my sniffer was seeing DNS Requests, I was getting no entries under Xlate, or 'conn' on the firewall. I then sniffed the DHCP packet going to the set-top box, and found that it was receiving the wrong default gateway (this is why the PIX, as the gateway, never saw the traffic). Remember that this is a set-top-box, with no interface for me to see what the configured DNS, or GWs are.

Once I corrected that problem, the set-top box reached thru the PIX & got its proper DNS info. It appeared in XLate and conn too.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card