1599 Views | 0 Helpful | 5 Replies

DNS on UDP port 13568

mklimesch (Level 1)

Hello,

I've updated my PIX from PIXOS 6.3(1) to 6.3(3).

After the update, the PIX drops DNS requests on UDP port 13568, but the DNS requests use standard port 53.

Here are the logs . . .

--> Sep 16 09:50:40 interface-outside.xxx.de %PIX-6-109015: Authorization denied (acl=#ACSACL#-PIX-xxxx-3f66c084) for user 'xxxx' from x.x.x.x/3267 to x.x.x.x/13568 on interface xxxx

Can anybody explain this?

Thanks in advance.

5 Replies

jmia (Level 7)

Hi -

Error Message - %PIX-6-109015: Authorization denied (acl=acl_ID) for user 'user' from source_address/source_port to dest_address/dest_port on interface interface_name

Recommended Action: The access list check failed; either it matched a deny, or it matched nothing, such as an implicit deny. Connection denied by user access list acl_ID, which was defined per the AAA authorization policy on CiscoSecure ACS. This message works only with RADIUS protocol.

Hope this helps - Thanks, Jay.
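The field layout quoted in the reply above is regular enough to parse, which is useful when you need to find every per-user ACL denial that does not look like the traffic you expected (here: "DNS" denials where neither port is 53). The following is an added example written for this thread, not code from Cisco or from either poster; the regular expression is derived from the message format quoted above, and the second sample line (RFC 5737 addresses, user 'alice') is constructed for illustration.

```python
import re

# Field layout of %PIX-6-109015 as quoted in the reply above:
# Authorization denied (acl=acl_ID) for user 'user' from src/sport to dst/dport on interface ifname
PIX_109015 = re.compile(
    r"%PIX-(?P<severity>\d)-109015: Authorization denied "
    r"\(acl=(?P<acl>[^)]+)\) for user '(?P<user>[^']*)' "
    r"from (?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)

# Constructed sample syslog lines. The first is the line from the original post
# (addresses and user already redacted by the poster); the second is made up here
# and shows a denial whose destination port really is 53.
SAMPLE_LOGS = [
    "Sep 16 09:50:40 interface-outside.xxx.de %PIX-6-109015: Authorization denied "
    "(acl=#ACSACL#-PIX-xxxx-3f66c084) for user 'xxxx' from x.x.x.x/3267 "
    "to x.x.x.x/13568 on interface xxxx",
    "Sep 16 09:51:02 interface-outside.xxx.de %PIX-6-109015: Authorization denied "
    "(acl=#ACSACL#-PIX-xxxx-3f66c084) for user 'alice' from 192.0.2.25/4021 "
    "to 198.51.100.10/53 on interface outside",
    "Sep 16 09:51:03 interface-outside.xxx.de %PIX-6-302013: Built outbound TCP connection",
]


def parse_109015(line):
    """Return the fields of one %PIX-x-109015 line as a dict, or None if the line
    is some other message. Ports and severity are converted to int."""
    m = PIX_109015.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("severity", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def flag_non_dns_denials(lines, dns_port=53):
    """From a list of syslog lines, return the 109015 denials where neither the
    source nor the destination port is the DNS port. A denial of real DNS traffic
    always has 53 on one side, so anything returned here needs a second look
    (e.g. a NAT/PAT or a non-DNS client on the same host), which is the question
    raised in this thread."""
    flagged = []
    for line in lines:
        rec = parse_109015(line)
        if rec is None:
            continue
        if rec["sport"] != dns_port and rec["dport"] != dns_port:
            flagged.append(rec)
    return flagged


def summarize(records):
    """Count flagged denials per (acl, user, dport) so a long log collapses to a
    few rows that can be checked against the ACS authorization policy."""
    counts = {}
    for rec in records:
        key = (rec["acl"], rec["user"], rec["dport"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (acl, user, dport), n in summarize(flag_non_dns_denials(SAMPLE_LOGS)).items():
        print(f"{n} denial(s) for user {user!r} to port {dport} under ACL {acl}")
```

Run against the three sample lines it reports one suspicious denial (the 13568 one from the post) and ignores both the genuine port-53 denial and the unrelated 302013 message; pointing it at a real syslog file is a `for line in open(...)` away.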

Hi,

Thanks for your answer.

But my question is: why does the PIX drop a DNS request on port 13568, even though the destination port is 53?

If I allow port 13568 on the PIX, the request works, and at my DNS server the destination port that arrives is 53 . . .

Do you understand my problem?

Thanks in advance . . .

That log message makes it look like the packet source and destination addresses are 3267 and 13568. Any DNS packet should have a source or destination address of 53. Are you sure that the logged packet is a DNS packet?

Yes, I am sure that the logged packet is a DNS packet. I couldn't do DNS lookups until I permitted port 13568 to our DNS server . . .

At the DNS server the packet arrives with port 53. The port is translated at the PIX, but why?

Hi -

Can you please provide the config on your PIX (please remember to change passwords / inside IPs).

Thanks -