12-12-2003 02:02 PM - edited 02-20-2020 09:23 PM
The PIX 515 appears to be working, access is allowed where required and blocked where not, but following a change to allow our internal LAN to access the machines on the DMZ, I'm getting pummeled with deny udp messages.
Items with an asterisk were added right before the messages started.
I was hoping someone could point me in the right direction.
Warning messages I am logging:
Deny udp src dmz:dns_content/10733 dst outside:198.41.0.10/53 by access-group "i2d"
Deny udp src dmz:dns_content/34052 dst outside:192.36.148.17/53 by access-group "i2d"
Deny udp src dmz:dns_content/48344 dst outside:193.0.14.129/53 by access-group "i2d"
Deny udp src dmz:dns_content/33441 dst outside:198.41.0.4/53 by access-group "i2d"
This is my PIX 515 running configuration (relevant pieces anyway):
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
fixup protocol http 80
fixup protocol smtp 25
names
name 1.2.3.1 router
name 192.168.0.2 dns1i
name 192.169.0.3 dns2i
name 1.2.3.3 dns2o
name 1.2.3.4 dns1o
access-list o2i permit tcp any host dns1o eq pop3
access-list o2i permit tcp any host dns1o eq 993
access-list o2i permit tcp any host dns1o eq smtp
access-list o2i permit tcp any host dns1o eq imap4
access-list o2i permit tcp any host dns1o eq www
access-list o2i permit udp any host dns1o eq domain
access-list o2i permit udp any host dns2o eq domain
*access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
*access-list i2d permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 1.2.3.1 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip address dmz 192.168.0.254 255.255.255.0
global (outside) 1 interface
*nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
*nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
static (dmz,outside) dns1o dns1i netmask 255.255.255.255 0 0
static (dmz,outside) dns2o dns2i netmask 255.255.255.255 0 0
access-group o2i in interface outside
*access-group i2d in interface dmz
route outside 0.0.0.0 0.0.0.0 router 1
12-15-2003 07:43 AM
Hi,
it seems that DNS (udp/53) traffic is being initiated from the dmz to the outside world. If you don't want to allow this dns traffic, you could create an extra entry in i2d and turn logging off for that rule:
'access-list i2d deny udp any any eq 53 log disable'
This rule (please doublecheck syntax) will still deny dns traffic and will not log the traffic. Is this what you want to happen?
Regards,
Tom
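The deny messages in the first post and the "log disable" entry suggested in the reply both come down to how the PIX evaluates the access-list bound to the dmz interface: first match wins, and anything that matches no entry hits the implicit deny at the end, which is logged. The following Python script is an added illustration, not code from the thread or from Cisco: it parses the posted i2d entries and deny messages into a small first-match ACL model and shows which entry (or the implicit deny) each DNS query hits under the original access-list, under the reply's "deny ... log disable" entry, and under an assumed alternative that permits the DMZ DNS hosts' own outbound queries. The source address 192.168.0.2 is an assumption, since the "dns_content" name in the log lines is not among the posted "name" commands; the name table and 192.169.0.3 are taken from the config exactly as posted.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# "name" commands copied from the posted configuration (192.169.0.3 kept as posted).
NAMES = {"router": "1.2.3.1", "dns1i": "192.168.0.2", "dns2i": "192.169.0.3",
         "dns2o": "1.2.3.3", "dns1o": "1.2.3.4"}
PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "pop3": 110, "imap4": 143}

# PIX 6.3 syslog 106023 format as it appears in the first post.
LOG_RE = re.compile(r'Deny (?P<proto>\w+) src \w+:[\w.]+/\d+ '
                    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>\w+)"')


@dataclass
class Ace:
    """One access-list entry: action, protocol, source/dest networks, optional port, logging flag."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool
    text: str


def _addr_spec(tokens, i):
    """Consume 'any', 'host X' or 'ADDR MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    addr = NAMES.get(tokens[i], tokens[i])
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT] [log [disable]]' line."""
    t = line.lstrip("*").split()          # the asterisks in the post only mark recent additions
    action, proto = t[2], t[3]
    src, i = _addr_spec(t, 4)
    dst, i = _addr_spec(t, i)
    dport, log = None, True
    while i < len(t):
        if t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        elif t[i] == "log" and i + 1 < len(t) and t[i + 1] == "disable":
            log = False                    # 'log disable': matches produce no syslog message
            i += 2
        else:
            i += 1
    return Ace(action, proto, src, dst, dport, log, line.lstrip("*"))


def evaluate(acl, proto, src, dst, dport) -> Tuple[str, bool, str]:
    """First-match evaluation; unmatched traffic hits the logged implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.log, ace.text
    return "deny", True, "implicit deny (end of access-list)"


def classify(log_line: str, acl_lines, assumed_src: str) -> Tuple[str, bool, str]:
    """Replay a posted deny message against a candidate i2d access-list."""
    m = LOG_RE.match(log_line)
    if m is None:
        raise ValueError("not a 106023-style deny message")
    acl = [parse_ace(l) for l in acl_lines]
    return evaluate(acl, m["proto"], assumed_src, m["dst"], int(m["dport"]))


# The i2d entry as posted, the reply's suggestion, and an assumed permit for the DNS hosts' queries.
ORIGINAL_I2D = ["*access-list i2d permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"]
SILENT_DENY_I2D = ORIGINAL_I2D + ["access-list i2d deny udp any any eq 53 log disable"]
PERMIT_RECURSION_I2D = ["access-list i2d permit udp host dns1i any eq domain",   # assumption
                        "access-list i2d permit udp host dns2i any eq domain"] + ORIGINAL_I2D
SAMPLE_LOG = 'Deny udp src dmz:dns_content/10733 dst outside:198.41.0.10/53 by access-group "i2d"'

if __name__ == "__main__":
    for label, acl in (("posted", ORIGINAL_I2D), ("log disable", SILENT_DENY_I2D),
                       ("permit recursion", PERMIT_RECURSION_I2D)):
        action, logged, hit = classify(SAMPLE_LOG, acl, "192.168.0.2")
        print(f"{label:17} -> {action}, logged={logged}, via: {hit}")
```

Once an access-group is applied to the dmz interface, every flow the DMZ hosts originate needs an explicit permit, including the DNS servers' own recursive queries to the root servers seen in the log. The reply's entry silences the messages while still dropping the queries; the assumed permit entries keep the existing dmz-to-inside permit intact while letting only udp/53 from the two DNS hosts out, which is the least-privilege choice if those hosts are meant to resolve external names.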