Explosion of log messages following inside-to-DMZ access-list

waifurchin
Level 1

The PIX 515 appears to be working: access is allowed where required and blocked where not, but following a change to allow our internal LAN to access the machines on the DMZ, I'm getting pummeled with deny udp messages.

Items with an asterisk were added right before the messages started.

I was hoping someone could point me in the right direction.

Warning messages I am logging:

Deny udp src dmz:dns_content/10733 dst outside:198.41.0.10/53 by access-group "i2d"
Deny udp src dmz:dns_content/34052 dst outside:192.36.148.17/53 by access-group "i2d"
Deny udp src dmz:dns_content/48344 dst outside:193.0.14.129/53 by access-group "i2d"
Deny udp src dmz:dns_content/33441 dst outside:198.41.0.4/53 by access-group "i2d"

This is my pix 515 running configuration (relevant pieces anyways):

: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
fixup protocol http 80
fixup protocol smtp 25
names
name 1.2.3.1 router
name 192.168.0.2 dns1i
name 192.169.0.3 dns2i
name 1.2.3.3 dns2o
name 1.2.3.4 dns1o
access-list o2i permit tcp any host dns1o eq pop3
access-list o2i permit tcp any host dns1o eq 993
access-list o2i permit tcp any host dns1o eq smtp
access-list o2i permit tcp any host dns1o eq imap4
access-list o2i permit tcp any host dns1o eq www
access-list o2i permit udp any host dns1o eq domain
access-list o2i permit udp any host dns2o eq domain
*access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
*access-list i2d permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 1.2.3.1 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip address dmz 192.168.0.254 255.255.255.0
global (outside) 1 interface
*nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
*nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
static (dmz,outside) dns1o dns1i netmask 255.255.255.255 0 0
static (dmz,outside) dns2o dns2i netmask 255.255.255.255 0 0
access-group o2i in interface outside
*access-group i2d in interface dmz
route outside 0.0.0.0 0.0.0.0 router 1


tvanginneken
Level 4

Hi,

It seems that DNS (udp/53) traffic is being initiated from the dmz to the outside world. If you don't want to allow this DNS traffic, you could create an extra entry in i2d and turn logging off for that rule:

'access-list i2d deny tcp any any eq 53 log disable'

This rule (please double-check the syntax) will still deny DNS traffic and will not log it. Is this what you want to happen?

Regards,

Tom
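Why the messages started exactly when the asterisked lines went in: before `access-group i2d in interface dmz` existed, traffic from the dmz (security10) to the outside (security0) was permitted by the PIX default for higher-to-lower security flows. Applying any access-list to an interface replaces that default with the list's implicit deny, which is logged as the 106023 "Deny ... by access-group" message. The four destinations in the log are root DNS server addresses, so the DMZ resolver is simply doing ordinary recursive lookups that the new list no longer allows. The script below is an added example, not code from the thread or from Cisco: it parses the posted log lines and runs them through a simplified first-match model of the i2d list, first as posted, then with the reply's extra entry as typed (tcp), then with the same entry written for udp, and finally with an assumed policy that lets the two DMZ name servers resolve outward. The object name "dns_content" does not appear in the quoted `name` entries, so the mapping to 192.168.0.2 is an assumption, as is the "permit DNS outward" policy.

```python
"""Simplified model of PIX 6.3 access-group evaluation: first matching entry
wins, and a list applied to an interface ends with an implicit, logged deny.
Added example for the thread above; not Cisco's code and not the poster's."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed from the four log lines in the post. "dns_content" is not among
# the quoted "name" entries, so it is ASSUMED here to be dns1i (192.168.0.2).
NAMES = {"dns_content": "192.168.0.2", "dns1i": "192.168.0.2", "dns2i": "192.168.0.3"}
LOG_LINES = [
    'Deny udp src dmz:dns_content/10733 dst outside:198.41.0.10/53 by access-group "i2d"',
    'Deny udp src dmz:dns_content/34052 dst outside:192.36.148.17/53 by access-group "i2d"',
    'Deny udp src dmz:dns_content/48344 dst outside:193.0.14.129/53 by access-group "i2d"',
    'Deny udp src dmz:dns_content/33441 dst outside:198.41.0.4/53 by access-group "i2d"',
]
LOG_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) by access-group "(?P<acl>\w+)"'
)


def parse_deny(line):
    """Turn one 'Deny ... by access-group' syslog line into a flow dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["src"] = ip_address(NAMES.get(f["src"], f["src"]))
    f["dst"] = ip_address(NAMES.get(f["dst"], f["dst"]))
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def ace(action, proto, src, dst, dport=None, log=None):
    """One access-list entry. log=None is the PIX default: deny entries log, permit entries do not."""
    return {"action": action, "proto": proto, "src": ip_network(src),
            "dst": ip_network(dst), "dport": dport, "log": log}


def evaluate(acl, flow):
    """Return (action, logged) for a flow: first match wins, implicit logged deny at the end."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != flow["proto"]:
            continue
        if flow["src"] not in e["src"] or flow["dst"] not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != flow["dport"]:
            continue
        logged = e["log"] if e["log"] is not None else e["action"] == "deny"
        return e["action"], logged
    return "deny", True  # implicit deny of an applied access-group, always logged


def summarize(acl, lines):
    """Count (action, logged) outcomes for every parseable deny line."""
    counts = Counter()
    for line in lines:
        flow = parse_deny(line)
        if flow is not None:
            counts[evaluate(acl, flow)] += 1
    return dict(counts)


ANY = "0.0.0.0/0"
# i2d as posted: only dmz -> inside is permitted; everything else hits the implicit deny.
I2D_POSTED = [ace("permit", "ip", "192.168.0.0/24", "192.168.1.0/24")]
# The reply's extra entry as typed (tcp): the logged flows are udp, so it never matches them.
I2D_REPLY_TCP = I2D_POSTED + [ace("deny", "tcp", ANY, ANY, 53, log=False)]
# The same entry written for udp: the lookups are still denied but no longer logged.
I2D_REPLY_UDP = I2D_POSTED + [ace("deny", "udp", ANY, ANY, 53, log=False)]
# ASSUMED alternative policy (not from the post): let only the two DMZ name servers
# send udp/53 outward, placed ahead of the existing entry.
I2D_PERMIT_DNS = [ace("permit", "udp", "192.168.0.2/32", ANY, 53),
                  ace("permit", "udp", "192.168.0.3/32", ANY, 53)] + I2D_POSTED

if __name__ == "__main__":
    for label, acl in [("posted", I2D_POSTED), ("reply, tcp", I2D_REPLY_TCP),
                       ("reply, udp", I2D_REPLY_UDP), ("permit dns", I2D_PERMIT_DNS)]:
        print(f"{label:12s} {summarize(acl, LOG_LINES)}")
```

The model ignores source ports, established-state tracking and the `log` level/interval options, which is enough to show the point: a deny entry only silences the message when its protocol matches the logged flow, and whether the right fix is a silent deny or a narrow permit depends on whether the DMZ resolvers are supposed to reach the Internet at all.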