Original post is here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe7b88
I have configured hairpinning on our DMZ2 interface and it appears to be working for all traffic except DNS requests. When I do a packet-tracer on it I get the following error message:
(inspect-dns-invalid-pak) DNS Inspect invalid packet
I removed DNS inspection from the default inspection maps and policies but I still get the error. Here's the setup:
PIX 515E running 8.02 in failover.
E-mail server on DMZ2 10.0.x.12 NAT to outside address x.y.z.12
DNS server on DMZ2 10.0.x.252 NAT to outside address x.y.z.252
The e-mail server x.12 is pointing to the root domain authority, which replies with the DNS server x.252 as the NS for the domain it's trying to send mail to. So it tries to query the DNS server but fails with the error listed above.
Hairpinning config:
static (DMZ2,DMZ2) x.y.z.12 10.0.x.12 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.252 10.0.x.252 netmask 255.255.255.255
access-list DMZ2_access_in extended permit udp any any eq domain
Thanks for any and all assistance!
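An added configuration sketch (not from the original post, and not a Cisco reference) showing the pieces a troubleshooter would look at for this symptom: the hairpin prerequisite, the DNS inspection policy that PIX/ASA 7.x and 8.x apply by default, and the show/packet-tracer commands that reveal which inspection is still in force and counting drops. Addresses follow the poster's placeholder notation (10.0.x.*, x.y.z.*); the 1025 source port is assumed. Whether the 512-byte default is what drops the query is not established by the post, so the block shows how to check, not a fix.

```cisco
! Added example, not the poster's configuration. Placeholder addresses
! (10.0.x.*, x.y.z.*) follow the notation used in the post.

! Hairpinning prerequisite on PIX/ASA 7.x and 8.x: traffic that enters
! and leaves the same interface must be explicitly allowed.
same-security-traffic permit intra-interface

! Poster's statics and ACL, repeated for context, plus the access-group
! that binds the ACL inbound on DMZ2 (assumed to be present).
static (DMZ2,DMZ2) x.y.z.12 10.0.x.12 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.252 10.0.x.252 netmask 255.255.255.255
access-list DMZ2_access_in extended permit udp any any eq domain
access-group DMZ2_access_in in interface DMZ2

! Default DNS inspection shipped with 7.x/8.x. The 512-byte cap is the
! classic RFC 1035 UDP message size; a response above it is rejected by
! inspect unless the limit is raised or DNS inspection is removed.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! Reproduce the drop along the hairpin path (mail server to the DNS
! server's public address), then confirm which DNS inspection is still
! applied and whether the inspect-dns-invalid-pak counter is climbing.
packet-tracer input DMZ2 udp 10.0.x.12 1025 x.y.z.252 53
show service-policy inspect dns
show running-config policy-map
show asp drop
```

If `show service-policy inspect dns` still lists a policy after the inspection was supposedly removed, the removal landed in a different policy-map than the one the `service-policy` line applies globally or to DMZ2; `show asp drop` confirms whether the packet-tracer result matches what live traffic is hitting.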