Hairpinning DMZ DNS traffic

mismtk2007
Level 1

Original post is here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe7b88

I have configured hairpinning on our DMZ2 interface and it appears to be working for all traffic except DNS requests. When I do a packet-tracer on it I get the following error message:

(inspect-dns-invalid-pak) DNS Inspect invalid packet

I removed DNS inspection from the default inspection maps and policies but I still get the error. Here's the setup:

Pix 515e running 8.02 in failover.

E-mail server on DMZ2 10.0.x.12 NAT to outside address x.y.z.12

DNS server on DMZ2 10.0.x.252 NAT to outside address x.y.z.252

The e-mail server x.12 is pointing to root domain authority which replies with the DNS server x.252 as the NS for the domain it's trying to send mail to. So it tries to query the DNS server but fails with the error listed above.

Hairpinning config:

static (DMZ2,DMZ2) x.y.z.12 10.0.x.12 netmask 255.255.255.255

static (DMZ2,DMZ2) x.y.z.252 10.0.x.252 netmask 255.255.255.255

access-list DMZ2_access_in extended permit udp any any eq domain

Thanks for any and all assistance!
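For readers following this thread, here is an added example (not the poster's running config) that lays out the pieces a PIX/ASA 7.x/8.x hairpin setup needs around the two statics and the ACL quoted above: the `same-security-traffic` line, the `access-group` binding, the default DNS inspection policy, and the `packet-tracer` and `capture` checks that show whether the drop is in inspection or in the hairpin itself. The interface and address values are copied from the post; everything else is assumed.

```cisco
! Hairpinning requires traffic to enter and leave the same interface.
same-security-traffic permit intra-interface

! Hairpin statics from the post: DMZ2 hosts reach each other via their
! outside (x.y.z.n) addresses while staying on DMZ2.
static (DMZ2,DMZ2) x.y.z.12 10.0.x.12 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.252 10.0.x.252 netmask 255.255.255.255

! ACL from the post; it only takes effect once bound to the interface
! (the access-group line is assumed, it is not shown in the post).
access-list DMZ2_access_in extended permit udp any any eq domain
access-group DMZ2_access_in in interface DMZ2

! Default DNS inspection as shipped in 7.x/8.x. "inspect-dns-invalid-pak"
! is raised by this inspector, so confirm whether it is still applied
! under global_policy before looking elsewhere.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! Check 1: trace the mail server's query toward the DNS server's outside
! address as it arrives on DMZ2 (source port 1024 is an arbitrary value).
packet-tracer input DMZ2 udp 10.0.x.12 1024 x.y.z.252 53

! Check 2: confirm real queries and replies against the box, not a
! synthetic trace, and read the firewall's own drop counters.
capture dmzdns interface DMZ2 match udp host 10.0.x.12 host x.y.z.252 eq 53
show capture dmzdns
show asp drop
```

If the drop only appears in packet-tracer while the capture shows queries and replies passing, the inspector, not the hairpin NAT, is what is rejecting the traced packet; if the capture shows queries with no reply, revisit the statics and the ACL binding first.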

1 Reply

mchin345
Level 6

I think the reason may be in the internal DNS server due to misconfiguration; check that one (clear the internal ARP cache on the edge router for DNS work and then try again) and also verify the ACL.
