DNS Inspect invalid packet

Unanswered Question
Apr 8th, 2009

Hi all,

I am configuring an ASA 5510 and I have a proxy server (on the inside interface) that must connect to external DNS servers.

I have created the rules and NATs necessary for it, but I am not able to open any web page; I can only reach web pages through their IP addresses.

When I run the tests, I receive the drop message: Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet, but I do not know why!

Do you know why this is happening?

How can I fix this?

The rules follow below:


access-list inside_access_in extended permit udp host PROXY_INTERNET host x.x.x.x eq domain

static (inside,outside) udp x.x.x.x domain PROXY_INTERNET domain netmask dns

policy-map type inspect dns migrated_dns_map_1
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect dns migrated_dns_map_1
service-policy global_policy global


Ivan Martinon (Cisco Employee), Wed, 04/08/2009 - 06:40

Just a little thought: first, turn on logging on the ASA to review what it is complaining about on this DNS packet. Second, you can also increase the packet size allowed:

policy-map type inspect dns migrated_dns_map_1
 message-length maximum 1025
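To see what the two suggestions above actually test against, here is an added example (written for this page, not code from the thread or from Cisco) that checks a captured UDP DNS payload the way an inspection engine would: once for structural well-formedness (header, question section, resource records, compression pointers) and once against a configurable length limit that plays the role of `message-length maximum`. The thread does not say which rule the ASA applied to the dropped packet, so the checker reports both results separately; the sample messages and the 512/1025 limits are constructed for the demonstration, and the trailing-bytes rule is this checker's own strictness, not a documented ASA rule.

```python
import struct

DNS_HEADER_LEN = 12


class DnsFormatError(ValueError):
    """Raised when a DNS message is structurally malformed."""


def _read_name(msg, off, depth=0):
    """Walk the name starting at msg[off], following RFC 1035 compression
    pointers, and return the offset just past the name in the wire stream."""
    while True:
        if off >= len(msg):
            raise DnsFormatError("name runs past end of message")
        length = msg[off]
        if length == 0:                      # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:            # 11xxxxxx: compression pointer
            if off + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if ptr >= off or depth > 63:     # pointers may only point backwards
                raise DnsFormatError("bad compression pointer")
            _read_name(msg, ptr, depth + 1)  # validate the pointed-to name too
            return off + 2
        if length & 0xC0:                    # 01/10 prefixes are reserved
            raise DnsFormatError("reserved label type")
        off += 1 + length


def _skip_question(msg, off):
    """Validate one question entry (QNAME, QTYPE, QCLASS) and return next offset."""
    off = _read_name(msg, off)
    if off + 4 > len(msg):
        raise DnsFormatError("truncated question")
    return off + 4


def _skip_rr(msg, off):
    """Validate one resource record (NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA)."""
    off = _read_name(msg, off)
    if off + 10 > len(msg):
        raise DnsFormatError("truncated RR header")
    rdlength = struct.unpack_from("!H", msg, off + 8)[0]
    off += 10
    if off + rdlength > len(msg):
        raise DnsFormatError("RDATA past end of message")
    return off + rdlength


def check_dns_message(msg, max_len=512):
    """Check a UDP DNS payload the way an inspection engine would.

    Returns a dict with the payload length, whether it exceeds max_len
    (the equivalent of 'message-length maximum'), and a description of the
    first structural defect found, or None if the message parses cleanly."""
    result = {"length": len(msg), "too_long": len(msg) > max_len, "malformed": None}
    try:
        if len(msg) < DNS_HEADER_LEN:
            raise DnsFormatError("shorter than DNS header")
        qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)  # section counts
        off = DNS_HEADER_LEN
        for _ in range(qd):
            off = _skip_question(msg, off)
        for _ in range(an + ns + ar):
            off = _skip_rr(msg, off)
        if off != len(msg):                  # this checker's own strict rule
            raise DnsFormatError("trailing bytes after last record")
    except DnsFormatError as exc:
        result["malformed"] = str(exc)
    return result


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (helper for samples)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return labels + b"\x00"


# Constructed sample messages (not captured from the thread's network).
QNAME = encode_name("example.com")
QUESTION = QNAME + struct.pack("!HH", 1, 1)                      # A, IN
QUERY = b"\x12\x34\x01\x00" + struct.pack("!4H", 1, 0, 0, 0) + QUESTION
# One A record whose NAME is a pointer (0xC00C) back to the question name.
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
RESPONSE = b"\x12\x34\x81\x80" + struct.pack("!4H", 1, 1, 0, 0) + QUESTION + A_RR
# A well-formed answer with 40 A records: 669 bytes, over a 512-byte limit.
BIG_RESPONSE = b"\x12\x34\x81\x80" + struct.pack("!4H", 1, 40, 0, 0) + QUESTION + A_RR * 40
# A response cut two bytes short, as a broken-on-the-wire example.
TRUNCATED = RESPONSE[:-2]

if __name__ == "__main__":
    for label, pkt in [("query", QUERY), ("response", RESPONSE),
                       ("big", BIG_RESPONSE), ("truncated", TRUNCATED)]:
        print(label, check_dns_message(pkt), check_dns_message(pkt, max_len=1025)["too_long"])
```

Run against a real capture, feed `check_dns_message` the UDP payload of each packet the ASA logged as dropped: a `malformed` reason points at the packet itself, while `too_long` with a clean parse points at the length limit the reply above suggests raising.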

