DNS Inspect invalid packet

Unanswered Question
Apr 8th, 2009

Hi all,

I am configuring an ASA 5510 and I have a proxy server (on the inside interface) that must connect to external DNS servers.

I have created the rules and NATs necessary for it, but I am not able to open any web page; I can only reach web pages by IP address.

When I run the tests, I receive the drop message "Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet", but I do not know why!

Do you know why this is happening?

How can I fix this?

The rules follow below.

acls

access-list inside_access_in extended permit udp host PROXY_INTERNET host x.x.x.x eq domain

nat

static (inside,outside) udp x.x.x.x domain PROXY_INTERNET domain netmask 255.255.255.255 dns

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect dns migrated_dns_map_1
!
service-policy global_policy global

Thanks,

Ivan Martinon Wed, 04/08/2009 - 06:40

Just a little thought: first, turn on logging on the ASA to review what it is complaining about on this DNS packet. Second, you can also increase the packet size allowed:

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1025
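The posted policy-map enforces two different things on UDP/53 traffic: the message has to parse as a well-formed DNS message, and it has to fit within the configured `message-length maximum`. The Python below is an added example for this thread, not Cisco's inspection code and not anything from the original posts; it walks a DNS message per RFC 1035 (header, question, resource records, compression pointers), reports a format error separately from a length-limit violation, and records the UDP payload size an EDNS0 OPT record advertises (RFC 6891), since EDNS0 is how responses come to exceed the classic 512-octet limit. The sample packets, the `build_query` and `build_txt_response` helpers, and the result field names are all constructed for the example.

```python
"""Minimal DNS wire-format check plus a message-length limit.

Constructed example for this thread; not the ASA's inspection engine.
"""
import struct

MAX_DNS_MESSAGE_LENGTH = 512   # the limit in the posted policy-map
OPT_TYPE = 41                  # EDNS0 OPT pseudo-RR (RFC 6891)
TXT_TYPE = 16


def _read_name(msg, offset, depth=0):
    """Return (labels, offset_after_name); raise ValueError on bad encoding."""
    if depth > 16:
        raise ValueError("compression pointer chain too deep")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:
            return labels, offset + 1
        if length & 0xC0 == 0xC0:                   # compression pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:                   # must point to earlier data
                raise ValueError("forward compression pointer")
            rest, _ = _read_name(msg, pointer, depth + 1)
            return labels + rest, offset + 2
        if length > 63:
            raise ValueError("label longer than 63 octets")
        offset += 1
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def inspect_dns(msg, max_len=MAX_DNS_MESSAGE_LENGTH):
    """Classify one UDP DNS payload: format error vs. length-limit violation."""
    result = {"length": len(msg), "valid": False, "exceeds_max": len(msg) > max_len,
              "edns_udp_size": None, "reason": ""}
    try:
        if len(msg) < 12:
            raise ValueError("header shorter than 12 octets")
        _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        offset = 12
        for _ in range(qd):                         # QNAME QTYPE QCLASS
            _, offset = _read_name(msg, offset)
            if offset + 4 > len(msg):
                raise ValueError("truncated question")
            offset += 4
        for _ in range(an + ns + ar):               # NAME TYPE CLASS TTL RDLENGTH RDATA
            _, offset = _read_name(msg, offset)
            if offset + 10 > len(msg):
                raise ValueError("truncated RR header")
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            if offset + rdlen > len(msg):
                raise ValueError("RDATA runs past end of message")
            offset += rdlen
            if rtype == OPT_TYPE:                   # OPT reuses CLASS for the UDP size
                result["edns_udp_size"] = rclass
        if offset != len(msg):
            raise ValueError("%d trailing octets after last record" % (len(msg) - offset))
        result["valid"] = True
        result["reason"] = ("message longer than %d octets" % max_len
                            if result["exceeds_max"] else "ok")
    except ValueError as exc:
        result["reason"] = str(exc)
    return result


def _encode_name(name):
    parts = name.strip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"


def build_query(name, qtype=1, udp_payload_size=None):
    """Constructed query; with udp_payload_size it carries an EDNS0 OPT record."""
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if udp_payload_size else 0)
    msg += _encode_name(name) + struct.pack("!HH", qtype, 1)
    if udp_payload_size:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return msg


def build_txt_response(name, txt_chunks):
    """Constructed response: one TXT RR per chunk, owner name as pointer to offset 12."""
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(txt_chunks), 0, 0)
    msg += _encode_name(name) + struct.pack("!HH", TXT_TYPE, 1)
    for chunk in txt_chunks:
        rdata = bytes([len(chunk)]) + chunk
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, 1, 300, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    samples = {
        "plain A query": build_query("example.com"),
        "EDNS0 query, 4096 advertised": build_query("example.com", udp_payload_size=4096),
        "small TXT response": build_txt_response("example.com", [b"v=spf1 -all"]),
        "large TXT response": build_txt_response("example.com", [b"A" * 200] * 3),
        "truncated response": build_txt_response("example.com", [b"A" * 200])[:100],
    }
    for label, pkt in samples.items():
        print("%-30s %s" % (label, inspect_dns(pkt)))
```

Running it shows the distinction that matters when reading the ASA drop: the 668-octet TXT response parses cleanly and is flagged only for length, while the truncated response fails the format walk regardless of size. Feeding the UDP payload of a dropped packet from a capture into `inspect_dns` tells you which of the two you are dealing with before you decide whether raising `message-length maximum` is the right fix.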
