DNS Inspect invalid packet

leandro.candido (Level 1)

Hi all,

I am configuring an ASA 5510 and I have a proxy server (on the inside interface) that must connect to external DNS servers.

I have created the rules and NATs necessary for it, but I am not able to open any web page; I can only reach web pages through their IP address.

When I run the tests, I receive the drop message: Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet, but I do not know why!

Do you know why this is happening?

How can I fix this?

The rules follow below.

acls

access-list inside_access_in extended permit udp host PROXY_INTERNET host x.x.x.x eq domain

nat

static (inside,outside) udp x.x.x.x domain PROXY_INTERNET domain netmask 255.255.255.255 dns

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect dns migrated_dns_map_1
!
service-policy global_policy global

Thanks,

1 Reply

Ivan Martinon (Level 7)

Just a little thought: first, turn on logging on the ASA to review what it is complaining about on this DNS packet. Second, you can also increase the packet size allowed:

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1025
