I have the following setup (as per the diagram) and when I try to issue an nslookup command for the webserver from the Linux box in VLAN 40 (212.xx.xx.xx/29) I get a response from the outside interface of Ralph rather than the DNS server 3.45 in VLAN 1. The resolv.conf in Linux has the correct nameserver to query, so that's ok, but when I run the packet tracer from the dms interface (connected to VLAN 40) to the inside interface (VLAN 1), although the packet gets through, it is then dropped with the following message:
(inspect-dns-invalid-pak) DNS Inspect invalid packet. Any ideas? Also, it looks like it has something to do with the Service Policy rules; can someone explain what this is?
Maybe you can change the length in the default inspection on the firewall from 512 to something higher.
You could also check the capture command (or a packet sniffer) to see exactly what kind of DNS request is being generated.
This is the description of this error from Cisco:
DNS Inspect invalid packet
This counter will increment when the security appliance detects an invalid DNS packet. For example, a DNS packet with no DNS header, the number of DNS resource records not matching the counter in the header, etc.
System log messages: None.
This can be seen by the 'show asp drop' command (which is also checked by the packet-tracer).
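To make the checks behind this drop reason concrete, here is a small added example (my own code, not Cisco's and not from any poster in this thread) that applies the same kind of sanity checks the description above lists to raw DNS messages: the header must be present, the question and resource-record counts in the header must match what the body actually contains, and the whole message must fit the configured maximum length (512 bytes by default, which is the value the earlier reply suggests raising). The sample packets are constructed inline; the trailing-bytes check is my own stricter choice and is not something the Cisco text states.

```python
"""Toy re-implementation of the sanity checks a DNS-inspection engine applies
before forwarding a message.  Constructed example for illustration; it is not
Cisco code and does not claim to match the ASA's exact parser."""
import struct
from typing import Tuple

HEADER_LEN = 12
DEFAULT_MAX_LEN = 512   # classic UDP DNS limit, the default ceiling the reply refers to


def _read_name(msg: bytes, off: int) -> int:
    """Walk a DNS name (labels or a compression pointer) starting at `off`
    and return the offset just past it.  Raises ValueError on malformed names."""
    labels = 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # compression pointer: 2 bytes, ends the name
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((ln & 0x3F) << 8) | msg[off + 1]
            if target >= off:                    # pointers must point backwards (no loops)
                raise ValueError("forward compression pointer")
            return off + 2
        if ln == 0:                              # root label terminates the name
            return off + 1
        if ln > 63:
            raise ValueError("label longer than 63 bytes")
        off += 1 + ln
        labels += 1
        if labels > 128:
            raise ValueError("too many labels")


def _skip_question(msg: bytes, off: int) -> int:
    off = _read_name(msg, off)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    return off + 4                               # QTYPE + QCLASS


def _skip_rr(msg: bytes, off: int) -> int:
    off = _read_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("truncated resource record header")
    rdlength = struct.unpack_from("!H", msg, off + 8)[0]
    off += 10                                    # TYPE, CLASS, TTL, RDLENGTH
    if off + rdlength > len(msg):
        raise ValueError("RDATA runs past end of message")
    return off + rdlength


def inspect_dns(msg: bytes, max_len: int = DEFAULT_MAX_LEN) -> Tuple[bool, str]:
    """Return (allowed, reason); reason names the first check that failed."""
    if len(msg) > max_len:
        return False, f"message length {len(msg)} exceeds maximum {max_len}"
    if len(msg) < HEADER_LEN:
        return False, "no DNS header"
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)   # QDCOUNT..ARCOUNT
    off = HEADER_LEN
    try:
        for _ in range(qd):
            off = _skip_question(msg, off)
        for _ in range(an + ns + ar):
            off = _skip_rr(msg, off)
    except ValueError as exc:
        return False, f"record count does not match body: {exc}"
    if off != len(msg):                          # stricter than some resolvers (assumption)
        return False, f"{len(msg) - off} trailing bytes after last record"
    return True, "ok"


def _name(s: str) -> bytes:
    """Encode a dotted name as DNS labels (helper for the constructed samples)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


# --- constructed sample messages (not captured traffic) ---
QUESTION = _name("www.example.com") + struct.pack("!HH", 1, 1)             # A, IN
ANSWER_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER_RR
BAD_COUNT = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + QUESTION + ANSWER_RR  # claims 2 answers
HEADERLESS = b"\x12\x34\x81\x80\x00\x01"                                    # only 6 bytes
OVERSIZED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 40, 0, 0) + QUESTION + ANSWER_RR * 40  # 673 bytes, well formed

if __name__ == "__main__":
    for label, pkt in [("query", QUERY), ("response", RESPONSE), ("bad count", BAD_COUNT),
                       ("headerless", HEADERLESS), ("oversized", OVERSIZED)]:
        print(f"{label:>10}: {inspect_dns(pkt)}")
    print(f"oversized with max_len=4096: {inspect_dns(OVERSIZED, max_len=4096)}")
```

The OVERSIZED sample is the case the earlier reply has in mind: the message is structurally valid but longer than 512 bytes, so it is rejected under the default ceiling and accepted once the limit is raised. On the ASA that ceiling is the `message-length maximum` parameter of the DNS inspection policy map referenced by the global service policy, which is what the Service Policy rules in the question are; after changing it, `show asp drop` (and `packet-tracer`) will show whether the inspect-dns-invalid-pak counter stops incrementing.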
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...