Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1799
Views
0
Helpful
1
Replies

DNS Inspect invalid packet in ASA5520

VladKharinenkov
Level 1
Level 1

‎12-24-2007 12:45 AM - edited ‎03-05-2019 08:08 PM

At me a problem with ASA5520.

Clients do not receive answers from NS server.

If I execute a command packet-tracer input inside_240 udp 1.1.1.2 domain 10.0.100.202 54443

I receive

Result:

input-interface: inside_240

input-status: up

input-line-status: up

output-interface: inside_240

output-status: up

output-line-status: up

Action: drop

Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet

If I execute a command packet-tracer input inside_240 tcp 1.1.1.2 domain 10.0.100.202 54443

I receive

Result:

input-interface: inside_240

input-status: up

input-line-status: up

output-interface: inside_240

output-status: up

output-line-status: up

Action: allow

The scheme of a network here: http://noc.awax.ru/asa.jpg

That is wrong in my configuration?

hostname asa

domain-name awax.ru

enable password xxx

names

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 1.x.x.66 255.255.255.252

!

interface GigabitEthernet0/1

nameif inside_193

security-level 0

ip address 2.x.x.1 255.255.255.240

!

interface GigabitEthernet0/2

nameif inside_240

security-level 0

ip address 1.x.x.1 255.255.255.192

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif managment

security-level 100

ip address 10.10.10.7 255.255.255.0

!

passwd xxx

ftp mode passive

same-security-traffic permit intra-interface

same-security-traffic permit inter-interface

access-list faa extended permit ip any any

access-list nonat extended permit ip 1.1.1.0 255.255.255.192 10.0.0.0 255.0.0.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 1.1.1.0 255.255.255.192

pager lines 24

logging enable

logging console debugging

logging buffered debugging

logging debug-trace

mtu outside 1500

mtu inside_193 1500

mtu inside_240 1500

mtu managment 1500

ip local pool h0 10.0.0.0 mask 255.0.0.0

no failover

icmp permit any inside_240

asdm image disk0:/asdm-507.bin

no asdm history enable

arp timeout 14400

global (outside) 100 2.2.2.50

global (outside) 200 1.1.1.50

nat (inside_193) 100 10.100.0.0 255.255.0.0

nat (inside_240) 0 access-list nonat

nat (inside_240) 200 10.0.0.0 255.255.0.0

route inside_240 10.0.0.0 255.0.0.0 1.1.1.11 1

route inside_193 10.100.0.0 255.255.0.0 1.1.1.41 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username mrtg password xxx

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

console timeout 0

!

Cryptochecksum:xxx

: end

1 person had this problem
Labels:
0 Helpful
1 Reply 1

lcorona76
Level 1
Level 1

‎12-20-2010 01:12 PM

Hello I have the same problem, the TCP packages are permiting and the UDP packages are droping. and I think is a problem and the Inspect-map but I don't sure.

Packet-tracer using packages UDP

Result:
input-interface: internal
input-status: up
input-line-status: up
output-interface: internal
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet

Packet-tracer using packages TCP

Result:
input-interface: internal
input-status: up
input-line-status: up
output-interface: internal
output-status: up
output-line-status: up
Action: allow

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card