New Member

6.2 to 6.3 upgrade problem

I am trying to upgrade my 515 to 6.3 but I have an issue that I cannot figure out.

I have 2 internal servers (web & email) that have static mappings to the outside, and both also serve as DNS servers for my inside network. Presently with 6.2 they work perfectly, but when I apply the config to 6.3, they stop being able to do DNS lookups to my upstream DNS servers at the ISP. The syslog shows that it creates a mapping for the lookup and then it destroys it, but I always get a timeout on my lookup. It looks like the request is sent from the NATted address of the DNS server, but my access list doesn't permit DNS replies inward, only https and smtp.

access-list acl-business01 permit tcp host 166.110.3.8 any eq smtp
access-list acl-business01 permit tcp host 166.110.3.8 any eq domain
...
access-list acl-outside01 permit tcp any host 206.47.180.235 eq smtp
access-list acl-outside01 permit tcp any host 206.47.180.235 eq https
...
static (inside,outside) 206.47.180.235 166.110.3.8 netmask 255.255.255.255 0 4096

I have read about this new Policy NAT in 6.3, but can't see how to fix the problem, except to open up the inbound ports on the NAT'd addresses.

Any assistance would be appreciated.

2 REPLIES
New Member

Re: 6.2 to 6.3 upgrade problem

I see you have an outbound tcp 53 for DNS, but do you also have a udp 53 for DNS? TCP 53 is used for zone transfers and large DNS queries.
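The point this reply raises can be checked mechanically against the posted lines. The following Python is an added example, not code from the thread or from Cisco: it parses the outbound `acl-business01` entries exactly as posted, evaluates a DNS query from the inside server over TCP and over UDP with PIX first-match and implicit-deny semantics, and shows the UDP counterpart of the existing `eq domain` line. It assumes only `any` and `host` address specs (subnet masks are not modelled), and the upstream resolver address 203.0.113.53 is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import List, Optional

# Service keywords used in the posted ACL lines, mapped to port numbers.
# PIX accepts these names; this table is a constructed subset for the example.
PORT_NAMES = {"smtp": 25, "domain": 53, "https": 443, "http": 80}


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", ...
    src: str              # "any" or a single host address
    dst: str              # "any" or a single host address
    dport: Optional[int]  # destination port from "eq <port>", or None for any port


def _parse_addr(tokens: List[str], idx: int):
    """Parse 'any' or 'host <addr>'. Subnet/mask specs are not modelled here."""
    if tokens[idx] == "any":
        return "any", idx + 1
    if tokens[idx] == "host":
        return tokens[idx + 1], idx + 2
    raise ValueError(f"unsupported address spec at: {' '.join(tokens[idx:])}")


def parse_acl_line(line: str) -> AclEntry:
    """Parse one 'access-list <name> permit|deny <proto> <src> <dst> [eq <port>]' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, idx = _parse_addr(tokens, 4)
    dst, idx = _parse_addr(tokens, idx)
    dport = None
    if idx < len(tokens) and tokens[idx] == "eq":
        port = tokens[idx + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return AclEntry(name, action, proto, src, dst, dport)


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation; a PIX access-list ends with an implicit deny."""
    for e in acl:
        if (e.proto == proto and _addr_matches(e.src, src)
                and _addr_matches(e.dst, dst)
                and (e.dport is None or e.dport == dport)):
            return e.action
    return "deny"


# The outbound entries exactly as posted for the inside DNS/mail server.
POSTED_OUTBOUND_ACL = """\
access-list acl-business01 permit tcp host 166.110.3.8 any eq smtp
access-list acl-business01 permit tcp host 166.110.3.8 any eq domain
"""


def load_acl(text: str) -> List[AclEntry]:
    return [parse_acl_line(ln) for ln in text.splitlines() if ln.strip()]


def dns_query_verdicts(acl: List[AclEntry], server: str = "166.110.3.8",
                       upstream: str = "203.0.113.53") -> dict:
    """Verdict for a DNS query from the inside server to an upstream resolver,
    over TCP and over UDP. The upstream address is a constructed placeholder."""
    return {
        "tcp/53": evaluate(acl, "tcp", server, upstream, 53),
        "udp/53": evaluate(acl, "udp", server, upstream, 53),
    }


def udp_domain_line(acl_name: str, host: str) -> str:
    """The entry this reply asks about: the UDP counterpart of the posted 'eq domain' line."""
    return f"access-list {acl_name} permit udp host {host} any eq domain"


if __name__ == "__main__":
    acl = load_acl(POSTED_OUTBOUND_ACL)
    print("as posted:  ", dns_query_verdicts(acl))
    fixed = acl + [parse_acl_line(udp_domain_line("acl-business01", "166.110.3.8"))]
    print("with udp/53:", dns_query_verdicts(fixed))
```

Run as posted, the TCP query is permitted and the UDP query falls through to the implicit deny; appending the UDP line flips the second verdict to permit, which is the gap the reply is asking about.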

New Member

Re: 6.2 to 6.3 upgrade problem

The difference between 6.2 and 6.3 is "fixup protocol dns" command. The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes. Try to increase DNS packet length or even switch the DNS fixup off -- just to see if the problem is fixed.

Command format:

[no] fixup protocol dns [maximum-length <512-65535>]
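To see how easily a plain UDP reply crosses the 512-byte default this reply mentions, here is an added Python example (not code from the thread or from Cisco). It builds a minimal non-EDNS DNS response with one A record per address, measures its wire size, and applies the length rule as the reply describes it: payload longer than `maximum-length` means drop. Only the length check is modelled, not anything else the inspection does; the query name `mail.example.com`, the 10.0.x.y answer addresses and the transaction id are constructed sample data.

```python
import struct
from typing import List


def encode_name(name: str) -> bytes:
    """DNS wire-format name: each label prefixed by its length, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, addresses: List[str],
                     txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Plain (non-EDNS) UDP DNS response carrying one A record per address.
    Each answer's owner name is a compression pointer (0xC00C) to the question
    name, which always starts at offset 12, right after the 12-byte header."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # NAME (pointer), TYPE=A, CLASS=IN, TTL, RDLENGTH, then 4 bytes of RDATA
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def fixup_dns_allows(payload: bytes, maximum_length: int = 512) -> bool:
    """Model of the rule the reply describes: 'fixup protocol dns' drops a
    UDP/53 payload longer than the configured maximum-length (default 512)."""
    return len(payload) <= maximum_length


def largest_passing_answer_count(qname: str, maximum_length: int = 512) -> int:
    """How many A records a response for qname can carry before the fixup drops it."""
    n = 0
    while True:
        # constructed RFC 1918 addresses, one per answer record
        addrs = [f"10.0.{i // 256}.{i % 256}" for i in range(1, n + 2)]
        if not fixup_dns_allows(build_a_response(qname, addrs), maximum_length):
            return n
        n += 1


if __name__ == "__main__":
    for count in (29, 30):
        resp = build_a_response("mail.example.com", [f"10.0.0.{i}" for i in range(1, count + 1)])
        verdict = "allowed" if fixup_dns_allows(resp) else "DROPPED"
        print(f"{count} A records -> {len(resp)} bytes -> {verdict} at maximum-length 512")
    for limit in (512, 1024):
        print(f"maximum-length {limit}: up to {largest_passing_answer_count('mail.example.com', limit)} A records pass")
```

With this query name the fixed overhead is 34 bytes and each answer adds 16, so the 30th A record pushes the reply to 514 bytes and it is dropped at the default; raising `maximum-length` to 1024 lets the same response through, which is the experiment the reply suggests before switching the fixup off entirely.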
