Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Deny inbound UDP from x.x.x.x/137 to x.x.x.x/137 after Pix upgrading


I just upgrad my Pix from IOS 6.3(4) to 7.0(6). After that my Cisco VPN client cannot make a DNS resolution. The ASDM syslog message display the following message "Deny inbound UDP from (138) to (138) on interface inside.

I need help please.

See config file attached

Cisco Employee

Re: Deny inbound UDP from x.x.x.x/137 to x.x.x.x/137 after Pix u

Where is your client and where is the DNS server? I'll presume the client is on the inside and the DNS server is on the outside, in which case you haven't allowed that traffic out via your inside_acl access-list. If the server is on the DMZ then your ACL should be OK to allow the DNS requests through.

The syslog you show is not related to the DNS failures, it is just appearing because the PIX is seeing Netbios broadcasts ( from your inside hosts, and the inside ACL is blocking them. You will continue to see these constantly.

The new code may be dropping the DNS packets because of the inspection engine checking. If you do "sho service-policy" you will see how many packets are matching the DNS inspection engine, and more importantly, how many packets are being dropped by it. If this counter is increasing you can remove the "inspect dns" command from the global policy-map (look near the bottom of your config).

New Member

Re: Deny inbound UDP from x.x.x.x/137 to x.x.x.x/137 after Pix u

Thank you.


CreatePlease login to create content