Deny inbound UDP from x.x.x.x/137 to x.x.x.x/137 after Pix upgrading

fmemevegny
Level 1

Hi

I just upgraded my PIX from IOS 6.3(4) to 7.0(6). After that my Cisco VPN client cannot perform DNS resolution. The ASDM syslog displays the following message: "Deny inbound UDP from 10.200.200.1/137 (138) to 10.255.255.255/137 (138) on interface inside."

I need help please.

See config file attached

2 Replies

gfullage
Cisco Employee

Where is your client and where is the DNS server? I'll presume the client is on the inside and the DNS server is on the outside, in which case you haven't allowed that traffic out via your inside_acl access-list. If the server is on the DMZ then your ACL should be OK to allow the DNS requests through.

The syslog you show is not related to the DNS failures, it is just appearing because the PIX is seeing Netbios broadcasts (10.255.255.255/137) from your inside hosts, and the inside ACL is blocking them. You will continue to see these constantly.

The new code may be dropping the DNS packets because of the inspection engine checking. If you do "sho service-policy" you will see how many packets are matching the DNS inspection engine, and more importantly, how many packets are being dropped by it. If this counter is increasing you can remove the "inspect dns" command from the global policy-map (look near the bottom of your config).
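The counter check described above, as an added example that is not part of the original thread: it parses two "show service-policy" snapshots and reports which inspection engine's drop counter is climbing. The snapshot text is constructed in the layout PIX/ASA 7.x prints, and the counter values are made up.

```python
import re
from typing import Dict, Tuple

# Constructed sample output in the layout PIX/ASA 7.x uses for "show service-policy";
# the counter values are invented for illustration, and the exact layout is an assumption.
SNAPSHOT_BEFORE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-message-length 512, packet 1432, drop 217, reset-drop 0
      Inspect: ftp, packet 88, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
"""
SNAPSHOT_AFTER = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-message-length 512, packet 1501, drop 283, reset-drop 0
      Inspect: ftp, packet 91, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
"""

# One "Inspect:" line: engine name, optional engine options, then the three counters.
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<engine>\S+)[^,]*,\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset>\d+)\s*$"
)


def parse_service_policy(text: str) -> Dict[str, Tuple[int, int, int]]:
    """Map each inspection engine to (packets matched, drops, reset-drops)."""
    counters: Dict[str, Tuple[int, int, int]] = {}
    for line in text.splitlines():
        m = INSPECT_RE.match(line)
        if m:
            counters[m["engine"]] = (int(m["packet"]), int(m["drop"]), int(m["reset"]))
    return counters


def increasing_drops(before: str, after: str) -> Dict[str, int]:
    """Engines whose drop counter grew between two snapshots, with the delta."""
    b, a = parse_service_policy(before), parse_service_policy(after)
    return {eng: a[eng][1] - b[eng][1] for eng in a if eng in b and a[eng][1] > b[eng][1]}


if __name__ == "__main__":
    for engine, delta in increasing_drops(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"inspect {engine}: +{delta} drops since last snapshot")
```

If the DNS drops turn out to be caused by replies longer than the default 512-byte limit, raising `maximum-message-length` on the `inspect dns` line keeps the inspection in place instead of removing it.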

Thank you.

Regards
