10-02-2006 07:46 AM - edited 02-21-2020 01:12 AM
Hi
I just upgraded my Pix from IOS 6.3(4) to 7.0(6). After that my Cisco VPN client cannot make a DNS resolution. The ASDM syslog message displays the following message: "Deny inbound UDP from 10.200.200.1/137 (138) to 10.255.255.255/137 (138) on interface inside".
I need help please.
See config file attached
10-02-2006 05:31 PM
Where is your client and where is the DNS server? I'll presume the client is on the inside and the DNS server is on the outside, in which case you haven't allowed that traffic out via your inside_acl access-list. If the server is on the DMZ then your ACL should be OK to allow the DNS requests through.
The syslog you show is not related to the DNS failures, it is just appearing because the PIX is seeing Netbios broadcasts (10.255.255.255/137) from your inside hosts, and the inside ACL is blocking them. You will continue to see these constantly.
The new code may be dropping the DNS packets because of the inspection engine checking. If you do "sho service-policy" you will see how many packets are matching the DNS inspection engine, and more importantly, how many packets are being dropped by it. If this counter is increasing you can remove the "inspect dns" command from the global policy-map (look near the bottom of your config).
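Telling the constant NetBIOS broadcast denies apart from denies that would actually affect DNS, as an added Python example that is not part of this thread: the log lines are constructed to match the message format quoted above, and treating 10.0.0.0/8 as the inside network (so 10.255.255.255 is its broadcast address) is an assumption.

```python
import ipaddress
import re

# Constructed sample deny lines, modelled on the syslog message quoted in the thread.
SAMPLE_LOGS = [
    "Deny inbound UDP from 10.200.200.1/137 to 10.255.255.255/137 on interface inside",
    "Deny inbound UDP from 10.200.200.1/138 to 10.255.255.255/138 on interface inside",
    "Deny inbound UDP from 10.200.200.7/51234 to 192.0.2.53/53 on interface inside",
    "Deny inbound TCP from 10.200.200.9/40001 to 198.51.100.5/443 on interface inside",
]

# Matches "Deny inbound <proto> from <ip>/<port> to <ip>/<port> on interface <name>".
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>UDP|TCP) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)"
)

NETBIOS_PORTS = {137, 138}  # NetBIOS name service / datagram service
DNS_PORT = 53


def parse_deny(line):
    """Return the fields of one deny line as a dict, or None if it does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_directed_broadcast(dst, network):
    """True when dst is the broadcast address of the given network (assumed inside net)."""
    return ipaddress.ip_address(dst) == ipaddress.ip_network(network).broadcast_address


def classify(rec, inside_net="10.0.0.0/8"):
    """NetBIOS to the inside broadcast address is expected noise; port 53 denies matter for DNS."""
    if (rec["proto"] == "UDP" and rec["dport"] in NETBIOS_PORTS
            and is_directed_broadcast(rec["dst"], inside_net)):
        return "netbios-broadcast-noise"
    if rec["dport"] == DNS_PORT:
        return "dns-denied"
    return "other-denied"


def triage(lines, inside_net="10.0.0.0/8"):
    """Count deny lines per category so the DNS-relevant ones stand out from the noise."""
    counts = {"netbios-broadcast-noise": 0, "dns-denied": 0, "other-denied": 0, "unparsed": 0}
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[classify(rec, inside_net)] += 1
    return counts
```

Run against a real syslog export, a non-zero "dns-denied" count points at the ACL or inspection engine, while a large "netbios-broadcast-noise" count is the expected chatter the reply describes.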
10-03-2006 03:28 AM
Thank you.
Regards