I have two internal DNS servers on my LAN that all the hosts use. Both DNS servers use forwarding to Internet DNS servers that resolve Internet requests. I have statics for both of my internal DNS servers. I have an outbound access-list that blocks all DNS queries except for the queries from my Internal DNS servers to the DNS servers on the forwarders list. I see a lot of syslog messages generated by denies from my Internal DNS servers to Internet DNS servers that are not on the forwarders tab. 2 questions:
1. Will an excessive amount of syslog (35 K messages per day vs 10 K messages per day) messaging slow down traffic through the firewall? Or as long as CPU and mem do not increase, it should not be severely affected?
2. I do not have an inbound access-list allowing return DNS answers from Internet DNS servers to my internal DNS servers. But DNS resolution works fine for my LAN hosts. Is this a correct setup? As long as you have a static, you do not need inbound access-lists because the DNS query was initiated from the inside?
1. Should be OK, but you'll need to monitor it. Excessive syslogging can certainly cause the PIX to slow down, so depending on how much real traffic you're pushing through it, in addition to having it generate 35K packets each day, you'll need to keep a close eye on it. CPU and blocks available will be a good resource to tell you how the PIX is performing.
2. The PIX automatically allows return traffic in, so if the DNS traffic originates from the inside and goes out, the reply will automatically be allowed back in; you don't need to specifically allow it with an ACL. This is the same for any traffic in any direction: the reply is always allowed back.
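To quantify the deny volume described in the question and see which resolver and which blocked destinations are producing it, here is an added Python example; it is not code from the original thread. It assumes the standard %PIX-4-106023 "Deny ... by access-group" message layout, and the log lines, resolver addresses, forwarder list and ACL name are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %PIX-4-106023 deny format; the
# addresses, interface names and ACL name are placeholders, not real hosts.
SAMPLE_LOG = """\
%PIX-4-106023: Deny udp src inside:10.0.0.10/53 dst outside:198.51.100.7/53 by access-group "inside_out" [0x0, 0x0]
%PIX-4-106023: Deny udp src inside:10.0.0.10/53 dst outside:198.51.100.7/53 by access-group "inside_out" [0x0, 0x0]
%PIX-4-106023: Deny udp src inside:10.0.0.11/1053 dst outside:203.0.113.25/53 by access-group "inside_out" [0x0, 0x0]
%PIX-4-106023: Deny tcp src inside:10.0.0.11/2048 dst outside:203.0.113.25/53 by access-group "inside_out" [0x0, 0x0]
%PIX-4-106023: Deny udp src inside:10.0.0.99/1024 dst outside:192.0.2.1/53 by access-group "inside_out" [0x0, 0x0]
%PIX-6-302015: Built outbound UDP connection 12 for outside:192.0.2.1/53 (192.0.2.1/53) to inside:10.0.0.10/1029 (198.51.100.200/1029)
"""

# Constructed: the two internal resolvers and the forwarders they may reach.
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}
FORWARDERS = {"192.0.2.1", "192.0.2.2"}

DENY_RE = re.compile(
    r"%(?:PIX|ASA)-4-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def dns_denies(log_text):
    """Return ({(src, dst): count} for port-53 denies from the internal
    resolvers to non-forwarder servers, set of other internal sources
    that tried direct DNS and were denied, which is a separate finding)."""
    counts = Counter()
    other_sources = set()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m.group("dport") != "53":
            continue  # not a 106023 deny, or not DNS
        src, dst = m.group("src"), m.group("dst")
        if src not in INTERNAL_DNS:
            other_sources.add(src)
            continue
        if dst not in FORWARDERS:  # a deny to a forwarder would mean an ACL typo
            counts[(src, dst)] += 1
    return counts, other_sources

if __name__ == "__main__":
    counts, others = dns_denies(SAMPLE_LOG)
    for (src, dst), n in counts.most_common():
        print(f"{src} -> {dst}: {n} denies")
    if others:
        print("non-resolver hosts attempting direct DNS:", sorted(others))
```

The per-destination counts tell you whether a few servers account for most of the 35K messages, which is what you would fix on the resolver side rather than by lowering the logging level on the PIX.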