New Member

DNS for my DMZ

My DNS server is behind my Inside interface. I have a Webserver behind my DMZ interface that uses my internal DNS server. When I allow anything on my DMZ interface (access-list dmz extended permit ip any any) it works fine. But when I allow only port 53 (domain) I get this error in my syslog: "Deny inbound UDP from 192.168.100.2/1428 to 192.168.10.10/53 due to DNS Query".

5 REPLIES
New Member

Re: DNS for my DMZ

If your DNS is MS, reference KB# KB828263.

New Member

Re: DNS for my DMZ

Tried all the fixes and nothing worked. Still gives me same error in syslog.

New Member

Re: DNS for my DMZ

For Cisco PIX firewalls version 6.3(2) and later it is necessary to reconfigure the firewalls with:

fixup protocol dns maximum-length xxxx

replacing "xxxx" with whatever maximum DNS/UDP length one's resolving proxy DNS server software actually uses.

Silver

Re: DNS for my DMZ

Do you have a static set up from your inside to the DMZ and an access-list written for it?

static (inside,DMZ) 192.168.10.10 192.168.10.10

access-list dmz_in extended permit tcp any host 192.168.10.10 eq 53

If this helps, please rate. THX.

New Member

Re: DNS for my DMZ

Just read your DNS problem. Here is the thought: Windows DNS uses both UDP and TCP port 53 for its requests, so your access-list must permit TCP and UDP, depending on whether Windows AD is used or not. If the webserver is in the AD domain, both are needed for Kerberos.

HTH

Bill
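Pulling the replies together, here is the configuration they describe as one added example (it is not from any of the posters). It uses ASA/PIX 7.x syntax, since the question's access-list uses the "extended" keyword; the addresses are the ones quoted in the question, while the interface names, the access-list name "dmz_in", and the 4096-byte limit are assumptions. It covers the identity static and access-list from the "Silver" reply, the UDP plus TCP permits from Bill's reply, and the DNS inspection length limit from the "fixup protocol dns maximum-length" reply.

```cisco
! Added example, not from the thread. Web server 192.168.100.2 on the DMZ,
! DNS server 192.168.10.10 on the inside (addresses from the question).
! Interface names, ACL name and the 4096 limit are assumptions.

! Identity static so the lower-security DMZ can reach the inside DNS server
static (inside,DMZ) 192.168.10.10 192.168.10.10 netmask 255.255.255.255

! Permit DNS over both UDP and TCP, restricted to the web server only
access-list dmz_in extended permit udp host 192.168.100.2 host 192.168.10.10 eq domain
access-list dmz_in extended permit tcp host 192.168.100.2 host 192.168.10.10 eq domain
access-group dmz_in in interface DMZ

! Raise the message length enforced by DNS inspection (default 512 bytes)
! so larger EDNS0 responses from a Windows DNS server are not dropped
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! PIX 6.3 equivalent of the inspection limit:
! fixup protocol dns maximum-length 4096
```

If the web server is in an AD domain, the same two permit lines are needed for TCP 53 anyway, because AD queries that exceed 512 bytes fall back to TCP; the inspection limit only matters for the UDP path. Verify with "show access-list dmz_in" (hit counts on both lines) and "show service-policy inspect dns" after reproducing a query from the web server.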
