02-15-2006 06:17 PM - edited 02-21-2020 12:42 AM
I am getting the following message after a new PIX 501 install. Why would DNS be denied going from a security 100 int to a security 0 int without modifications or adding deny entries?
Error: 710005: UDP request discarded from 192.168.2.15/1144 to inside:192.168.2.2/domain
02-16-2006 02:15 AM
Is the subnet or host allowed out in nat/global?
Could be that DNS guard has seen a DNS return already for that host and has dropped this request? If DNS for that host appears to work and it can browse to the target, it could be that. Bit of a stab in the dark to be honest, because that shouldn't show as an error.
02-16-2006 03:00 AM
Hi K,
Could you give a breakdown of your network topology? The reason is it looks like the source and destination are on the same subnet (assuming you use 24-bit masks), and if so, depending on where these hosts are, it might be a valid error (spoofing in mind). Also, the message states "from 192.168.2.15/1144 to inside:192.168.2.2/domain"; the emphasis on the word "inside" leads me to think that you have a DNS server on the inside with address 192.168.2.2, where the error message is still correct if the packet wants to traverse from any interface with a security level below 100 to the inside.
Hope this helps...
Cheers
JC
02-16-2006 06:28 AM
I finally fixed this issue last night. It was because I was pointing to the PIX as my DNS server. I didn't realize that the PIX didn't really have a DNS function. Now I am having a problem allowing incoming traffic to my servers. The WAN interface is using the IP ADDRESS OUTSIDE DHCP SETROUTE command. I need to figure out the access-list and access-group functionality. Do I need a static command like STATIC (OUTSIDE, INSIDE) INTERFACE ACCESS-LIST INCOMING_ACL? I have the ACLs set up and then tied to an access-group. Any help is appreciated.
03-03-2006 07:23 AM
First, you really need a static IP address from your ISP. If you only have one address to use, you would only want to map the port or ports that server is actually using. If it is only using HTTP port 80, then the below command would work.
static (inside,outside) tcp interface 80 [local_ip] 80 netmask 255.255.255.255
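As an added illustration (not part of the original reply), the port static above only creates the translation; the outside interface still denies inbound traffic until an access-list permits it and an access-group applies that list inbound. The internal server address 192.168.2.10 and the list name INCOMING_ACL are assumed, and the `interface outside` destination keyword in the access-list is assumed to be supported by the PIX software version in use:

```cisco
! Translate TCP/80 on the DHCP-assigned outside address to the web server
! (192.168.2.10 is a placeholder for the real inside host)
static (inside,outside) tcp interface 80 192.168.2.10 80 netmask 255.255.255.255

! Permit only the published port, to the interface address, from anywhere.
! Keep this list minimal: one line per exposed service, no "permit ip any any".
access-list INCOMING_ACL permit tcp any interface outside eq 80

! Apply the list to traffic arriving on the outside interface
access-group INCOMING_ACL in interface outside
```

Verify with `show xlate` and `show access-list INCOMING_ACL` (hit counts should increment when an outside client connects); anything not listed in the ACL remains blocked by the default lower-to-higher security-level deny.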