PIX DNS

keithg
Level 1

I am getting the following message after a new PIX 501 install. Why would DNS be denied going from a security 100 int to a security 0 int without modifications or adding deny entries?

Error: 710005: UDP request discarded from 192.168.2.15/1144 to inside:192.168.2.2/domain

4 Replies

ali-franks
Level 1

Is the subnet or host allowed out in nat/global?

Could be that DNS guard has seen a DNS return already for that host and has dropped this request? If DNS for that host appears to work and it can browse to the target, it could be that. Bit of a stab in the dark to be honest, because that shouldn't show as an error.

jcockburn
Level 1

Hi K,

Could you give a breakdown of your network topology? The reason is it looks like the source and destination are on the same subnet (assuming you use 24 bit masks) and if so, depending on where these hosts are, it might be a valid error (spoofing in mind). Also, the message states "from 192.168.2.15/1144 to inside:192.168.2.2/domain", and the emphasis on the word "inside" leads me to think that you have a DNS server on the inside with address 192.168.2.2, where the error message is still correct if the packet wants to traverse from any interface with security level below 100 to the inside.

Hope this helps...

Cheers

JC

I finally fixed this issue last night. It was because I was pointing to the PIX as my DNS server. I didn't realize that the PIX didn't really have a DNS function. Now I am having a problem allowing incoming traffic to my servers. That WAN interface is using the IP ADDRESS OUTSIDE DHCP SETROUTE command. I need to figure out the access-list and access-group functionality. Do I need a static command like STATIC (OUTSIDE, INSIDE) INTERFACE ACCESS-LIST INCOMING_ACL? I have the ACLs set up and then tied to an access-group. Any help is appreciated.

First you really need a static IP address from your ISP. If you only have one address to use, you would only want to map the port or ports that server is actually using. If it is only using HTTP port 80, then the below command would work.

static (inside,outside) tcp interface 80 [local_ip] 80 netmask 255.255.255.255
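To show how that static line fits together with the access-list and access-group the original poster asked about, here is a minimal PIX 6.3 fragment added as an illustration (it is not from any poster on this thread). It assumes the web server sits at 192.168.2.10 on the inside, reuses the ACL name INCOMING_ACL from the question, and relies on the access-list "interface outside" keyword that PIX OS 6.3 provides for a DHCP-assigned outside address. Note the interface order is (inside,outside), as in the reply above, not (outside,inside) as written in the question.

```cisco
! Translate TCP/80 on the outside interface address (whatever DHCP assigned)
! to the inside web server. 192.168.2.10 is an assumed address; adjust it.
static (inside,outside) tcp interface 80 192.168.2.10 80 netmask 255.255.255.255

! Permit only that one port from the Internet; no other inbound traffic is
! opened, which keeps the exposure to the single service the server runs.
access-list INCOMING_ACL permit tcp any interface outside eq 80

! Bind the ACL inbound on the outside interface. Without this line the ACL
! exists but is never evaluated, and inbound connections are still dropped.
access-group INCOMING_ACL in interface outside

! Verify: the static should appear as a translation, and the ACL hit count
! should increase when an outside client connects to port 80.
show xlate
show access-list INCOMING_ACL
```

If the outside address changes (a new DHCP lease), the "interface" keyword in both lines tracks it automatically, which is why a literal outside IP is avoided here.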
