Could be that DNS guard has seen a DNS return already for that host and has dropped this request? If DNS for that host appears to work and it can browse to the target it could be that. Bit of a stab in the dark to be honest because that shouldn't show as an error
Could you give a breakdown of your network topology. The reason is it looks like the source and destination are on the same subnet (assuming you use 24 bit masks) and if so, depending on where these hosts is it might be a valid error (Spoofing in mind). Also, the message states that "from 192.168.2.15/1144 to inside:192.168.2.2/domain" with the emphasis on the word "inside" leaves me to think that you have a DNS server on the inside with address 192.168.2.2, where the error message is still correct if the packet wants to traverse from any interface with security level below 100 to the inside.
I finally fixed this issue last night. It was because I was pointing to the PIX as my DNS server. I didn't relize that the PIX didn't have a DNS really function. Now I am having a problem allowing incoming traffic to my servers. That WAN interface is using the IP ADDRESS OUTSIDE DHCP SETROUTE COMMAND. I need to figure out the access-list and access-group functionality. Do I need a static command like STATIC (OUTSIDE, INSIDE) INTERFACE ACCESS-LIST INCOMING_ACL? I have the ACL's setup and then tied to a access-group. Any help is appreciated.
First you really need a static ip address from your ISP. If you only have one address to use you would only want to map the port or ports that server is actually using. If it is only using http port 80, then the below command would work.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...