Cisco Support Community
Community Member

PIX DNS

I am getting the following message after a new PIX 501 install. Why would DNS be denied going from a security 100 int to a security 0 int without modifications or adding deny entries?

Error: 710005: UDP request discarded from 192.168.2.15/1144 to inside:192.168.2.2/domain

4 REPLIES
Community Member

Re: PIX DNS

Is the subnet or host allowed out in nat/global?

Could be that DNS guard has seen a DNS return already for that host and has dropped this request? If DNS for that host appears to work and it can browse to the target, it could be that. Bit of a stab in the dark to be honest, because that shouldn't show as an error.

Community Member

Re: PIX DNS

Hi K,

Could you give a breakdown of your network topology? The reason is it looks like the source and destination are on the same subnet (assuming you use 24-bit masks), and if so, depending on where these hosts are, it might be a valid error (spoofing in mind). Also, the message states "from 192.168.2.15/1144 to inside:192.168.2.2/domain"; the emphasis on the word "inside" leads me to think that you have a DNS server on the inside with address 192.168.2.2, where the error message is still correct if the packet wants to traverse from any interface with security level below 100 to the inside.

Hope this helps...

Cheers

JC

Community Member

Re: PIX DNS

I finally fixed this issue last night. It was because I was pointing to the PIX as my DNS server. I didn't realize that the PIX didn't really have a DNS function. Now I am having a problem allowing incoming traffic to my servers. That WAN interface is using the IP ADDRESS OUTSIDE DHCP SETROUTE command. I need to figure out the access-list and access-group functionality. Do I need a static command like STATIC (OUTSIDE, INSIDE) INTERFACE ACCESS-LIST INCOMING_ACL? I have the ACLs set up and then tied to an access-group. Any help is appreciated.
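Added example, not part of the original thread: a small Python parser and classifier for PIX 710005 syslog lines, run over constructed sample lines (the first one is the message from the question; the rest, including the outside address 198.51.100.7, the internal host addresses and the table of services the PIX can answer itself, are assumptions made up for the example). It generalizes the diagnosis reached in this post: 710005 is logged for requests aimed at the PIX's own interface address, so the useful first question is whether the PIX even offers the requested service, and if it does, whether that source is permitted to reach it.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample syslog lines. The first is the message quoted in the question;
# the others are made up to exercise the other branches of classify().
SAMPLE_LOGS = [
    "710005: UDP request discarded from 192.168.2.15/1144 to inside:192.168.2.2/domain",
    "%PIX-3-710005: UDP request discarded from 192.168.2.15/1145 to inside:192.168.2.2/domain",
    "%PIX-3-710005: UDP request discarded from 192.168.2.20/1523 to inside:192.168.2.2/domain",
    "%PIX-3-710005: TCP request discarded from 203.0.113.9/40211 to outside:198.51.100.7/ssh",
    "%PIX-3-710005: UDP request discarded from 192.168.2.33/2001 to inside:192.168.2.50/domain",
    "%PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/80 "
    "(203.0.113.5/80) to inside:192.168.2.15/1201 (198.51.100.7/1025)",
]

# Addresses the PIX itself owns, per interface. The inside address comes from the thread;
# the outside address is an assumption (documentation range) for this example.
FIREWALL_INTERFACE_ADDRESSES = {
    "inside": ip_address("192.168.2.2"),
    "outside": ip_address("198.51.100.7"),
}

# Services a PIX can answer on its own interface address (management, VPN, logging peers).
# DNS is deliberately absent: a PIX is not a DNS server, which is what the error turned out
# to be about. Assumed list for the example; check your own image's feature set.
PIX_LOCAL_SERVICES = {"ssh", "telnet", "https", "isakmp", "snmp", "ntp", "syslog"}

# Message format: %PIX-3-710005: {TCP|UDP} request discarded from src/port to ifc:dst/service
MSG_710005 = re.compile(
    r"(?:%PIX-\d-)?710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\w+) to "
    r"(?P<ifc>\w+):(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<service>\w+)$"
)


def parse_710005(line):
    """Return the fields of a 710005 message as a dict, or None for any other line."""
    m = MSG_710005.search(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["src"] = ip_address(fields["src"])
    fields["dst"] = ip_address(fields["dst"])
    return fields


def classify(fields):
    """Explain, from the defender's side, why the PIX discarded this request."""
    own_addr = FIREWALL_INTERFACE_ADDRESSES.get(fields["ifc"])
    if own_addr is None or fields["dst"] != own_addr:
        # 710005 is about traffic aimed at the PIX itself; anything else deserves a look
        # at the topology (the second reply's point about same-subnet source/destination).
        return "destination is not a known interface address of the firewall: check topology"
    if fields["service"] not in PIX_LOCAL_SERVICES:
        return (f"{fields['src']} is using the firewall as its {fields['service']} server, "
                "but the PIX provides no such service: fix the client's server setting")
    return (f"{fields['src']} asked the firewall for {fields['service']}, which it can serve "
            "but not from this host/interface: review the management access settings")


def summarize(lines):
    """Group 710005 discards by (source, interface, service), most frequent first."""
    counts = Counter()
    diagnoses = {}
    for line in lines:
        f = parse_710005(line)
        if f is None:
            continue
        key = (str(f["src"]), f["ifc"], f["service"])
        counts[key] += 1
        diagnoses.setdefault(key, classify(f))
    return [(key, n, diagnoses[key]) for key, n in counts.most_common()]


if __name__ == "__main__":
    for (src, ifc, service), n, why in summarize(SAMPLE_LOGS):
        print(f"{n:3d}x {src} -> {ifc}/{service}: {why}")
```

Feeding it a day of syslog from the PIX turns a wall of 710005 lines into a short list of hosts whose resolver (or other client) setting points at the firewall, which is exactly the misconfiguration this post describes.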

Community Member

Re: PIX DNS

First you really need a static IP address from your ISP. If you only have one address to use, you would only want to map the port or ports that server is actually using. If it is only using HTTP port 80, then the below command would work.

static (inside,outside) tcp interface 80 [local_ip] 80 netmask 255.255.255.255
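Added example, not from the thread or from Cisco: the static line above placed in the rest of the configuration it needs on a PIX 501 whose outside address comes from DHCP, as asked in the previous post. It assumes a PIX 6.3-era image (where both `static` and `access-list` accept `interface outside` in place of the DHCP-assigned address), the inside address 192.168.2.2 seen in the question, an internal web server at 192.168.2.10 (made up), and the ACL name INCOMING_ACL from the post. Note the interface pair is written (inside,outside), real interface first, as in the reply above, not (outside,inside).

```cisco
! Outside address and default route are learned from the ISP's DHCP server
ip address outside dhcp setroute
ip address inside 192.168.2.2 255.255.255.0

! Inside hosts leave through the outside interface address (PAT)
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface

! Expose only TCP/80 of the outside address, translated to the web server
! (192.168.2.10 is an assumed address for this example)
static (inside,outside) tcp interface 80 192.168.2.10 80 netmask 255.255.255.255

! Too broad: this would map every port of the outside address to the server,
! so anything the server listens on becomes reachable from the Internet.
! static (inside,outside) interface 192.168.2.10 netmask 255.255.255.255

! Permit only HTTP from anywhere to the outside address; everything else stays
! denied by the implicit deny at the end of the list
access-list INCOMING_ACL permit tcp any interface outside eq www

! Apply the list to traffic entering the outside interface
access-group INCOMING_ACL in interface outside
```

The ACL has to be bound with `access-group ... in interface outside` before it takes effect; the static alone only creates the translation, and the access-group alone only filters traffic that has a translation to land on. `show xlate` and `show access-list INCOMING_ACL` (hit counts) are the two commands that confirm each half is doing its job.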
