09-08-2003 09:48 AM - edited 03-09-2019 04:41 AM
I have opened both TCP/UDP port 53 inbound and outbound, but I'm seeing this error in the log:
Deny udp src outside:65.216.72.15/53 dst dmz1:192.x.x.x/1028 by access-group "acl_out"
What am I doing wrong? TIA!
09-08-2003 10:22 AM
Hard to say without seeing your config, but if it says that it is denied by acl_out, then acl_out is most likely bound to the outside interface and it does not permit the udp to the dns server.
Can you post more detail, if possible.
Kind Regards,
Leo
09-08-2003 12:01 PM
Hi -
Looks like you've got an ACL problem. Did you do the command 'clear xlate' and the command 'write memory'? If possible, can you post your PIX config? Remember to exclude sensitive info, like passwords and inside IPs.
Thanks - Jay
09-08-2003 12:38 PM
Here are the commands added for the DNS server. Most of the time DNS resolves fine, but sometimes it times out. Then the deny would show in the log. My guess is that when a DNS query is made, the DNS root (?) that was supposed to answer timed out, so another server answers on behalf of the original root server (a new connection is made).
Deny tcp src outside:216.239.183.2/53 dst dmz1:192.168.2.1/1028 by access-group "acl_out"
Notice the source port and destination port.
static (dmz1,outside) 192.168.2.1 192.168.1.1 netmask 255.255.255.255
--outbound--
access-list acl_dmz1 permit udp host 192.168.1.1 any eq domain
access-list acl_dmz1 permit tcp host 192.168.1.1 any eq domain
--inbound--
access-list acl_out permit udp any host 192.168.2.1 eq domain
access-list acl_out permit tcp any host 192.168.2.1 eq domain
09-08-2003 01:44 PM
Are these the only two lines in acl_out?
(I don't think so)
If the acl_out access-list contains another line (preceding these two lines) that denies the packet, then the packet is dropped, although these lines say it is permitted. ACLs are processed on a first-match basis. So, check your whole acl_out access-list and see if there is a line which denies ip or udp/tcp 53 traffic to 192.168.2.1.
If there is, then rewrite your acl_out in a way that the lines which permit the traffic precede the deny rules; then it works.
This could be causing your problem.
Let us know if it is.
Kind Regards,
Leo
09-08-2003 02:52 PM
If it is coming in tcp/udp port 53, it's not being denied. Like I say, DNS resolves most of the time.
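As an added illustration (not code from the thread), here is a small Python evaluator that walks the posted acl_out entries first-match, the way the PIX does, and reports which field of the logged packet failed each entry. In PIX ACL syntax "eq domain" tests the destination port, so the logged reply (source port 53, destination port 1028) matches neither permit and falls through to the implicit deny; the 203.0.113.9 query tuple is a constructed sample of the traffic the ACL was written for.

```python
import re

# Taken from the thread: the two acl_out lines and the logged deny.
ACL_OUT = [
    "access-list acl_out permit udp any host 192.168.2.1 eq domain",
    "access-list acl_out permit tcp any host 192.168.2.1 eq domain",
]
DENY_LOG = ('Deny tcp src outside:216.239.183.2/53 '
            'dst dmz1:192.168.2.1/1028 by access-group "acl_out"')
# Constructed sample: an inbound query to port 53 in the same 5-tuple format.
QUERY_LOG = "udp src outside:203.0.113.9/40000 dst dmz1:192.168.2.1/53"

PORT_NAMES = {"domain": 53}
ACE_RE = re.compile(r"access-list \S+ (permit|deny) (\S+) (any|host \S+) "
                    r"(any|host \S+)(?: eq (\S+))?")
LOG_RE = re.compile(r"(\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)")

def parse_ace(line):
    """One access-list entry -> dict; 'eq' names the DESTINATION port."""
    action, proto, src, dst, port = ACE_RE.match(line).groups()
    dport = None if port is None else (PORT_NAMES.get(port) or int(port))
    return {"action": action, "proto": proto, "src": src.replace("host ", ""),
            "dst": dst.replace("host ", ""), "dport": dport}

def parse_log(line):
    """'<proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>' -> dict."""
    proto, sip, sport, dip, dport = LOG_RE.search(line).groups()
    return {"proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport)}

def mismatches(ace, pkt):
    """Packet fields that keep this ACE from matching (empty list = match)."""
    bad = []
    if ace["proto"] != pkt["proto"]:
        bad.append("proto")
    if ace["src"] not in ("any", pkt["src"]):
        bad.append("src")
    if ace["dst"] not in ("any", pkt["dst"]):
        bad.append("dst")
    if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
        bad.append("dport")
    return bad

def evaluate(acl_lines, log_line):
    """First-match walk; every PIX ACL ends with an implicit deny."""
    pkt = parse_log(log_line)
    for ace in map(parse_ace, acl_lines):
        if not mismatches(ace, pkt):
            return ace["action"]
    return "deny"

def explain(acl_lines, log_line):
    """Per ACE, which fields of the logged packet failed to match."""
    pkt = parse_log(log_line)
    return [mismatches(parse_ace(a), pkt) for a in acl_lines]
```

Running explain(ACL_OUT, DENY_LOG) shows the tcp entry fails only on the destination port, which is what the "Notice the source port and destination port" remark above points at.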