Is this a problem with the DNS fixup? I have a new PIX 501 that I have in place on my home network. It's attached to Verizon FiOS via PPPoE. DNS queries from PCs on the network work perfectly; however, the DNS queries initiated by the Verizon CATV set-top boxes do not traverse the firewall.
While sniffing inside the PIX, I see the "Standard Query" sent to the proper DNS servers, but no "Response". When I sniff outside the PIX, I see *no* requests or answers at all. Therefore, the request is not being sent through the PIX on the way out to the Internet.
Further testing shows that I can put the IP from the set-top box on my laptop, and I can surf the Internet & DNS queries work just fine. This shows that NAT is set up properly.
My Inside and Outside ACLs all say 'permit ip any any', and 'permit icmp any any'.
The ultimate control test: I can take the PIX out of the network and substitute a simple 3COM SOHO router, and the DNS queries work just fine, and the set-top box works fine.
What is it about the PIX that would cause some queries to traverse, and others not to? No permit/deny errors are logged to syslog when the DNS fails to traverse.
I fixed the problem myself. Even though my sniffer was seeing DNS requests, I was getting no entries under xlate or conn on the firewall. I then sniffed the DHCP packet going to the set-top box and found that it was receiving the wrong default gateway (this is why the PIX, as the gateway, never saw the traffic). Remember that this is a set-top box, with no interface for me to see what the configured DNS or gateways are.
Once I corrected that problem, the set-top box reached through the PIX & got its proper DNS info. It appeared in xlate and conn too.
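The diagnostic step in the answer above (sniffing the DHCP reply to see which default gateway the set-top box is handed), as an added example that is not part of the original post: it parses the options field of a captured DHCP OFFER and checks the router (option 3) and DNS (option 6) values against the firewall's inside address. The addresses used are constructed placeholders, and the expected gateway is an assumption.

```python
"""Parse a captured DHCP OFFER/ACK options field and check whether the
router option points at the firewall's inside address (RFC 2132 layout).
Added example; all addresses below are constructed placeholders."""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that precedes the options


def parse_dhcp_options(options: bytes) -> dict:
    """Return {option_code: raw_value} for a DHCP options field (TLV after the cookie)."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, out = len(MAGIC_COOKIE), {}
    while i < len(options):
        code = options[i]
        if code == 0:            # pad option, single byte, no length
            i += 1
            continue
        if code == 255:          # end option
            break
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def ip_list(raw: bytes) -> list:
    """Decode an option value that holds one or more IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]


def check_gateway(options: bytes, expected_gw: str) -> dict:
    """Summarise the lease and flag whether the offered router is the expected firewall."""
    opts = parse_dhcp_options(options)
    routers = ip_list(opts.get(3, b""))
    return {"msg_type": opts[53][0] if 53 in opts else None,
            "routers": routers,
            "dns": ip_list(opts.get(6, b"")),
            "gateway_ok": expected_gw in routers}


# Constructed sample: an OFFER whose router option is 192.0.2.254 (placeholder),
# not the assumed firewall inside address 192.0.2.1, which reproduces the symptom
# of the firewall never seeing the client's DNS traffic.
SAMPLE_OPTIONS = (MAGIC_COOKIE
    + bytes([53, 1, 2])                                               # DHCPOFFER
    + bytes([54, 4]) + ipaddress.IPv4Address("192.0.2.10").packed     # server id
    + bytes([3, 4]) + ipaddress.IPv4Address("192.0.2.254").packed     # router (wrong)
    + bytes([6, 8]) + ipaddress.IPv4Address("198.51.100.1").packed
                    + ipaddress.IPv4Address("198.51.100.2").packed    # DNS servers
    + bytes([255]))

if __name__ == "__main__":
    print(check_gateway(SAMPLE_OPTIONS, "192.0.2.1"))
```

Feed it the options bytes from a captured OFFER or ACK; `gateway_ok` false with a different router in `routers` is the misconfiguration the answer describes.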