Hairpinning DMZ DNS traffic

Original post is here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe7b88

I have configured hairpinning on our DMZ2 interface and it appears to be working for all traffic except DNS requests. When I do a packet-tracer on it I get the following error message:

(inspect-dns-invalid-pak) DNS Inspect invalid packet

I removed DNS inspection from the default inspection maps and policies but I still get the error. Here's the setup:

PIX 515E running 8.02 in failover.

E-mail server on DMZ2 10.0.x.12 NAT to outside address x.y.z.12

DNS server on DMZ2 10.0.x.252 NAT to outside address x.y.z.252

The e-mail server x.12 is pointing to root domain authority which replies with the DNS server x.252 as the NS for the domain it's trying to send mail to. So it tries to query the DNS server but fails with the error listed above.

Hairpinning config:

static (DMZ2,DMZ2) x.y.z.12 10.0.x.12 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.252 10.0.x.252 netmask 255.255.255.255
access-list DMZ2_access_in extended permit udp any any eq domain

Thanks for any and all assistance!
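To make the checks behind this post concrete, the following Python script is an added example (it is not code from the original post or from Cisco). It parses a small, constructed PIX 8.0-style configuration and, for the flow the poster describes (mail server to the public address of the DNS server, entering and leaving DMZ2), reports whether intra-interface traffic is permitted, whether a static (DMZ2,DMZ2) translates the public destination back to a DMZ2 host, whether the inbound interface ACL permits the flow, and whether inspect dns still applies to it through a service-policy. The same-security-traffic line, the access-group binding, the policy-map and service-policy entries, and the 10.0.5.0/24 and 203.0.113.0/24 addresses are assumptions standing in for the masked parts of the post.

```python
import ipaddress
import re

# Constructed PIX 8.0-style configuration for the hairpin scenario in the post.
# The two static (DMZ2,DMZ2) lines and the DMZ2_access_in entry follow the post;
# the same-security-traffic line, access-group binding, DNS policy-map and the
# global service-policy are ASSUMED additions so the checker has every element
# to look at. The post's masked "x" octets are replaced with 10.0.5.x / 203.0.113.x.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
static (DMZ2,DMZ2) 203.0.113.12 10.0.5.12 netmask 255.255.255.255
static (DMZ2,DMZ2) 203.0.113.252 10.0.5.252 netmask 255.255.255.255
access-list DMZ2_access_in extended permit udp any any eq domain
access-group DMZ2_access_in in interface DMZ2
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25}


def _parse_addr(tokens):
    """Consume one ACE address spec: any | host A | A MASK."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def _parse_ace(tokens):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (source-port operators not handled)."""
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport = None
    if len(rest) >= 2 and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_config(text):
    """Pull out only the pieces a hairpinned flow depends on."""
    cfg = {"intra": False, "statics": [], "acls": {}, "access_groups": {},
           "policy_maps": {}, "service_policies": {}}
    cur_pm = None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        if line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif parts[0] == "static":
            # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK
            m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
            if m:
                cfg["statics"].append(m.groups())
        elif parts[0] == "access-list":
            body = parts[3:] if parts[2] == "extended" else parts[2:]
            cfg["acls"].setdefault(parts[1], []).append(_parse_ace(body))
        elif parts[0] == "access-group":  # access-group NAME in interface IFC
            cfg["access_groups"][(parts[4], parts[2])] = parts[1]
        elif parts[0] == "policy-map":
            # 'policy-map type inspect ...' holds parameters, not inspect lines
            cur_pm = None if parts[1] == "type" else parts[1]
            if cur_pm:
                cfg["policy_maps"][cur_pm] = []
        elif parts[0] == "inspect" and cur_pm:
            cfg["policy_maps"][cur_pm].append(parts[1])
        elif parts[0] == "service-policy":  # service-policy NAME global | interface IFC
            target = "global" if parts[2] == "global" else parts[3]
            cfg["service_policies"][target] = parts[1]
    return cfg


def check_flow(cfg, iface, proto, src, dst, dport):
    """Report what the config does with a flow that enters iface and leaves it again."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    res = {"intra_interface": cfg["intra"], "translated_dst": None,
           "acl_permits": None, "dns_inspected": False, "findings": []}
    if not cfg["intra"]:
        res["findings"].append("same-security-traffic permit intra-interface is missing")
    for real_if, mapped_if, mapped_ip, real_ip, _mask in cfg["statics"]:
        if real_if == iface and mapped_if == iface and mapped_ip == dst:
            res["translated_dst"] = real_ip
    if res["translated_dst"] is None:
        res["findings"].append(f"no static ({iface},{iface}) maps {dst} to a {iface} host")
    acl = cfg["access_groups"].get((iface, "in"))
    if acl:
        # Pre-8.3 code matches the inbound ACL on the destination as it arrives,
        # i.e. the mapped (public) address, so dst is compared untranslated here.
        for ace in cfg["acls"].get(acl, []):
            if (ace["proto"] in (proto, "ip") and src_ip in ace["src"]
                    and dst_ip in ace["dst"] and ace["dport"] in (None, dport)):
                res["acl_permits"] = ace["action"] == "permit"
                break
        else:
            res["acl_permits"] = False  # implicit deny at the end of the ACL
        if not res["acl_permits"]:
            res["findings"].append(f"{acl} does not permit {proto}/{dport} from {src} to {dst}")
    if proto == "udp" and dport == 53:
        for target in ("global", iface):
            pm = cfg["service_policies"].get(target)
            if pm and "dns" in cfg["policy_maps"].get(pm, []):
                res["dns_inspected"] = True
                res["findings"].append(f"inspect dns still applies via policy-map {pm}")
    return res


def demo():
    """The post's failing flow: mail server -> public address of the DMZ2 DNS server."""
    return check_flow(parse_config(SAMPLE_CONFIG), "DMZ2", "udp",
                      "10.0.5.12", "203.0.113.252", 53)


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```

The last finding is the one to look at when the drop reason is inspect-dns-invalid-pak: check every policy-map that a service-policy applies globally or on the interface, not only the DNS inspection map itself. Also bear in mind that a packet-tracer-generated UDP/53 packet carries no DNS payload for the inspection engine to validate, so it can be reported as an invalid DNS packet even when real queries would pass; confirm with a real query plus `show service-policy inspect dns` and `show asp drop` before concluding that the hairpin itself is broken.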


Re: Hairpinning DMZ DNS traffic

I think the reason may be in the internal DNS server due to a misconfiguration; check that one (clear the internal ARP cache on the edge router for DNS to work and then try again) and also verify the ACL.
