Solved

Pix 515 - multiple dns udp connections

Posted on 2004-09-21
Last Modified: 2010-04-09
I have recently installed a PIX 515, running 6.3 os. We have been having problems with the memory filling up and having to reboot the pix. I have narrowed it down to too many connections (show connection count = 45,000ish). When I looked at the details, most of the connections are from root (or DNS) servers on the outside, to the private inside DNS server (running on a Netware box). This netware box only has a private IP - it is not natted through.

Now, I just added 2 forwarders on this inside Netware DNS server for 2 DNS servers on our ISPs network. But now I am sometimes seeing our ISP DNS server having multiple open UDP connections to this inside DNS server.

Example:
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -

I know DNS Guard is enabled by default, but it doesn't seem to be working.

1) Will these UDP connections eventually time out? I know that UDP is 2 minutes by default, but I read that DNS (port 53) doesn't necessarily follow this timeout.

2) What might be causing this?

This is a small, flat network with, maybe 200 users (no vlans).

Internet > Router > Pix > LAN

Also, the Pix is currently set up with both E0 and E1 ports going into a switch (as opposed to E0 into router, E1 into switch). This is due to a few workstations on the LAN that must have public IP addresses and cannot be natted. (any design suggestions are welcome).

Thank you very much.
Question by:pinger
3 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 12117873
If you have any way to do it, strongly suggest you enable 2 vlans on your switch. One for public ips and one for private ips. The way you have it now is causing your problems with the pix head seeing its tail on the same interface...I'm surprised it works at all.
Else get yourself another switch for the outside PIX interface and the clients that can't be natted.
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12120715
I agree... sounds like your memory is filling up because of that possible loop.
 
LVL 6

Accepted Solution

by:fullerms (earned 100 total points)
ID: 12121196
Connect your PIX E0 interface directly to the router. From your public IP range, create a smaller segment according to your requirements. (for example if you have a /24 segment, create a /28 segment out of this and configure a route inside statement for this segment on your pix)

Create a separate vlan for the PCs which need public IPs. If your LAN has a layer 3 switch, create a vlan interface for the public segment and use that as the gateway. If you don't have a layer 3 switch, create a 802.1Q VLAN trunk on the PIX (up to eight VLANs can be created) and the switch, and assign the gateway IP to the PIX.

Do a static (inside,outside) or an acl nonat using the same IP for the hosts which need a public IP. This way, your public IP requirements are met without compromising on security.
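As an added illustration of the accepted answer (constructed here, not configuration from fullerms or from the original thread), a PIX 6.3 fragment for the no-layer-3-switch variant: E0 goes straight to the router, E1 becomes an 802.1Q trunk with the public hosts on VLAN 10, and the public hosts keep their addresses via an identity static or a nonat ACL. All addresses are placeholders: 203.0.113.0/24 is assumed to be the public range, with 203.0.113.0/28 used for the router-to-PIX link and 203.0.113.16/28 carved out for the public-IP hosts (the router is assumed to have a route for that /28 pointing at the PIX outside address), and 192.168.1.0/24 is the private LAN.

```text
! Added example, not from the original thread. Assumed (placeholder) addressing:
!   router-PIX link  203.0.113.0/28  (router .1, PIX outside .2)
!   public hosts     203.0.113.16/28 (PIX .17 as gateway, host .18 shown)
!   private LAN      192.168.1.0/24  (PIX inside .1)
! Check each command against the PIX 6.3 command reference before use.
!
! E0 now connects only to the router; the switch no longer sees both PIX interfaces
interface ethernet0 100full
interface ethernet1 100full
! E1 is an 802.1Q trunk: VLAN 1 stays the private LAN, VLAN 10 is the public segment
interface ethernet1 vlan1 physical
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 pubvlan security50
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
! The PIX itself is the default gateway for the public-IP hosts
ip address pubvlan 203.0.113.17 255.255.255.240
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Private LAN keeps being PATed behind the outside address
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Public-IP hosts must not be translated. Use ONE of the two options below.
! Option A: identity static, one line per public host
static (pubvlan,outside) 203.0.113.18 203.0.113.18 netmask 255.255.255.255
! Option B: exempt the whole public segment from NAT with an ACL
! access-list nonat permit ip 203.0.113.16 255.255.255.240 any
! nat (pubvlan) 0 access-list nonat
!
! Traffic from outside to the public hosts is still filtered by the outside ACL,
! which is what keeps the public segment behind the firewall rather than beside it
access-list outside_in permit tcp any host 203.0.113.18 eq www
access-group outside_in in interface outside
!
! Layer-3-switch variant instead (switch SVI is the public hosts' gateway, assumed at
! 192.168.1.2): drop the vlan10/pubvlan lines, point the PIX at the switch with
!   route inside 203.0.113.16 255.255.255.240 192.168.1.2 1
! and write the static / nonat lines against (inside,outside) rather than pubvlan.
```

With the PIX interfaces on separate segments, `show conn` should no longer fill with sessions that the firewall is effectively seeing from both sides of the same switch.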
