Pix 515 - multiple dns udp connections

I have recently installed a PIX 515 running the 6.3 OS. We have been having problems with the memory filling up and having to reboot the PIX. I have narrowed it down to too many connections (show connection count = 45,000ish). When I looked at the details, most of the connections are from root (or DNS) servers on the outside to the private inside DNS server (running on a NetWare box). This NetWare box only has a private IP; it is not natted through.

Now, I just added 2 forwarders on this inside NetWare DNS server for 2 DNS servers on our ISP's network. But now I am sometimes seeing our ISP DNS server having multiple open UDP connections to this inside DNS server.

Example:
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -

I know DNS Guard is enabled by default, but it doesn't seem to be working.

1) Will these UDP connections eventually time out? I know that UDP is 2 minutes by default, but I read that DNS (port 53) doesn't necessarily follow this timeout.

2) What might be causing this?

This is a small, flat network with, maybe 200 users (no vlans).

Internet > Router > Pix > LAN

Also, the PIX is currently set up with both E0 and E1 ports going into a switch (as opposed to E0 into the router and E1 into the switch). This is due to a few workstations on the LAN that must have public IP addresses and cannot be natted. (Any design suggestions are welcome.)

Thank you very much.
Asked by pinger
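To triage a connection table of that size, here is an added example (not from the thread or from Cisco) that parses show conn lines in the format quoted above and tallies exact 5-tuple repeats, outside peers and flag strings; the sample lines are constructed, the second and third outside addresses are placeholders, and flag letters are counted as printed rather than interpreted.

```python
import re
from collections import Counter

# Parses one PIX 6.3 "show conn" line of the form quoted in the question.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)\s+"
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+)\s+"
    r"flags\s+(?P<flags>\S+)\s*$"
)

# Constructed sample, not real output: repeated UDP 53/53 entries like the
# question's, a second outside peer, and a trailer line that must be skipped.
SAMPLE = """\
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:198.51.100.7/53 inside:192.168.1.10/53 flags -
UDP outside:198.51.100.7/41000 inside:192.168.1.10/53 flags -
TCP outside:203.0.113.5/3389 inside:192.168.1.20/80 flags UIO
Connection count (total) = 7
"""

def parse_conn(line):
    """Fields of one conn line as a dict, or None for any other line."""
    m = CONN_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count exact 5-tuples, outside peers and flag strings; skip other lines."""
    per_tuple, per_peer, per_flags, skipped = Counter(), Counter(), Counter(), 0
    for line in lines:
        c = parse_conn(line)
        if c is None:
            skipped += 1
            continue
        per_tuple[(c["proto"], c["out_ip"], c["out_port"], c["in_ip"], c["in_port"])] += 1
        per_peer[c["out_ip"]] += 1
        per_flags[c["flags"]] += 1
    return per_tuple, per_peer, per_flags, skipped

def duplicate_tuples(lines, min_count=2):
    """5-tuples listed more than once: one UDP 53->53 flow should hold one entry,
    so repeats are the symptom to chase rather than the peer count alone."""
    per_tuple = summarize(lines)[0]
    return [(t, n) for t, n in per_tuple.most_common() if n >= min_count]

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines())[1].most_common(3), duplicate_tuples(SAMPLE.splitlines()))
```

Feed it the saved output of show conn instead of SAMPLE to see which outside peers and which repeated tuples account for the 45,000 entries.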
fullerms commented:
Connect your PIX E0 interface directly to the router. From your public IP range, create a smaller segment according to your requirements (for example, if you have a /24 segment, create a /28 segment out of it and configure a route inside statement for this segment on your PIX).

Create a separate VLAN for the PCs which need public IPs. If your LAN has a layer 3 switch, create a VLAN interface for the public segment and use that as the gateway. If you don't have a layer 3 switch, create an 802.1Q VLAN trunk on the PIX (up to eight VLANs can be created) and the switch, and assign the gateway IP to the PIX.

Do a static (inside,outside) or an ACL nonat using the same IP for the hosts which need a public IP. This way, your public IP requirements are met without compromising on security.
 
lrmoore commented:
If you have any way to do it, I strongly suggest you enable 2 VLANs on your switch: one for public IPs and one for private IPs. The way you have it now is causing your problems, with the PIX head seeing its tail on the same interface... I'm surprised it works at all.
Else get yourself another switch for the outside PIX interface and the clients that can't be natted.
 
LimeSMJ commented:
I agree... sounds like your memory is filling up because of that possible loop.