Solved

Pix 515 - multiple dns udp connections

Posted on 2004-09-21
562 Views
Last Modified: 2010-04-09
I have recently installed a PIX 515, running 6.3 os. We have been having problems with the memory filling up and having to reboot the pix. I have narrowed it down to too many connections (show connection count = 45,000ish). When I looked at the details, most of the connections are from root (or DNS) servers on the outside, to the private inside DNS server (running on a Netware box). This netware box only has a private IP - it is not natted through.

Now, I just added 2 forwarders on this inside Netware DNS server for 2 DNS servers on our ISPs network. But now I am sometimes seeing our ISP DNS server having multiple open UDP connections to this inside DNS server.

Example:
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -

I know DNS Guard is enabled by default, but it doesn't seem to be working.

1) Will these UDP connections eventually time out? I know that UDP is 2 minutes by default, but I read that DNS (port 53) doesn't necessarily follow this timeout.

2) What might be causing this?

This is a small, flat network with, maybe 200 users (no vlans).

Internet > Router > Pix > LAN

Also, the Pix is currently set up with both E0 and E1 ports going into a switch (as opposed to E0 into router, E1 into switch). This is due to a few workstations on the LAN that must have public IP addresses and cannot be natted. (Any design suggestions are welcome.)

Thank you very much.
Question by:pinger
3 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 12117873
If you have any way to do it, I strongly suggest you enable 2 vlans on your switch. One for public ips and one for private ips. The way you have it now is causing your problems with the pix head seeing its tail on the same interface... I'm surprised it works at all.
Else get yourself another switch for the outside PIX interface and the clients that can't be natt'd.
LVL 7

Expert Comment

by:LimeSMJ
ID: 12120715
I agree... sounds like your memory is filling up because of that possible loop.
LVL 6

Accepted Solution

by:fullerms (earned 300 total points)
ID: 12121196
Connect your PIX E0 interface directly to the router. From your public IP range, create a smaller segment according to your requirements. (For example, if you have a /24 segment, create a /28 segment out of this and configure a route inside statement for this segment on your pix.)

Create a separate vlan for the PCs which need public IPs. If your LAN has a layer 3 switch, create a vlan interface for the public segment and use that as the gateway. If you don't have a layer 3 switch, create an 802.1Q VLAN trunk on the PIX (up to eight VLANs can be created) and the switch, and assign the gateway IP to the PIX.

Do a static (inside,outside) or an acl nonat using the same IP for the hosts which need a public IP. This way, your public IP requirements are met without compromising on security.
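The layout fullerms describes, written out as a PIX 6.3 configuration fragment. This is an added illustration, not the answerer's or the asker's config: the addresses (198.51.100.0/30 for the router-to-PIX link, 203.0.113.16/28 as the carved-out public segment, 203.0.113.18 as one public host), VLAN 10 and the permitted port 80 are all constructed, and the `!` comment lines are explanatory.

```cisco
! E0 now goes straight to the router; E1 is an 802.1Q trunk to the switch
interface ethernet0 auto
interface ethernet1 auto
! VLAN 1 (untagged) carries the private LAN, VLAN 10 (tagged) the public hosts
interface ethernet1 vlan1 physical
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 public security50

! Link to the router uses its own small subnet (constructed), so the
! public /28 does not overlap the outside interface's network
ip address outside 198.51.100.2 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
! The PIX itself is the gateway of the public /28 on the VLAN interface
ip address public 203.0.113.17 255.255.255.240
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! Private LAN users are PATed to the outside address as before
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Public host keeps its own address: identity static, one line per host
static (public,outside) 203.0.113.18 203.0.113.18 netmask 255.255.255.255 0 0
! Alternative for the whole /28 instead of per-host statics:
! access-list nonat permit ip 203.0.113.16 255.255.255.240 any
! nat (public) 0 access-list nonat

! Inbound traffic to the public host still has to be permitted explicitly
! (security0 to security50); only the service you run is opened
access-list outside_in permit tcp any host 203.0.113.18 eq www
access-group outside_in in interface outside

! Default UDP idle timeout (the 2 minutes mentioned in the question), left explicit
timeout udp 0:02:00
```

The private DNS server at 192.168.1.10 stays behind `nat (inside) 1`, so nothing on the outside can open a connection to it directly; only replies to its own forwarder queries are let back in.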