Pix 515 - multiple dns udp connections

Posted on 2004-09-21
Last Modified: 2010-04-09
I have recently installed a PIX 515, running OS 6.3. We have been having problems with the memory filling up and having to reboot the PIX. I have narrowed it down to too many connections (show conn count = 45,000ish). When I looked at the details, most of the connections are from root (or DNS) servers on the outside to the private inside DNS server (running on a NetWare box). This NetWare box only has a private IP; it is not NATted through.

Now, I just added 2 forwarders on this inside NetWare DNS server for 2 DNS servers on our ISP's network. But now I am sometimes seeing our ISP DNS server having multiple open UDP connections to this inside DNS server.

Example:
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -

I know DNS Guard is enabled by default, but it doesn't seem to be working.

1) Will these UDP connections eventually time out? I know that UDP is 2 minutes by default, but I read that DNS (port 53) doesn't necessarily follow this timeout.

2) What might be causing this?

This is a small, flat network with maybe 200 users (no VLANs).

Internet > Router > Pix > LAN

Also, the PIX is currently set up with both the E0 and E1 ports going into a switch (as opposed to E0 into the router, E1 into the switch). This is due to a few workstations on the LAN that must have public IP addresses and cannot be NATted. (Any design suggestions are welcome.)

Thank you very much.
Question by: pinger

Expert Comment by: lrmoore (LVL 79)

If you have any way to do it, I strongly suggest you enable 2 VLANs on your switch: one for public IPs and one for private IPs. The way you have it now is causing your problems, with the PIX head seeing its tail on the same interface... I'm surprised it works at all.
Else get yourself another switch for the outside PIX interface and the clients that can't be NATted.
Expert Comment by: LimeSMJ (LVL 7)

I agree... sounds like your memory is filling up because of that possible loop.
Accepted Solution by: fullerms (LVL 6), earned 100 total points

Connect your PIX E0 interface directly to the router. From your public IP range, create a smaller segment according to your requirements. (For example, if you have a /24 segment, create a /28 segment out of this and configure a route inside statement for this segment on your PIX.)

Create a separate VLAN for the PCs which need public IPs. If your LAN has a layer 3 switch, create a VLAN interface for the public segment and use that as the gateway. If you don't have a layer 3 switch, create an 802.1Q VLAN trunk on the PIX (up to eight VLANs can be created) and the switch, and assign the gateway IP to the PIX.

Do a static (inside,outside) or a nat 0 ACL (nonat) using the same IP for the hosts which need a public IP. This way, your public IP requirements are met without compromising on security.
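As an added illustration (not from the thread, and not a configuration posted by any of the participants), here is what fullerms's layout could look like in PIX 6.3 configuration. All addresses are placeholders (203.0.113.0/24 stands in for the ISP-assigned block, 203.0.113.16/28 for the /28 carved out of it, 192.168.1.0/24 is the inside LAN from the question), and the VLAN number, interface names and the switch-side trunk (802.1Q, native VLAN 1, VLAN 20 tagged) are assumptions.

```text
: Added example, not from the thread. Lines starting with ":" are comments.
: E0 now goes straight to the ISP router instead of into the LAN switch.
interface ethernet0 auto
nameif ethernet0 outside security0
ip address outside 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: E1 becomes an 802.1Q trunk to the switch. The native VLAN carries the
: private LAN; logical interface vlan20 carries the public /28 (placeholder).
interface ethernet1 100full
interface ethernet1 vlan1 physical
nameif ethernet1 inside security100
ip address inside 192.168.1.1 255.255.255.0

interface ethernet1 vlan20 logical
nameif vlan20 pubnet security50
ip address pubnet 203.0.113.17 255.255.255.240

: The public workstations keep their own addresses: exempt the /28 from NAT.
: Either an identity static for the whole segment ...
static (pubnet,outside) 203.0.113.16 203.0.113.16 netmask 255.255.255.240
: ... or, equivalently, a nat 0 ACL (use one form, not both):
: access-list nonat permit ip 203.0.113.16 255.255.255.240 any
: nat (pubnet) 0 access-list nonat

: Everything else on the LAN stays PATed behind the outside address.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

: pubnet sits at security50, so inside can reach it but outside cannot until
: an ACL says so. Permit only what the public hosts must receive
: (placeholder: HTTPS to a single workstation).
access-list outside_in permit tcp any host 203.0.113.18 eq 443
access-group outside_in in interface outside

: Layer 3 switch variant (assumed switch VLAN interface at 192.168.1.2):
: drop the vlan20 logical interface, move the identity static to
: (inside,outside), and route the /28 to the switch as in the answer.
: route inside 203.0.113.16 255.255.255.240 192.168.1.2 1
```

With E0 on the router and only tagged VLAN 20 plus the private native VLAN on E1, the outside and inside interfaces no longer share a broadcast domain, which is the loop the earlier comments point at.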