
Pix 515 - multiple dns udp connections

Posted on 2004-09-21
Last Modified: 2010-04-09
I have recently installed a PIX 515, running 6.3 os. We have been having problems with the memory filling up and having to reboot the pix. I have narrowed it down to too many connections (show connection count = 45,000ish). When I looked at the details, most of the connections are from root (or DNS) servers on the outside, to the private inside DNS server (running on a Netware box). This netware box only has a private IP - it is not natted through.

Now, I just added 2 forwarders on this inside Netware DNS server for 2 DNS servers on our ISP's network. But now I am sometimes seeing our ISP DNS server having multiple open UDP connections to this inside DNS server.

Example:
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -
UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -

I know DNS Guard is enabled by default, but it doesn't seem to be working.

1) Will these UDP connections eventually time out? I know that UDP is 2 minutes by default, but I read that DNS (port 53) doesn't necessarily follow this timeout.

2) What might be causing this?

This is a small, flat network with maybe 200 users (no VLANs).

Internet > Router > Pix > LAN

Also, the Pix is currently set up with both E0 and E1 ports going into a switch (as opposed to E0 into router, E1 into switch). This is due to a few workstations on the LAN that must have public IP addresses and cannot be natted. (Any design suggestions are welcome.)

Thank you very much.
Question by:pinger
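To see which outside peer is holding the bulk of those entries, a small parser over the pasted "show conn" lines is useful; this is an added example written for this page, not code from the poster or from Cisco, and it assumes the line shape shown in the question (PROTO outside:IP/port inside:IP/port flags X). The sample input is constructed here.

```python
import re
from collections import Counter

# One PIX 6.3 "show conn" entry in the shape pasted in the question:
#   UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)\s+"
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+)\s+"
    r"flags\s+(?P<flags>\S+)\s*$"
)

def parse_conn(line):
    """Return a dict for a recognised 'show conn' line, or None for
    anything else (headers, counters, blank lines)."""
    m = CONN_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, threshold=5):
    """Count entries per (proto, outside peer, inside host, inside port) and
    list every tuple holding more than `threshold` simultaneous entries.
    A single peer with many identical UDP/53 entries to one inside host is
    the pattern described in the question."""
    counts = Counter()
    for line in lines:
        c = parse_conn(line)
        if c is None:
            continue
        key = (c["proto"], c["out_ip"], c["in_ip"], int(c["in_port"]))
        counts[key] += 1
    suspects = [k for k, n in counts.items() if n > threshold]
    return counts, suspects

# Constructed sample: ten entries shaped like the question's output, one
# unrelated TCP entry, and one counter line that must be ignored.
SAMPLE = (
    ["UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags d"] * 2
    + ["UDP outside:111.111.111.111/53 inside:192.168.1.10/53 flags -"] * 8
    + ["TCP outside:198.51.100.7/80 inside:192.168.1.50/1034 flags UIO",
       "45000 in use, 45120 most used"]
)

if __name__ == "__main__":
    counts, suspects = summarize(SAMPLE)
    for key in suspects:
        print("%s %s -> %s/%d : %d open" % (key + (counts[key],)))
```

Feed it the real "show conn" output (piped from a terminal capture) and raise the threshold to taste; the grouping also works for TCP entries.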
3 Comments
 

Expert Comment

by:lrmoore
ID: 12117873
If you have any way to do it, strongly suggest you enable 2 vlans on your switch. One for public ips and one for private ips. The way you have it now is causing your problems with the pix head seeing its tail on the same interface...I'm surprised it works at all.
Else get yourself another switch for the outside PIX interface and the clients that can't be NAT'd.
 

Expert Comment

by:LimeSMJ
ID: 12120715
I agree... sounds like your memory is filling up because of that possible loop.
 

Accepted Solution

by: fullerms (earned 100 total points)
ID: 12121196
Connect your PIX E0 interface directly to the router. From your public IP range, create a smaller segment according to your requirements. (for example if you have a /24 segment, create a /28 segment out of this and configure a route inside statement for this segment on your pix)

Create a separate VLAN for the PCs which need public IPs. If your LAN has a layer 3 switch, create a VLAN interface for the public segment and use that as the gateway. If you don't have a layer 3 switch, create an 802.1Q VLAN trunk on the PIX (up to eight VLANs can be created) and the switch, and assign the gateway IP to the PIX.

Do a static (inside,outside) or an ACL nonat using the same IP for the hosts which need a public IP. This way, your public IP requirements are met without compromising on security.
