jjeffords
asked on
Command to enter into a Pix 506 to allow DNS packets in excess of 512 bytes through.
Hey guys, as I am sure I am not the only one, from reading around and all. I am having trouble with my new server communicating with Earthlink due to the huge byte size of their MX records for their mail server. The new DNS protocol will not work unless my firewall is capable of allowing byte sizes larger than 512 through. So I need the command to enter into a PIX 506 to allow DNS packets in excess of 512 bytes through.
I appreciate the time and effort !
Thanks in Advance
ASKER
I am getting this when I put this in:
no fixup protocol dns 53
bad protocol dns
Am I missing something?
ASKER
fixup protocol dns maximum-length 512
Is this what I need to be using, or what?
My bad. You don't need the "53" - it's the only entry that does not specify the port number...
IRDLABPIX> en
Password: *****
IRDLABPIX# conf t
IRDLABPIX(config)# no fixup protocol dns
IRDLABPIX(config)#
ASKER
Now this is what I get:
bad protocol dns
Usage: [no] fixup protocol <prot> [<option>] <port>[-<port>]
What version PIX OS are you running?
>This feature is added to the fixup protocol command in the PIX Firewall Version 6.3(2) software
Try "fixup protocol dns maximum-length 1024" <increase the size allowed>
ASKER
PIX Version 6.2(2)
ASKER
Even when trying "fixup protocol dns maximum-length 1024", I am getting this error:
pixfirewall> en
Password: ***********
pixfirewall# config t
pixfirewall(config)# fixup protocol dns maximum length 1024
bad protocol dns
Usage: [no] fixup protocol <prot> [<option>] <port>[-<port>]
Any chance that you can upgrade to 6.3 ?
ASKER
I am no Cisco guy.
I am a sys admin, lol.
Never had to upgrade a PIX.
You tell me how and I'll be glad to, lol.
ASKER CERTIFIED SOLUTION
ASKER
OK, so the command I use is:
Pix# copy http://mydomain.org/filename.bin flash:
Oh, I have a password and all.
No need for the files.
The networking guy here quit with no notice and I am kinda trying to pick up his slack where he left off.
Just don't have any Cisco experience.
Thanks in advance
ASKER
Also, if we aren't hosting our own web server locally here, can I just use:
copy \\servername/filename.bin flash:
Thanks
ASKER
Actually, more like this is what I meant..
pix#copy \\fileserver/pix634.bin flash:
Other thing: how long does it take? Because we are a hospital and can't afford a lot of downtime, so I need to plan accordingly.
Thanks
If you don't have a web server, you can use a laptop or something with IIS installed.
You only have two choices - http or tftp - so you will need one of these servers. You can download free tftp servers off the net. I like Pumpkin from http://www.klever.net
So you have to use:
PIX#copy tftp://<ipaddress>/pix634.bin flash:
The copy will take about 1 minute, after it completes, a reboot will take about 1 minute. The only downtime is during the reboot.
ASKER
OK, thanks a lot.
I will touch base with you when I am finished with the install.
Thanks
ASKER
Does it automatically reboot? Or do I need to reboot it?
You have to manually reboot.
PIX#wri mem <== always save first
PIX#reload
ASKER
Oops, I rebooted before saving, lol.
So I use both before a reboot, correct?
PIX#wri mem <== always save first
PIX#reload
It is always best to make sure the config is saved before rebooting.
The "reload" is a warm reboot.
ASKER
Thanks
brb
ASKER
OK, I did that and it is correct. Went really smooth!
Now this is what I see on a sh config:
fixup protocol dns maximum-length 512
I put in the config t:
no fixup protocol dns
wri mem, and then when I pull a config the "fixup protocol dns maximum-length 512" is gone.
Do you recommend not having a fixup protocol at all, or should I just up the size and keep the protocol active?
My only problem is I don't know what the size of the MX record for Earthlink is.
Thanks
Best bet is to try it both ways.
First preference would be to change the max-length, but keep the fixup on.
Try incrementing the max-length a little at a time:
640 - 768 - 1024
no fixup protocol dns 53
"The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes."
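The asker's remaining problem is not knowing how big the MX reply actually is, and the advice above is to raise maximum-length in steps (640, 768, 1024) while keeping the fixup on. The following Python is an added example, not code from this thread or from Cisco: it builds a DNS MX reply in wire format for a constructed, fictitious domain (example.net, with made-up mx01..mx12 hosts), parses it back, and reports whether the fixup at a given maximum-length would drop it and which of the suggested steps is the smallest one that would let it through. It uses no name compression, so its sizes are an upper bound; a real server's reply for the same records would be somewhat smaller.

```python
import struct

# Constructed demo data for this example only: a fictitious mail domain with
# many MX hosts. The real Earthlink record size is not known on this page.
DEMO_ZONE = "example.net"
DEMO_EXCHANGERS = [(10, "mx%02d.mail.example.net" % i) for i in range(1, 13)]

# maximum-length values discussed in the thread: the 512 default, then the steps.
FIXUP_STEPS = (512, 640, 768, 1024)

TYPE_MX, CLASS_IN = 15, 1


def encode_name(name):
    """Encode a dotted name as uncompressed RFC 1035 labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode a name at offset, following compression pointers. Returns (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_mx_response(qname, exchangers, txn_id=0x1234, ttl=3600):
    """Build a plain UDP DNS reply (no EDNS, no compression) carrying MX records."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txn_id, flags, 1, len(exchangers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_MX, CLASS_IN)
    answers = b""
    for preference, host in exchangers:
        rdata = struct.pack("!H", preference) + encode_name(host)
        answers += (encode_name(qname)
                    + struct.pack("!HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata))
                    + rdata)
    return header + question + answers


def parse_header(packet):
    """Decode the 12-byte DNS header, including the TC (truncated) flag."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txn_id, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def parse_mx_answers(packet):
    """Walk the question and answer sections; return [(preference, exchanger), ...]."""
    hdr = parse_header(packet)
    offset = 12
    for _ in range(hdr["qdcount"]):
        _, offset = decode_name(packet, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(hdr["ancount"]):
        _, offset = decode_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_MX:
            preference = struct.unpack("!H", packet[offset:offset + 2])[0]
            host, _ = decode_name(packet, offset + 2)
            records.append((preference, host))
        offset += rdlen
    return records


def check_against_fixup(packet, max_length=512):
    """Would the PIX DNS fixup drop this UDP reply at the given maximum-length?"""
    size = len(packet)
    hdr = parse_header(packet)
    return {
        "size": size,
        "max_length": max_length,
        "passes": size <= max_length,
        "truncated": hdr["tc"],  # TC set means the client must retry over TCP anyway
        "recommended_max_length": next((s for s in FIXUP_STEPS if s >= size), None),
    }


if __name__ == "__main__":
    reply = build_mx_response(DEMO_ZONE, DEMO_EXCHANGERS)
    print(len(reply), "bytes;", len(parse_mx_answers(reply)), "MX records")
    print(check_against_fixup(reply, 512))
```

For a real check, compare the UDP payload length of the server's reply in a packet capture against the configured maximum-length; a reply with the TC flag set is one the resolver will re-ask over TCP, which the UDP port 53 fixup limit does not cover. If a reply is larger than 1024 the step list returns None, meaning none of the suggested values is enough.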