Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Command to enter into a Pix 506 to allow DNS packets in excess of 512 bytes through.

Posted on 2004-10-14
23
Medium Priority
?
352 Views
Last Modified: 2013-11-16
Hey guys as i am sure i am not the only one from reading around and all. I am having trouble with my new server communicating with Earthlink due to their huge byte size of their MX records for their mailserver. The new DNS protocol will not work unless my firewall is capable of allowing byte sizes larger than 512 through.So i need the Command to enter into a Pix 506 to allow DNS packets in excess of 512 bytes through.
I appreciate the time and effort !
Thanks in Advance
0
Comment
Question by:jjeffords
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 14
  • 9
23 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12312852
You can start with
  no fixup protocol dns 53

"The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes."
0
 

Author Comment

by:jjeffords
ID: 12320816
I am getting this when i put this in
no fixup protocol dns 53
bad protocol dns

Am i missing something?
0
 

Author Comment

by:jjeffords
ID: 12320836
fixup protocol dns maximum-length 512

Is this what i need to be using or what?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 79

Expert Comment

by:lrmoore
ID: 12320858
my bad.  You don't need the "53" - it's the only entry that does not specify the port number...

IRDLABPIX> en  
Password: *****
IRDLABPIX# conf t
IRDLABPIX(config)# no fixup protocol dns
IRDLABPIX(config)#
0
 

Author Comment

by:jjeffords
ID: 12320887
Now this is what i get

bad protocol dns
Usage:  [no] fixup protocol <prot> [<option>] <port>[-<port>]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12321656
What version PIX OS are you running?
>This feature is added to the fixup protocol command in the PIX Firewall Version 6.3(2) software

Try "fixup protocol dns maximum-length 1024"  <increase the size allowed>

0
 

Author Comment

by:jjeffords
ID: 12321764
PIX Version 6.2(2)
0
 

Author Comment

by:jjeffords
ID: 12321822
Even when trying fixup protocol dns maximum-length 1024
I am getting this error
pixfirewall> en
Password: ***********
pixfirewall# config t
pixfirewall(config)# fixup protocol dns maximum length 1024
bad protocol dns
Usage:  [no] fixup protocol <prot> [<option>] <port>[-<port>]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12321967
Any chance that you can upgrade to 6.3 ?
0
 

Author Comment

by:jjeffords
ID: 12322115
I am no cisco guy
I am a sys admin lol
Never had to upgrade a pix
You tell me how and ill be glad to  lol
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12324282
First, you need Cisco login/password to access the software. It would not be legal for us to pass it to you, nor is there any method of posting binary files on this site.

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Instructions are quite simple. If you have a web server, you can put the .bin image there and use http:
  pix#copy http://<web server/pix634.bin flash:

Once it completes, reboot and you're in business..


0
 

Author Comment

by:jjeffords
ID: 12337696
ok so the command i use is
Pix# copy http://mydomain.org/filename.bin flash:

Oh i have a password and all.
No need for the files.
The networking guy here quit with no notice and i am kinda trying to pick up his slack where he left off.
Just dont have any cisco experience
Thanks in advance
0
 

Author Comment

by:jjeffords
ID: 12337717
Also if we arent hosting our own webserver locally here can i just use
copy \\servername/filename.bin flash:
Thanks
0
 

Author Comment

by:jjeffords
ID: 12337869
actually more like this is what i meant..
pix#copy \\fileserver/pix634.bin flash:
Other thing. How long does it take cause we are a hospital and cant afford alot of downtime.So i need to plan accordingly
Thanks
pix#copy \\fileserver/pix634.bin flash:
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12337903
If you don't have a web server, you can use a laptop or something with IIS installed.
You only have two choices - http or tftp so you will need one of thse servers. You can download free tftp servers off the net. I like Pumpkin from http://www.klever.net
so you have to use:
PIX#copy tftp://<ipaddress>/pix634.bin flash:

The copy will take about 1 minute, after it completes, a reboot will take about 1 minute. The only downtime is during the reboot.
0
 

Author Comment

by:jjeffords
ID: 12337930
OK thanks alot
I will touch base with you when i am finished with the install
Thanks
0
 

Author Comment

by:jjeffords
ID: 12338037
Does it automatically reboot? Or do i need to reboot it
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12338062
You have to manually reboot.

PIX#wri mem  <== always save first

PIX#reload



0
 

Author Comment

by:jjeffords
ID: 12338096
Oops i rebooted before saving  lol
So i use both before a reboot correct?

PIX#wri mem  <== always save first

PIX#reload
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12338194
It is always best to make sure the config is saved before rebooting.
the "reload" is a warm reboot.
0
 

Author Comment

by:jjeffords
ID: 12338208
Thanks
brb
0
 

Author Comment

by:jjeffords
ID: 12338305
OK i did that and it is correct Went really smooth !
Now this is what i see on a sh config
fixup protocol dns maximum-length 512

I put in the config t
no fixup protocol dns
wri mem and then when i pull a config the fixup protocol dns maximum-length 512 is gone.
Do you recommend not having a fixup protocol at all or should i just up the size and keep the protocol active.
My only problem is i dont know what the size of the MX record for Earthlink is.
Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12338397
Best bet is to try it both ways.
First preference would be to change the max-length, but keep the fixup on
Try incrementing the max-length  a little at a time
   640 - 768 - 1024


0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question