Solved

Command to enter into a Pix 506 to allow DNS packets in excess of 512 bytes through.

Posted on 2004-10-14
23
341 Views
Last Modified: 2013-11-16
Hey guys as i am sure i am not the only one from reading around and all. I am having trouble with my new server communicating with Earthlink due to their huge byte size of their MX records for their mailserver. The new DNS protocol will not work unless my firewall is capable of allowing byte sizes larger than 512 through.So i need the Command to enter into a Pix 506 to allow DNS packets in excess of 512 bytes through.
I appreciate the time and effort !
Thanks in Advance
0
Comment
Question by:jjeffords
  • 14
  • 9
23 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12312852
You can start with
  no fixup protocol dns 53

"The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes."
0
 

Author Comment

by:jjeffords
ID: 12320816
I am getting this when i put this in
no fixup protocol dns 53
bad protocol dns

Am i missing something?
0
 

Author Comment

by:jjeffords
ID: 12320836
fixup protocol dns maximum-length 512

Is this what i need to be using or what?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12320858
my bad.  You don't need the "53" - it's the only entry that does not specify the port number...

IRDLABPIX> en  
Password: *****
IRDLABPIX# conf t
IRDLABPIX(config)# no fixup protocol dns
IRDLABPIX(config)#
0
 

Author Comment

by:jjeffords
ID: 12320887
Now this is what i get

bad protocol dns
Usage:  [no] fixup protocol <prot> [<option>] <port>[-<port>]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12321656
What version PIX OS are you running?
>This feature is added to the fixup protocol command in the PIX Firewall Version 6.3(2) software

Try "fixup protocol dns maximum-length 1024"  <increase the size allowed>

0
 

Author Comment

by:jjeffords
ID: 12321764
PIX Version 6.2(2)
0
 

Author Comment

by:jjeffords
ID: 12321822
Even when trying fixup protocol dns maximum-length 1024
I am getting this error
pixfirewall> en
Password: ***********
pixfirewall# config t
pixfirewall(config)# fixup protocol dns maximum length 1024
bad protocol dns
Usage:  [no] fixup protocol <prot> [<option>] <port>[-<port>]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12321967
Any chance that you can upgrade to 6.3 ?
0
 

Author Comment

by:jjeffords
ID: 12322115
I am no cisco guy
I am a sys admin lol
Never had to upgrade a pix
You tell me how and ill be glad to  lol
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12324282
First, you need Cisco login/password to access the software. It would not be legal for us to pass it to you, nor is there any method of posting binary files on this site.

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Instructions are quite simple. If you have a web server, you can put the .bin image there and use http:
  pix#copy http://<web server/pix634.bin flash:

Once it completes, reboot and you're in business..


0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:jjeffords
ID: 12337696
ok so the command i use is
Pix# copy http://mydomain.org/filename.bin flash:

Oh i have a password and all.
No need for the files.
The networking guy here quit with no notice and i am kinda trying to pick up his slack where he left off.
Just dont have any cisco experience
Thanks in advance
0
 

Author Comment

by:jjeffords
ID: 12337717
Also if we arent hosting our own webserver locally here can i just use
copy \\servername/filename.bin flash:
Thanks
0
 

Author Comment

by:jjeffords
ID: 12337869
actually more like this is what i meant..
pix#copy \\fileserver/pix634.bin flash:
Other thing. How long does it take cause we are a hospital and cant afford alot of downtime.So i need to plan accordingly
Thanks
pix#copy \\fileserver/pix634.bin flash:
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12337903
If you don't have a web server, you can use a laptop or something with IIS installed.
You only have two choices - http or tftp so you will need one of thse servers. You can download free tftp servers off the net. I like Pumpkin from http://www.klever.net
so you have to use:
PIX#copy tftp://<ipaddress>/pix634.bin flash:

The copy will take about 1 minute, after it completes, a reboot will take about 1 minute. The only downtime is during the reboot.
0
 

Author Comment

by:jjeffords
ID: 12337930
OK thanks alot
I will touch base with you when i am finished with the install
Thanks
0
 

Author Comment

by:jjeffords
ID: 12338037
Does it automatically reboot? Or do i need to reboot it
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12338062
You have to manually reboot.

PIX#wri mem  <== always save first

PIX#reload



0
 

Author Comment

by:jjeffords
ID: 12338096
Oops i rebooted before saving  lol
So i use both before a reboot correct?

PIX#wri mem  <== always save first

PIX#reload
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12338194
It is always best to make sure the config is saved before rebooting.
the "reload" is a warm reboot.
0
 

Author Comment

by:jjeffords
ID: 12338208
Thanks
brb
0
 

Author Comment

by:jjeffords
ID: 12338305
OK i did that and it is correct Went really smooth !
Now this is what i see on a sh config
fixup protocol dns maximum-length 512

I put in the config t
no fixup protocol dns
wri mem and then when i pull a config the fixup protocol dns maximum-length 512 is gone.
Do you recommend not having a fixup protocol at all or should i just up the size and keep the protocol active.
My only problem is i dont know what the size of the MX record for Earthlink is.
Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12338397
Best bet is to try it both ways.
First preference would be to change the max-length, but keep the fixup on
Try incrementing the max-length  a little at a time
   640 - 768 - 1024


0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now