Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 355
  • Last Modified:

Command to enter into a Pix 506 to allow DNS packets in excess of 512 bytes through.

Hey guys as i am sure i am not the only one from reading around and all. I am having trouble with my new server communicating with Earthlink due to their huge byte size of their MX records for their mailserver. The new DNS protocol will not work unless my firewall is capable of allowing byte sizes larger than 512 through.So i need the Command to enter into a Pix 506 to allow DNS packets in excess of 512 bytes through.
I appreciate the time and effort !
Thanks in Advance
0
jjeffords
Asked:
jjeffords
  • 14
  • 9
1 Solution
 
lrmooreCommented:
You can start with
  no fixup protocol dns 53

"The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes."
0
 
jjeffordsAuthor Commented:
I am getting this when i put this in
no fixup protocol dns 53
bad protocol dns

Am i missing something?
0
 
jjeffordsAuthor Commented:
fixup protocol dns maximum-length 512

Is this what i need to be using or what?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
lrmooreCommented:
my bad.  You don't need the "53" - it's the only entry that does not specify the port number...

IRDLABPIX> en  
Password: *****
IRDLABPIX# conf t
IRDLABPIX(config)# no fixup protocol dns
IRDLABPIX(config)#
0
 
jjeffordsAuthor Commented:
Now this is what i get

bad protocol dns
Usage:  [no] fixup protocol <prot> [<option>] <port>[-<port>]
0
 
lrmooreCommented:
What version PIX OS are you running?
>This feature is added to the fixup protocol command in the PIX Firewall Version 6.3(2) software

Try "fixup protocol dns maximum-length 1024"  <increase the size allowed>

0
 
jjeffordsAuthor Commented:
PIX Version 6.2(2)
0
 
jjeffordsAuthor Commented:
Even when trying fixup protocol dns maximum-length 1024
I am getting this error
pixfirewall> en
Password: ***********
pixfirewall# config t
pixfirewall(config)# fixup protocol dns maximum length 1024
bad protocol dns
Usage:  [no] fixup protocol <prot> [<option>] <port>[-<port>]
0
 
lrmooreCommented:
Any chance that you can upgrade to 6.3 ?
0
 
jjeffordsAuthor Commented:
I am no cisco guy
I am a sys admin lol
Never had to upgrade a pix
You tell me how and ill be glad to  lol
0
 
lrmooreCommented:
First, you need Cisco login/password to access the software. It would not be legal for us to pass it to you, nor is there any method of posting binary files on this site.

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Instructions are quite simple. If you have a web server, you can put the .bin image there and use http:
  pix#copy http://<web server/pix634.bin flash:

Once it completes, reboot and you're in business..


0
 
jjeffordsAuthor Commented:
ok so the command i use is
Pix# copy http://mydomain.org/filename.bin flash:

Oh i have a password and all.
No need for the files.
The networking guy here quit with no notice and i am kinda trying to pick up his slack where he left off.
Just dont have any cisco experience
Thanks in advance
0
 
jjeffordsAuthor Commented:
Also if we arent hosting our own webserver locally here can i just use
copy \\servername/filename.bin flash:
Thanks
0
 
jjeffordsAuthor Commented:
actually more like this is what i meant..
pix#copy \\fileserver/pix634.bin flash:
Other thing. How long does it take cause we are a hospital and cant afford alot of downtime.So i need to plan accordingly
Thanks
pix#copy \\fileserver/pix634.bin flash:
0
 
lrmooreCommented:
If you don't have a web server, you can use a laptop or something with IIS installed.
You only have two choices - http or tftp so you will need one of thse servers. You can download free tftp servers off the net. I like Pumpkin from http://www.klever.net
so you have to use:
PIX#copy tftp://<ipaddress>/pix634.bin flash:

The copy will take about 1 minute, after it completes, a reboot will take about 1 minute. The only downtime is during the reboot.
0
 
jjeffordsAuthor Commented:
OK thanks alot
I will touch base with you when i am finished with the install
Thanks
0
 
jjeffordsAuthor Commented:
Does it automatically reboot? Or do i need to reboot it
0
 
lrmooreCommented:
You have to manually reboot.

PIX#wri mem  <== always save first

PIX#reload



0
 
jjeffordsAuthor Commented:
Oops i rebooted before saving  lol
So i use both before a reboot correct?

PIX#wri mem  <== always save first

PIX#reload
0
 
lrmooreCommented:
It is always best to make sure the config is saved before rebooting.
the "reload" is a warm reboot.
0
 
jjeffordsAuthor Commented:
Thanks
brb
0
 
jjeffordsAuthor Commented:
OK i did that and it is correct Went really smooth !
Now this is what i see on a sh config
fixup protocol dns maximum-length 512

I put in the config t
no fixup protocol dns
wri mem and then when i pull a config the fixup protocol dns maximum-length 512 is gone.
Do you recommend not having a fixup protocol at all or should i just up the size and keep the protocol active.
My only problem is i dont know what the size of the MX record for Earthlink is.
Thanks
0
 
lrmooreCommented:
Best bet is to try it both ways.
First preference would be to change the max-length, but keep the fixup on
Try incrementing the max-length  a little at a time
   640 - 768 - 1024


0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 14
  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now