Solved

Command to enter into a Pix 506 to allow DNS packets in excess of 512 bytes through.

Posted on 2004-10-14
23
345 Views
Last Modified: 2013-11-16
Hey guys, as I am sure I am not the only one, from reading around and all. I am having trouble with my new server communicating with Earthlink due to the huge byte size of their MX records for their mail server. The new DNS protocol will not work unless my firewall is capable of allowing byte sizes larger than 512 through. So I need the command to enter into a Pix 506 to allow DNS packets in excess of 512 bytes through.
I appreciate the time and effort !
Thanks in Advance
0
Comment
Question by:jjeffords
23 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12312852
You can start with
  no fixup protocol dns 53

"The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes."
0
 

Author Comment

by:jjeffords
ID: 12320816
I am getting this when I put this in
no fixup protocol dns 53
bad protocol dns

Am I missing something?
0
 

Author Comment

by:jjeffords
ID: 12320836
fixup protocol dns maximum-length 512

Is this what I need to be using, or what?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12320858
my bad.  You don't need the "53" - it's the only entry that does not specify the port number...

IRDLABPIX> en  
Password: *****
IRDLABPIX# conf t
IRDLABPIX(config)# no fixup protocol dns
IRDLABPIX(config)#
0
 

Author Comment

by:jjeffords
ID: 12320887
Now this is what I get

bad protocol dns
Usage:  [no] fixup protocol <prot> [<option>] <port>[-<port>]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12321656
What version PIX OS are you running?
>This feature is added to the fixup protocol command in the PIX Firewall Version 6.3(2) software

Try "fixup protocol dns maximum-length 1024"  <increase the size allowed>

0
 

Author Comment

by:jjeffords
ID: 12321764
PIX Version 6.2(2)
0
 

Author Comment

by:jjeffords
ID: 12321822
Even when trying fixup protocol dns maximum-length 1024
I am getting this error
pixfirewall> en
Password: ***********
pixfirewall# config t
pixfirewall(config)# fixup protocol dns maximum length 1024
bad protocol dns
Usage:  [no] fixup protocol <prot> [<option>] <port>[-<port>]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12321967
Any chance that you can upgrade to 6.3 ?
0
 

Author Comment

by:jjeffords
ID: 12322115
I am no Cisco guy.
I am a sys admin lol
Never had to upgrade a PIX.
You tell me how and I'll be glad to lol
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12324282
First, you need Cisco login/password to access the software. It would not be legal for us to pass it to you, nor is there any method of posting binary files on this site.

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Instructions are quite simple. If you have a web server, you can put the .bin image there and use http:
  pix#copy http://<web server>/pix634.bin flash:

Once it completes, reboot and you're in business..


0
 

Author Comment

by:jjeffords
ID: 12337696
OK, so the command I use is
Pix# copy http://mydomain.org/filename.bin flash:

Oh, I have a password and all.
No need for the files.
The networking guy here quit with no notice and I am kinda trying to pick up his slack where he left off.
Just don't have any Cisco experience.
Thanks in advance
0
 

Author Comment

by:jjeffords
ID: 12337717
Also, if we aren't hosting our own web server locally here, can I just use
copy \\servername/filename.bin flash:
Thanks
0
 

Author Comment

by:jjeffords
ID: 12337869
Actually, more like this is what I meant..
pix#copy \\fileserver/pix634.bin flash:
Other thing: how long does it take? Because we are a hospital and can't afford a lot of downtime, so I need to plan accordingly.
Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12337903
If you don't have a web server, you can use a laptop or something with IIS installed.
You only have two choices - http or tftp - so you will need one of these servers. You can download free tftp servers off the net. I like Pumpkin from http://www.klever.net
so you have to use:
PIX#copy tftp://<ipaddress>/pix634.bin flash:

The copy will take about 1 minute, after it completes, a reboot will take about 1 minute. The only downtime is during the reboot.
0
 

Author Comment

by:jjeffords
ID: 12337930
OK, thanks a lot
I will touch base with you when i am finished with the install
Thanks
0
 

Author Comment

by:jjeffords
ID: 12338037
Does it automatically reboot? Or do I need to reboot it?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12338062
You have to manually reboot.

PIX#wri mem  <== always save first

PIX#reload



0
 

Author Comment

by:jjeffords
ID: 12338096
Oops, I rebooted before saving lol
So I use both before a reboot, correct?

PIX#wri mem  <== always save first

PIX#reload
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12338194
It is always best to make sure the config is saved before rebooting.
The "reload" is a warm reboot.
0
 

Author Comment

by:jjeffords
ID: 12338208
Thanks
brb
0
 

Author Comment

by:jjeffords
ID: 12338305
OK, I did that and it is correct. Went really smooth!
Now this is what I see on a sh config
fixup protocol dns maximum-length 512

I put in the config t
no fixup protocol dns
wri mem, and then when I pull a config the fixup protocol dns maximum-length 512 is gone.
Do you recommend not having a fixup protocol at all, or should I just up the size and keep the protocol active?
My only problem is I don't know what the size of the MX record for Earthlink is.
Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12338397
Best bet is to try it both ways.
First preference would be to change the max-length, but keep the fixup on
Try incrementing the max-length  a little at a time
   640 - 768 - 1024


0
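The asker's remaining problem is not knowing how large the other side's MX response actually is, and the advice above is to step maximum-length through 640, 768 and 1024. The following Python script is an added example, not code from this thread, from Experts Exchange or from Cisco: it parses a DNS response in RFC 1035 wire format, reports its size, its TC (truncated) flag and the MX records it carries, and then applies a model of the PIX rule quoted earlier in the thread (UDP/53 packets larger than the configured maximum-length are dropped, default 512) to find the smallest of the suggested steps that would let the packet through. The sample response (example.com with 16 MX records pointing at mx01..mx16.mail.example.net) is constructed for the example and is not real Earthlink data; `passes_fixup` and `smallest_fixup_step` are names chosen here.

```python
"""Size a DNS MX response against the PIX 'fixup protocol dns maximum-length'
check and report which of the suggested values (512/640/768/1024) it needs.

Added example for this thread; not code from Experts Exchange or Cisco.
Wire format per RFC 1035; the sample zone data below is constructed."""
import struct

TYPE_MX = 15
CLASS_IN = 1
FLAG_TC = 0x0200  # truncation bit in the DNS header flags


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_mx_response(domain, mx_hosts, txid=0x1234, truncated=False):
    """Build a constructed MX response. Each answer's owner name is a
    compression pointer to the question name at offset 12 (0xC00C), as real
    servers do; the exchange hostnames are written out in full."""
    flags = 0x8180 | (FLAG_TC if truncated else 0)  # QR, RD, RA set
    header = struct.pack("!HHHHHH", txid, flags, 1, len(mx_hosts), 0, 0)
    question = encode_name(domain) + struct.pack("!HH", TYPE_MX, CLASS_IN)
    answers = b""
    for preference, host in mx_hosts:
        rdata = struct.pack("!H", preference) + encode_name(host)
        answers += (b"\xc0\x0c"
                    + struct.pack("!HHIH", TYPE_MX, CLASS_IN, 3600, len(rdata))
                    + rdata)
    return header + question + answers


def read_name(packet, offset, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def summarize_response(packet):
    """Parse header, question and answer sections; return size, TC flag, MX list."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(packet, offset)
        offset += 4  # QTYPE + QCLASS
    mx = []
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_MX:
            preference = struct.unpack("!H", packet[offset:offset + 2])[0]
            host, _ = read_name(packet, offset + 2)
            mx.append((preference, host))
        offset += rdlen
    return {"size": len(packet), "truncated": bool(flags & FLAG_TC),
            "answers": ancount, "mx": mx}


def passes_fixup(packet, maximum_length=512):
    """Model of the PIX check quoted in the thread: UDP/53 packets larger than
    the configured maximum-length are dropped; 512 is the default."""
    return len(packet) <= maximum_length


def smallest_fixup_step(packet, steps=(512, 640, 768, 1024)):
    """Smallest of the suggested maximum-length values that lets the packet through."""
    for step in steps:
        if passes_fixup(packet, step):
            return step
    return None


# Constructed sample: a zone publishing 16 MX records (not real Earthlink data).
SAMPLE_MX = [(10, f"mx{i:02d}.mail.example.net") for i in range(1, 17)]
SAMPLE_RESPONSE = build_mx_response("example.com", SAMPLE_MX)

if __name__ == "__main__":
    info = summarize_response(SAMPLE_RESPONSE)
    print(f"{info['size']} bytes, {info['answers']} MX answers, TC={info['truncated']}")
    for step in (512, 640, 768, 1024):
        verdict = "pass" if passes_fixup(SAMPLE_RESPONSE, step) else "DROP"
        print(f"maximum-length {step}: {verdict}")
    print("smallest step needed:", smallest_fixup_step(SAMPLE_RESPONSE))
```

To size a real response, feed `summarize_response` the UDP payload of the answer captured from a resolver query in place of `SAMPLE_RESPONSE`. Two things to watch in the output: a packet that is rejected at 512 but passes at the next step tells you which `fixup protocol dns maximum-length` value to configure while keeping the fixup on, and a response with TC set means the server itself truncated the answer and the resolver is expected to retry over TCP, which the UDP/53 length check quoted in the thread does not cover.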
