
DNS Problem on Adtran Netvanta 2100

acs49686 asked:
I have a 10 year old Netvanta 2100 (1st Generation) that still works great, but we can't meet PCI compliance because the unit does respond to DNS queries, which upsets the PCI Compliance people.
The Firewall is configured with static IP from ISP, and I am using the ISPs DNS server names.
I have tried to set an incoming rule to block incoming UDP port 53 traffic, but that doesn't help.

I need to continue to use DHCP on the firewall so I can't statically assign the local machine adapters.

Most Valuable Expert 2015 commented:
Can you post your access-lists and policies?
Steve Jennings, Sr Manager Cloud Networking Ops, commented:
As I recall, the Adtran ACLs seem to work "backward" from the Cisco ACLs I am used to. That said, are you saying that the UDP port 53 queries are still getting through or that they are being blocked but that doesn't satisfy the PCI compliance people? Are you also blocking TCP 53?

Good luck,
SteveJ
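A check worth running before and after any ACL change, added here as an example and not code from this thread: send one DNS query to the firewall's public address over UDP 53 and again over TCP 53, and report whether anything comes back. Any reply at all, even REFUSED, is what a PCI scanner counts as the device answering; only silence (or a closed TCP port) reads as stealth. The query name, transaction ID and the placeholder target address are constructed values; run it from a host outside the perimeter against your own WAN IP.

```python
import socket
import struct
import sys

# Constructed example inputs: the query name, transaction ID and the
# placeholder target below are assumptions, not values from the thread.
QUERY_NAME = "example.com"
QUERY_ID = 0x1234
DNS_PORT = 53

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qid: int = QUERY_ID) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes) -> dict:
    """Decode the 12-byte DNS header; the flags tell us whether the box answered."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),          # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,
        "questions": qd,
        "answers": an,
    }


def probe_udp(host: str, name: str = QUERY_NAME, timeout: float = 2.0):
    """Send one UDP query; return the parsed header, or None if nothing came back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, DNS_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return None
    return parse_response(data)


def probe_tcp(host: str, name: str = QUERY_NAME, timeout: float = 2.0):
    """Same check over TCP 53 (two-byte length prefix, RFC 1035 section 4.2.2)."""
    query = build_query(name)
    try:
        with socket.create_connection((host, DNS_PORT), timeout=timeout) as sock:
            sock.sendall(struct.pack("!H", len(query)) + query)
            prefix = sock.recv(2)
            if len(prefix) < 2:
                return None
            (length,) = struct.unpack("!H", prefix)
            data = b""
            while len(data) < length:
                chunk = sock.recv(length - len(data))
                if not chunk:
                    return None
                data += chunk
    except (OSError, socket.timeout):
        return None  # refused, reset or timed out: no DNS answer either way
    return parse_response(data)


def classify(resp) -> str:
    """Turn a parsed header (or None) into the verdict a scanner would reach."""
    if resp is None:
        return "no answer (port silent or filtered)"
    if not resp["is_response"]:
        return "unexpected packet without QR bit"
    if resp["id"] != QUERY_ID:
        return "answer with mismatched transaction ID"
    return "answers (rcode %s)" % RCODES.get(resp["rcode"], str(resp["rcode"]))


if __name__ == "__main__":
    # 192.0.2.1 is an RFC 5737 documentation address, used only as a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    for proto, probe in (("udp", probe_udp), ("tcp", probe_tcp)):
        print(proto, classify(probe(target)))
```

Run it as `python3 probe.py <your WAN IP>`. If either line reports "answers", the unit is still responding on that transport regardless of what the inbound ACL says, which is the situation the scanner is flagging; blocking only UDP 53 leaves the TCP line to tell you whether TCP 53 was overlooked.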
Most Valuable Expert 2015 commented:
They don't work backward -- same format.

Either create the access list and apply it to the interface or (at least with the firewall turned on), create the access-list, include it within the policy and apply the policy to the interface.
Steve Jennings, Sr Manager Cloud Networking Ops, commented:
No, not the same format; perhaps "backward" was the wrong word choice. You create a "permit" list, then apply that to a policy in which you "discard" or "allow" the "permitted" list. That's not Cisco.

acs49686,
Post the config with the public IPs removed if you think you might be having ACL issues.

Good luck,
SteveJ

Author commented:
The answer was that the PCI compliance people felt that because the firewall responded at all, it was a potential threat. They want the firewall to be in stealth mode, which that rev did not support. It will only respond with correct IPs for outside of the perimeter network, but the buffoons at PCI are weird and we had to replace the device. On the other hand I get a nice firewall for home...