Hi John,
That error message indicates that the PIX has seen this particular DNS
query ANSWERED previously. Here is the link to the documentation for this
error message.
http://cco.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/pix55em/pixemsgs.htm#xtocid169222
Are you sure this is in response to a zone transfer? I generally expect
zone transfers via TCP, and sourced from port 53 (though not always), so
your conduit should work fine. Have you checked your DNS server logs for
additional clues on why the zone transfers are failing?
If the PIX is indeed responding with this error message to a zone transfer
attempt, something is broken. I would recommend that you open a case with
the Cisco Technical Assistance Center.
And, yeah, they changed the keyword on the PIX to be more like router IOS,
and used the domain keyword instead.
Hope that helps,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
At 08:25 AM 02/18/2000 -0500, John Adams wrote:
>Does anyone know what conduit statement to give to the PIX to permit zone
>transfers?
>
>Currently, we have:
>
> conduit permit tcp host xxx.xxx.40.60 eq domain any
> conduit permit udp host xxx.xxx.40.60 eq domain any
>
>Which should let anyone get to our nameservers, yet the pix keeps
>returning in its logs:
>
>Feb 15 13:06:58 yyy.yyy.yyy.yyy Feb 15 2000 13:00:44: %PIX-2-106007: Deny
>inbound UDP from 63.71.190.10/10805 to zz.zz.2.110/53 due to DNS Query
>
>zz.zz.2.110 is our internal, NAT translated machine running our dns
>server.
>
>It's dumb too! Because in version 4, you could do a conduit dns and
>everything would be fine. Now it's called 'domain'. Argh. Lame. I'm not
>stupid and I do know what ports DNS is on but the PIX seems to handle it
>strangely.
>
>We also have TCP fixup on; maybe that's breaking it?
>
>Thanks in advance.
>
>-john
>
>(ignore all of the yyy's and zz's. I don't want to give you my addresses.
> Nyahh!)
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
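As an added illustration of Lisa's point (this is example code, not anything from either poster or from Cisco), the script below parses the conduit statements and the %PIX-2-106007 line in the form John quoted, maps the inside address shown in the log back to the global address the conduit names, and reports whether the conduit already permits the denied packet. If it does, the deny is the PIX DNS guard closing the hole for an already-answered query, not a conduit problem. The addresses, the static mapping and the log line are constructed.

```python
import re

# Port names accepted in conduit statements; the thread notes PIX 5.x uses
# 'domain' where PIX 4.x used 'dns'. Only the names this example needs.
PORT_NAMES = {"domain": 53, "dns": 53}

# The conduit form John quoted: conduit permit udp host <global_ip> eq domain any
CONDUIT = re.compile(r"conduit (?P<action>permit|deny) (?P<proto>tcp|udp) "
                     r"host (?P<gip>[\d.]+) eq (?P<port>\w+) any")

# The syslog form John quoted: %PIX-2-106007: Deny inbound UDP from A/P to B/53 due to DNS Query
DENY_106007 = re.compile(r"%PIX-2-106007: Deny inbound UDP from (?P<src>[\d.]+)/\d+ "
                         r"to (?P<dst>[\d.]+)/(?P<dport>\d+) due to DNS (?P<why>Query|Response)")

def parse_conduit(text):
    m = CONDUIT.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported conduit form: " + text)
    port = PORT_NAMES.get(m["port"]) or int(m["port"])
    return {"action": m["action"], "proto": m["proto"], "gip": m["gip"], "port": port}

def parse_deny(line):
    m = DENY_106007.search(line)
    if not m:
        return None
    return {"proto": "udp", "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "why": m["why"]}

def explain_deny(line, conduits, static_map):
    # static_map translates the inside address in the log to the global address
    # the conduit names (assumed to be taken from the PIX 'static' entries).
    ev = parse_deny(line)
    if ev is None:
        return "not a 106007 message"
    gip = static_map.get(ev["dst"], ev["dst"])
    permitted = any(c["action"] == "permit" and c["proto"] == ev["proto"]
                    and c["gip"] == gip and c["port"] == ev["dport"] for c in conduits)
    if permitted:
        return "conduit permits udp/53 to %s; deny is from the DNS guard" % gip
    return "no conduit permits udp/53 to %s" % gip

# Constructed sample config and log line (addresses are documentation ranges).
CONDUITS = [parse_conduit("conduit permit tcp host 192.0.2.60 eq domain any"),
            parse_conduit("conduit permit udp host 192.0.2.60 eq domain any")]
STATIC = {"10.0.2.110": "192.0.2.60"}  # static (inside,outside) 192.0.2.60 10.0.2.110
LOG = ("Feb 15 2000 13:00:44: %PIX-2-106007: Deny inbound UDP "
       "from 203.0.113.10/10805 to 10.0.2.110/53 due to DNS Query")
if __name__ == "__main__":
    print(explain_deny(LOG, CONDUITS, STATIC))
    print(explain_deny(LOG, CONDUITS[:1], STATIC))  # only the tcp conduit present
```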