On Fri, 18 Feb 2000, Lisa Napier wrote:
> Hi John,
>
> That error message indicates that the PIX has seen this particular DNS
> query ANSWERED previously. Here is the link to the documentation for this
> error message.
Thanks so much, good to have a Cisco person on the list.
> Are you sure this is in response to a zone transfer? I generally expect
> zone transfers via TCP, and sourced from port 53 (though not always), so
> your conduit should work fine. Have you checked your DNS server logs for
> additional clues on why the Zone transfers are failing?
The exact error message I get is:
Feb 16 13:50:19 209.10.40.50 Feb 16 2000 13:44:03: %PIX-2-106007: Deny inbound UDP from 209.10.34.55/15661 to 10.60.2.110/2162 due to DNS Response
I don't understand why it's doing this. 209.10.34.55 is our
secondary at our hosting facility. 10.60.2.110 is our internal NAT
address for our nameserver.
> If the PIX is indeed responding with this error message to a zone transfer
> attempt, something is broken. I would recommend that you open a case with
> the Cisco Technical Assistance Center.
I'm considering it, but I bet it's a simple misconfiguration.
> And, yeah, they changed the keyword on the PIX to be more like router IOS,
> and used the domain keyword instead.
The PIX always looks like it's mid-conversion from PIX to an IOS, but then
again it's all a religious battle. Some people think the PIX should be
less like IOS because it's not a router. Same people complained when the
Catalysts started using IOS too. *shrug*
Thanks for the help.
-john
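As an added example that is not part of the thread above: Lisa's explanation is that %PIX-2-106007 fires when the PIX has already seen an answer for the DNS query in question, so the message is about a second (duplicate) DNS response rather than the zone transfer itself. When troubleshooting this, the first thing a firewall admin wants is the fields pulled out of the syslog line (source host and port, destination host and port) so that, per the thread's remark that DNS traffic normally comes from port 53, the source port of each denied response can be checked and the denials counted per source host. The parser below handles the message format exactly as it appears in the thread; the regular expression, the `SAMPLE_LOGS` list (the first entry is the thread's own line, the rest are constructed) and the function names are assumptions of this example, not Cisco documentation.

```python
import re
from collections import Counter
from typing import Optional

# Pattern for the body of the %PIX-2-106007 message as it appears in the thread.
# This regex is an assumption built from that one sample line, not a Cisco spec.
PIX_106007 = re.compile(
    r"%PIX-2-106007: Deny inbound (?P<proto>\w+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) due to DNS Response"
)


def parse_106007(line: str) -> Optional[dict]:
    """Return the fields of a 106007 denial as a dict, or None for any other line."""
    m = PIX_106007.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


# Constructed sample input. SAMPLE_LOGS[0] is the line John posted (rejoined onto
# one line); the remaining lines are made up for this example and are not real logs.
SAMPLE_LOGS = [
    "Feb 16 13:50:19 209.10.40.50 Feb 16 2000 13:44:03: %PIX-2-106007: Deny inbound UDP "
    "from 209.10.34.55/15661 to 10.60.2.110/2162 due to DNS Response",
    "Feb 16 13:50:21 209.10.40.50 Feb 16 2000 13:44:05: %PIX-2-106007: Deny inbound UDP "
    "from 209.10.34.55/53 to 10.60.2.110/2163 due to DNS Response",
    "Feb 16 13:50:22 209.10.40.50 Feb 16 2000 13:44:06: %PIX-2-106007: Deny inbound UDP "
    "from 192.0.2.7/53 to 10.60.2.110/2164 due to DNS Response",
    # Placeholder for an unrelated PIX message; the ID and text are constructed.
    "Feb 16 13:50:23 209.10.40.50 Feb 16 2000 13:44:07: %PIX-6-999999: constructed non-106007 line",
]


def summarize(lines):
    """Count 106007 denials per source host, and separately count those whose
    source port is not 53 (responses not coming from the usual DNS server port)."""
    per_source = Counter()
    not_from_53 = Counter()
    for line in lines:
        rec = parse_106007(line)
        if rec is None:
            continue  # skip lines that are not 106007 denials
        per_source[rec["src"]] += 1
        if rec["sport"] != 53:
            not_from_53[rec["src"]] += 1
    return per_source, not_from_53


if __name__ == "__main__":
    totals, odd_port = summarize(SAMPLE_LOGS)
    for src, n in totals.most_common():
        print(f"{src}: {n} denied DNS response(s), {odd_port[src]} not sourced from port 53")
```

Running this over the thread's line shows the denied packet came from source port 15661, not 53, which is the kind of detail worth comparing against the DNS server's own logs, as Lisa suggests, before opening a TAC case.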