Network technologies and trends » Cisco ASA

DNS Queries in Windows 2008 R2 Server fails – Part 2

Yasir Irfan — Mon, 25 Apr 2011 05:10:28 +0000

In my previous post I was talking about the DNS query problem we were facing with Windows 2008 R2 server. The solution is quite simple. Immediately I started monitoring the logs in the Cisco PIX 525 firewall using ADSM and syslog. I figured out the DNS queries were replied back from the ISP but were dropped by the Cisco PIX 525 Firewall.

%PIX-4-410001: Dropped UDP DNS reply from outside:x.x.x.x/53 to

inside:y.y.y.y/49746; packet length 768 bytes exceeds configured limit of 512

I was wondering what might be the reason, then figured out the packets received from ISP is of 768 bytes whereas by default the Cisco PIX 525 Firewall allows 512 bytes as shown below.

The problem was with the default DNS inspection policy-map. By default in Cisco PIX 525, Cisco ASA it’s configured to 512 bytes

The moment I changed the default DNS inspection policy-map from 512 bytes to 1000 bytes things were normal the Windows 2008 R2 Server was resolving the DNS queries.

The commands I used to change the default DNS inspection policy-map is as follows.

MBGF-DAC-525-FW01# configure t

MBGF-DAC-525-FW01(config)# class-map inspection_default

MBGF-DAC-525-FW01(config-cmap)# match default-inspection-traffic

MBGF-DAC-525-FW01(config-cmap)# policy-map global_policy

MBGF-DAC-525-FW01(config-pmap)# class inspection_default

MBGF-DAC-525-FW01(config-pmap-c)# inspect dns maximum-length 1000

MBGF-DAC-525-FW01(config-pmap-c)#

Do you know Apple iPhone Supports Cisco VPN Client?

Yasir Irfan — Sun, 22 Nov 2009 12:13:30 +0000

Do you know iPhone supports the Cisco VPN Client?, yes both the iPhone Software versions 2.x and 3.x supports L2TP, PPTP and IPsec type of remote access VPN connectivity. The IPSec option is actually Cisco VPN client software for communicating securely with Cisco ASA and PIX firewall.

According to Cisco only ASA and PIX firewall supports the iPhone Remote Access VPN, where as the Cisco IOS routers and bit older VPN 3000 concentrators will not support the iPhone VPN features.

By using this feature mobile workers can connect remotely to their Enterprise network via secure VPN tunnel using their iPhone. Both the Wi-Fi and Mobile Data Networks can support the iPhone VPN client to set up a tunnel between an iPhone and their Enterprise network. Following authentication methods are supported for establishing the remote VPN tunnel

ü Password

ü RSA SecurID

ü CRYPTOCard

ü Certificate

For more info on how to configure your Cisco ASA firewall do check this link from Cisco Systems.

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iphone.html

How to turn a Cisco Router into ASA..

Yasir Irfan — Wed, 24 Sep 2008 18:27:50 +0000

Guess what your Routers support zone-based policies, which really helps with multi-interface restrictions (rather than just one outside & one inside interface with individual access list applications). Likewise, it now supports application inspection to catch those scandalous peer-to-peer programs.

Courtesy: Cisco

Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy Firewall (ZFW), a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic. For more details do access this document from Cisco.