%PIX-4-410001: Dropped UDP DNS reply from outside:x.x.x.x/53 to

inside:y.y.y.y/49746; packet length 768 bytes exceeds configured limit of 512

I was wondering what might be the reason, then figured out the packets received from ISP is of 768 bytes whereas by default the Cisco PIX 525 Firewall allows 512 bytes as shown below.

The problem was with the default DNS inspection policy-map. By default in Cisco PIX 525, Cisco ASA it’s configured to 512 bytes

The moment I changed the default DNS inspection policy-map from 512 bytes to 1000 bytes things were normal the Windows 2008 R2 Server was resolving the DNS queries.

The commands I used to change the default DNS inspection policy-map is as follows.

MBGF-DAC-525-FW01# configure t

MBGF-DAC-525-FW01(config)# class-map inspection_default

MBGF-DAC-525-FW01(config-cmap)# match default-inspection-traffic

MBGF-DAC-525-FW01(config-cmap)# policy-map global_policy

MBGF-DAC-525-FW01(config-pmap)# class inspection_default

MBGF-DAC-525-FW01(config-pmap-c)# inspect dns maximum-length 1000

MBGF-DAC-525-FW01(config-pmap-c)#

In windows 2008 Server we have specified the DNS forwarder as shown in the below diagram.

But it always fails to resolve the DNS queries from internal network to external network using nslookup command from the command prompt of the Windows 2008 Server as well when we are testing the simple and recursive query to other DNS Servers it’s failing as demonstrated below

We have done the following to

1)      The internal IP address for the Windows 2008 R2 server is PATed in our PIX 525 Firewall, I could browse the internet.

2)      In Windows 2008 R2 Server we have specified the DNS IP Address provided by our ISP.

3)      All our servers in the DMZ zone are working fine.

I am working on this issue; meanwhile if any one of you knows who to resolve this issue, your comments are always welcomed.