dns queries not passing through the pix

Status
Not open for further replies.

smohda

MIS
Jun 29, 2002
7
CA
hello,

DNS queries are not passing through the PIX. My local DNS server is trying to resolve names from outside servers.
My PIX is doing PAT:

nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 209.226.x.y netmask 255.255.255.240
access-list inside_acl permit udp 10.0.0.0 255.0.0.0 any eq domain

When I check the log I see these messages.
I will highly appreciate any help.

305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:206.108.253.66/53
305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:210.132.100.101/53
305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:192.35.51.30/53
305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:198.32.64.12/53
305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:193.0.14.129/53
305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:206.108.253.70/53

thanks,

A.S
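Parsing the 305006 lines above, as an added example that is not part of the thread: it groups the failed translations per source host and service, so you can see at a glance that every DNS query from 10.3.3.7 fails regardless of which outside resolver it targets. The regex, the helper names and the extra 302001 noise line are constructed for this example, not taken from the post.

```python
import re
from collections import Counter, defaultdict

# Matches PIX message 305006 as it appears in the post. search() is used so a
# syslog prefix such as "%PIX-3-305006:" or a timestamp is tolerated (assumed).
XLATE_FAIL_RE = re.compile(
    r"305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_305006(line):
    """Return the message fields as a dict, or None for any other log line."""
    m = XLATE_FAIL_RE.search(line)
    return m.groupdict() if m else None


def summarize_xlate_failures(lines):
    """Group failed translations by (src interface, src IP).

    For each source host, count failures per (proto, dst interface, dst port)
    and collect the distinct destination IPs. A host whose failures are all
    udp/53 towards many different resolvers is failing at translation, not
    at one particular DNS server or ACL entry.
    """
    summary = defaultdict(lambda: {"by_service": Counter(), "dst_hosts": set()})
    for line in lines:
        rec = parse_305006(line)
        if rec is None:
            continue
        host = summary[(rec["src_if"], rec["src_ip"])]
        host["by_service"][(rec["proto"], rec["dst_if"], rec["dst_port"])] += 1
        host["dst_hosts"].add(rec["dst_ip"])
    return {k: {"by_service": dict(v["by_service"]), "dst_hosts": v["dst_hosts"]}
            for k, v in summary.items()}


# Constructed sample: the six lines from the post plus one unrelated message.
SAMPLE_LOG = [
    "305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:206.108.253.66/53",
    "305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:210.132.100.101/53",
    "305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:192.35.51.30/53",
    "305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:198.32.64.12/53",
    "305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:193.0.14.129/53",
    "305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:206.108.253.70/53",
    "302001: Built inbound TCP connection 4711 for faddr 10.190.1.1/1025 gaddr 10.3.3.7/139 laddr 10.3.3.7/139",
]

if __name__ == "__main__":
    for (src_if, src_ip), info in summarize_xlate_failures(SAMPLE_LOG).items():
        print(src_if, src_ip, info["by_service"], len(info["dst_hosts"]), "distinct destinations")
```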
 
HI.

First of all, it is recommended to have an internal DNS server that will act as a caching server and may also provide internal name resolution.

About your problem, the message "portmap translation creation failed" points to something else, not DNS, but rather a translation issue.

So -
What is the pix device and license?
What is the OS version?
How many internal clients? (You can define a client as a host that has a default gateway to the pix and generates any kind of traffic via the pix.)
Is all traffic blocked or just DNS?
Are all hosts blocked or just some?

And post your static commands here. One of them might be overlapping with the global statement.

If you still have the problem, post a more detailed configuration here as well.

Bye
Yizhar Hurwitz
 
hello everyone,

thanks for your reply Yizhar, I have tried to answer your questions

What is the pix device and license?
pix 520 unrestricted license

What is the OS version?
Version 6.1(1)

How many internal clients? (You can define a client as a host that has a default gateway to the pix and generates any kind of traffic via the pix.)
150-200

Is all traffic blocked or just DNS?
is allowed


The DNS server (10.3.3.7) is also a WINS server which is replicating with the corp WINS server on the DMZ (10.190.x.x).

I have a static statement defined in the config to allow communication between inside and DMZ without any translation:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

When I issued a sh xlate, I see:
Global 10.3.3.7 Local 10.3.3.7 static

It could be because of this translation that the DNS queries are not getting translated from inside to outside.

I will highly appreciate any help.

A.S
 
HI.

What is the output of the following:

show nat
show global
show static
show alias
show ip

There is a conflict here:
Global 10.3.3.7 Local 10.3.3.7 static
305006: portmap translation creation failed for udp src inside:10.3.3.7/1238 dst outside:198.32.64.12/53

Try to issue a "clear xlate" command, and/or reboot the pix. Maybe you've made some changes but did not clear the xlate as needed.

Bye
Yizhar Hurwitz
 
hello everyone,

thanks for your reply Yizhar, all the show commands you mention look OK to me.
I was wondering if there is a static mapping from inside to dmz (Global 10.3.3.7 Local 10.3.3.7 static) and
then if the same inside host 10.3.3.7 tries to access some outside host the PIX does not do the PAT.
I don't know if that's how a PIX firewall works.

any help appreciated.

thanks.
