
Firewall blocking NSlookups

Status
Not open for further replies.

agentflicker

IS-IT--Management
May 8, 2001
38
FR
Hello all,

I've a problem with a new firewall I've built to replace our old one. The old firewall is NT40 Firewall-1 ver 4.0 build 4066. The new firewall is NT40 firewall-1 ver 4.0 build 4205. Apart from the different build numbers both firewalls are identical.

When I plug in the new firewall though I cannot do any NSlookups or DNS resolution, so my email server can't send any email. I put in a rule so I could log DNS traffic and can see some sometimes being accepted - but not when I do an NSlookup, I can't even see it being dropped or rejected.

Unfortunately I can't find the old 4066 patch to double check that this is the problem. Anyone got any ideas?

Thanks, Simon.
 
Are you seeing any drops in the logs? If so, what rule?
I would check in the properties setup on the Security Policy tab for an unchecked "Accept Domain Name UDP..." and "Accept Domain Name TCP...". You might have had these checked in the previous firewall. DNS UDP is for resolving and TCP is for zone transfers.
You can either check these depending on what you need. Or you can leave unchecked then only allow DNS traffic to specific DNS servers outside of the Internal LAN. I would create the rule dependent on how your DNS is architected. My rule of thumb is only allow specifically what should be leaving/coming from my network.
 

Thanks for your help everyone. I've sorted it out now.

I had to clear the ARP cache on the router external to the firewall. The router got the new MAC address of the external firewall interface but did not for static NATed addresses, so I could browse and do everything fine that didn't require a static NAT (i.e. just hidden addresses) but because our internal DNS server had a NAT the DNS replies could not find a return path.

Simon.
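
A post-cutover check for the failure Simon describes, added here as an example (not code from the thread or from Check Point): parse the upstream router's ARP table and flag every static NAT address that is missing or still bound to a MAC other than the new firewall's external interface. The table format, addresses and MACs below are constructed.

```python
"""Flag stale ARP entries for static NAT addresses after a firewall swap.

After replacing a firewall, the external router may keep the OLD firewall's
MAC for addresses the firewall answers on behalf of (static NAT / proxy ARP),
so return traffic for those addresses never reaches the new box.
"""
import re

# Constructed sample of a Cisco-style "show ip arp" table (hypothetical values).
ROUTER_ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1           -     0000.0c07.ac01  ARPA   FastEthernet0/0
Internet  203.0.113.10          3     00a0.c9aa.bb01  ARPA   FastEthernet0/0
Internet  203.0.113.25         47     00a0.c9aa.bb00  ARPA   FastEthernet0/0
Internet  203.0.113.26         52     00a0.c9aa.bb00  ARPA   FastEthernet0/0
"""

NEW_FIREWALL_MAC = "00:a0:c9:aa:bb:01"  # constructed: new external interface MAC
# constructed: public addresses that are static NATs behind the firewall
STATIC_NAT_ADDRESSES = {"203.0.113.10", "203.0.113.25", "203.0.113.26", "203.0.113.30"}


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation (aabb.ccdd.eeff, aa:bb:.., aa-bb-..) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_arp_table(text: str) -> dict:
    """Return {ip: normalized_mac} for every ARP row; header and non-matching lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+([0-9a-fA-F.:-]{12,17})", line)
        if m:
            entries[m.group(1)] = normalize_mac(m.group(2))
    return entries


def find_stale_nat_entries(arp_text: str, nat_addresses: set, firewall_mac: str) -> dict:
    """Return {ip: reason} for NAT addresses whose ARP entry is missing or not the firewall's MAC."""
    expected = normalize_mac(firewall_mac)
    arp = parse_arp_table(arp_text)
    problems = {}
    for ip in sorted(nat_addresses):
        if ip not in arp:
            problems[ip] = "no ARP entry (router has not learned it yet)"
        elif arp[ip] != expected:
            problems[ip] = f"stale MAC {arp[ip]} (expected {expected})"
    return problems


if __name__ == "__main__":
    for ip, why in find_stale_nat_entries(ROUTER_ARP_TABLE, STATIC_NAT_ADDRESSES, NEW_FIREWALL_MAC).items():
        print(f"{ip}: {why}")
```

Any address it reports is one whose replies are still being forwarded to the old interface, which is the symptom in the thread: hide-NAT traffic works, static-NAT traffic (here the DNS server) silently gets no return path.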
 