UDP Port 1054

Status
Not open for further replies.

Adr3nalin

MIS
Aug 4, 2002
57
NZ
Hi, I have no idea why the external primary DNS server (port 53) tries to access UDP port 1054 (BVREAD) on the secondary DNS server. Below is the information logged.

2002-09-02 09:08:04,Local4.Warning,172.24.220.124,Sep 02 2002 09:05:48: %PIX-4-106023: Deny udp src outside:dnssvr-ext/53 dst dmz:secdns-ext/1054 by access-group "acl-out"

The question is, do I need to open UDP port 1054?
Thanks in advance for your help.
 
Can you show the acl please?

Seems like that is a source port (1054) rather than a destination. Basically your ACL "acl-out" is out-and-out blocking your DNS server from getting to the external DNS, which you probably have configured in your server's DNS forwarder or proto settings.
 
Hi rubbaninja,

Thanks for replying... this is the access list:

:Internet -> secdns-ext
access-list acl-out permit tcp any host secdns-ext eq smtp
access-list acl-out permit tcp any host secdns-ext eq www
access-list acl-out permit tcp any host secdns-ext eq 443
access-list acl-out permit tcp any host secdns-ext eq 8080
access-list acl-out permit tcp any host secdns-ext eq ftp
access-list acl-out permit tcp any host secdns-ext eq domain
access-list acl-out permit udp any host secdns-ext eq domain

:Secdns-ext -> internet / zz-net / nbz-net
access-list acl-dmz permit udp host secdns-int any eq domain
access-list acl-dmz permit tcp host secdns-int any eq www
access-list acl-dmz permit tcp host secdns-int any eq 443
access-list acl-dmz permit tcp host secdns-int any eq 8080
access-list acl-dmz permit tcp host secdns-int any eq ftp
access-list acl-dmz permit tcp host secdns-int any eq domain
access-list acl-dmz permit tcp host secdns-int any eq smtp

regards and thanks
 
All looks good to me.
access-list acl-dmz permit udp host secdns-int any eq domain
access-list acl-dmz permit tcp host secdns-int any eq domain
access-list acl-out permit tcp any host secdns-ext eq domain
access-list acl-out permit udp any host secdns-ext eq domain

as long as you don't have deny statements before this. You should see counts next to your ACLs when you do a show access-list; that will tell you how many times each has been used.
Also, check your logging for anything suspicious.
 
Hi.

This error seems normal to me and no action needs to be taken.

Your internal DNS server queries the external one.
Sometimes, more than a single query is sent or more than one response is sent back.
The PIX will allow the first response, but might block a second one if it is a response to the same query, or if the DNS guard timed out (the response took too much time to be sent back).

UDP 1054 is a dynamic source port that was used by your internal server, and the packet blocked was a reply from the external server that the PIX DNS guard has decided to block.

More info:

Bye
Yizhar Hurwitz
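The two explanations above (rubbaninja's "check the static ACL and its hit counts" and Yizhar's "it is a late DNS reply to a dynamic port that the DNS guard already closed") can be turned into a small triage script. The following is an added example, not code from the thread or from Cisco: it parses %PIX-4-106023 deny lines like the one posted, checks the denied packet against the posted acl-out lines, and labels denies whose source port is 53 and whose destination port is in the server's dynamic range as probable stale DNS replies. The regexes, the function names, the EPHEMERAL_MIN threshold and the second and third sample log lines are assumptions constructed for the example; only the first log line and the ACL text come from the thread.

```python
"""Triage %PIX-4-106023 deny entries for DNS return traffic (added example)."""
import re
from typing import Dict, List, Optional

# Regex for the 106023 message body in the format of the posted log line.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>tcp|udp) '
    r'src (?P<sif>[^:\s]+):(?P<shost>[^/\s]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dhost>[^/\s]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Only the simple "permit <proto> any|host X any|host Y eq <port>" form used in
# the thread is parsed; any other ACL syntax is ignored by this example.
ACL_RE = re.compile(
    r'access-list (?P<acl>\S+) permit (?P<proto>tcp|udp) '
    r'(?P<src>any|host \S+) (?P<dst>any|host \S+) eq (?P<port>\S+)'
)

# Service names appearing in the posted ACL, mapped to their IANA ports.
PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "ftp": 21}

# acl-out exactly as posted in the thread (Internet -> secdns-ext).
ACL_OUT = """\
access-list acl-out permit tcp any host secdns-ext eq smtp
access-list acl-out permit tcp any host secdns-ext eq www
access-list acl-out permit tcp any host secdns-ext eq 443
access-list acl-out permit tcp any host secdns-ext eq 8080
access-list acl-out permit tcp any host secdns-ext eq ftp
access-list acl-out permit tcp any host secdns-ext eq domain
access-list acl-out permit udp any host secdns-ext eq domain
"""

# Constructed samples: the first is the posted line, the other two are made up
# (documentation addresses) to exercise the remaining branches.
SAMPLE_LOGS = [
    '2002-09-02 09:08:04,Local4.Warning,172.24.220.124,Sep 02 2002 09:05:48: '
    '%PIX-4-106023: Deny udp src outside:dnssvr-ext/53 dst dmz:secdns-ext/1054 '
    'by access-group "acl-out"',
    '2002-09-02 09:09:10,Local4.Warning,172.24.220.124,Sep 02 2002 09:06:54: '
    '%PIX-4-106023: Deny udp src outside:203.0.113.9/40000 dst dmz:secdns-ext/53 '
    'by access-group "acl-out"',
    '2002-09-02 09:10:00,Local4.Warning,172.24.220.124,Sep 02 2002 09:07:44: '
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/4433 dst dmz:secdns-ext/135 '
    'by access-group "acl-out"',
]

EPHEMERAL_MIN = 1024  # assumed lower bound of the resolver's dynamic port range


def port_number(token: str) -> int:
    """Map a PIX service name or numeric string to a port number."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown service name: {token}")


def parse_deny(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 106023 deny line, or None if it is not one."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def parse_acl(text: str) -> List[Dict[str, str]]:
    """Parse the permit lines of an ACL dump, keeping their order."""
    entries = []
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def acl_permits(entries, acl: str, proto: str, dhost: str, dport: int) -> bool:
    """True if a permit in `acl` matches the protocol and destination host/port.
    The source is treated as 'any'; first match wins, as on the PIX."""
    for e in entries:
        if e["acl"] != acl or e["proto"] != proto:
            continue
        if e["dst"] != "any" and e["dst"] != f"host {dhost}":
            continue
        if port_number(e["port"]) == dport:
            return True
    return False


def classify(line: str, entries) -> str:
    """Label one deny line by the most likely reason it was dropped."""
    d = parse_deny(line)
    if d is None:
        return "not_a_106023_deny"
    sport, dport = int(d["sport"]), int(d["dport"])
    if acl_permits(entries, d["acl"], d["proto"], d["dhost"], dport):
        # The static ACL permits this flow, so the drop must come from an
        # earlier entry: review ordering and the show access-list hit counts.
        return "permitted_by_acl_check_ordering"
    if d["proto"] == "udp" and sport == 53 and dport >= EPHEMERAL_MIN:
        # Answer from a DNS server to a dynamic port: the pinhole opened by the
        # outbound query is already closed (DNS guard or timeout), so a late or
        # duplicate reply falls through to the static ACL. No ACL change needed.
        return "stale_dns_reply"
    if dport == 53:
        return "dns_query_blocked"
    return "unsolicited_inbound"


def triage(lines, acl_text: str = ACL_OUT) -> List[str]:
    entries = parse_acl(acl_text)
    return [classify(line, entries) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOGS, triage(SAMPLE_LOGS)):
        print(f"{verdict:32} {line.split(': ', 1)[1]}")
```

Running the script labels the posted line as a stale DNS reply, which is the "no action needed" outcome Yizhar describes; only a query to port 53 with no matching permit, or a drop of traffic the ACL visibly permits (pointing at an earlier deny entry), would justify touching the ACL.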
 