Security Basics mailing list archives

R: [Fwd: Re: Pix to ASA migration]


From: "Massimo Baschieri" <massimo.baschieri () re-ti it>
Date: Thu, 5 Oct 2006 07:29:01 +0200

This was sent to me off list.  I didn't look at the inspect mapping. That
also could be a cause.

It could well be a cause because of other protocols or because of the IPs,
not because of DNS, not under normal conditions.
DNS inspection is only there to check for abuse of the protocol, not for
normal use; DNS doesn't need any special treatment by a firewall like FTP or
H.323 does, it should work like a charm without any inspection.
Bye,
    Tosh.

-------- Original Message --------
Subject: Re: Pix to ASA migration
Date: Wed, 04 Oct 2006 04:26:11 -0700
From: Joseph Jenkins <maillist () breathe-underwater com>
To: Craig Van Tassle <craig () codestorm org>

You have to have the inspect turned on for DNS or it won't work.  DNS goes
out on one port and then comes back in on another.  You have to specifically
tell the PIX/ASA how to handle that type of traffic.  Here is a cutout of my
config with the correct inspect statements:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp



On 10/2/06 2:13 PM, "Craig Van Tassle" <craig () codestorm org> wrote:


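As an added example (not from the thread and not Cisco code), here is a small Python checker for the config shape quoted above: it parses the policy-map/class hierarchy of an ASA running-config, finds the policy bound with `service-policy ... global`, and reports whether DNS inspection is actually in effect and with what `maximum-length`. The sample config is constructed, and the `service-policy` binding line is an assumption since the post omits it; without that line none of the inspect statements apply to traffic.

```python
import re
# Constructed sample in the shape of the config quoted in the thread, plus an assumed
# "service-policy ... global" line that binds the policy-map to every interface
# (the post omits it; without it the inspect statements are not in effect).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 h225
!
service-policy asa_global_fw_policy global
"""

def parse_policy_maps(config):
    """Return {policy_map: {class: [inspect args]}}; indentation is structural in ASA config."""
    policies, pm, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indent, word = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:
            pm = cls = None
            m = re.fullmatch(r"policy-map (\S+)", word)  # skips "policy-map type inspect ..."
            if m:
                pm = m.group(1)
                policies[pm] = {}
        elif indent == 1 and pm is not None:
            m = re.fullmatch(r"class (\S+)", word)
            cls = m.group(1) if m else None
            if cls:
                policies[pm][cls] = []
        elif indent >= 2 and pm and cls and word.startswith("inspect "):
            policies[pm][cls].append(word[len("inspect "):])
    return policies

def dns_inspection_status(config):
    """Report whether the globally applied policy inspects DNS and with what length cap."""
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    gp = m.group(1) if m else None
    inspects = [a for c in parse_policy_maps(config).get(gp, {}).values() for a in c]
    dns = [a for a in inspects if a.split()[0] == "dns"]
    length = re.search(r"maximum-length (\d+)", dns[0]) if dns else None
    return {"global_policy": gp, "dns_inspected": bool(dns),
            "max_length": int(length.group(1)) if length else None,
            "protocols": sorted({a.split()[0] for a in inspects})}
```

Feed it the output of `show running-config` from a unit and compare the `protocols` list against what the migrated PIX had under `fixup protocol`.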
---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




