Dear All,

I am sorry and do apologize for posting this query here, but I do understand that there are definitely some guys out there who would help me out.

I have been using shorewall for quite some time and it's an excellent product. Due to my company re-organisation and policies we have purchased a new Cisco ASA firewall: Cisco ASA 5520 series, IOS ver 8.2. My earlier Linux shorewall firewall was used in 2 interface mode, so I just had an exact replica of the rules and put the ASA online.

Everything was working, but from the outside world our internal public websites could not be reached. Also mail from yahoo or google bounced back, and we were also not able to send mail to yahoo. We do have our own DNS server using bind 9 hosting a couple of websites. I reverted back to my shorewall firewall and things were working fine.

Then I just got the clue of message size for ASA, that is, the last server which was rolled to DNSSEC and the message length has to be increased to 4096. So I did the following on my ASA just to check. I ran

  sh run policy-map type inspect dns

and it showed me message length maximum 512. So I did the change:

  conf t
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 4096
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map

and then the show run policy-map was showing me message length maximum as 4096. Then I put my firewall online and it was working; I mean I did send mail to yahoo from my mail server and also replied, and it worked fine. But after 30 minutes our network became very very slow, as if crawling. I removed the Cisco ASA network cables and reverted back to my shorewall firewall and all was well immediately. Then also one of the users called me that the website was not working.

Then I found that my immediate upstream ISP DNS was not able to resolve the sites for which my DNS server is authoritative. I tried to resolve from google public DNS (8.8.8.8) and I could resolve it. Calling the ISP DNS admin, he said he would check, and after 4 hrs the ISP DNS could resolve my website. He told me that he had to update his DNS server and that I had changed the IP address of my web sites or my DNS server had a problem, which was neither.

Now I'm just wondering what exactly could be the problem, since I don't want to put the Cisco ASA online without being positive that it's gonna work smooth. Also I'm wondering, did this change in the ASA firewall make some change in my ISP DNS?

Also after googling I see that the change is not required, and some posts say instead of just having the message-length maximum 4096 I could have

  message-length maximum client auto
  message-length maximum 512

Now I am just wondering how I could go about this. I would highly appreciate if someone could help me. Also if there is some problem in my network I can go back to the old one, but if something changes in my ISP DNS it's something very serious, because it would take huge time, and they are very slow in response.

regards
simon
--
Network ADMIN
KUWAIT MUNICIPALITY

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

------------------------------------------------------------------------------
Achieve Improved Network Security with IP and DNS Reputation. Defend against bad network traffic, including botnets, malware, phishing sites, and compromised hosts - saving your company time, money, and embarrassment. Learn More! http://p.sf.net/sfu/hpdev2dev-nov
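As an added example (not from Simon's post and not Cisco code), a small Python model of how the three message-length settings mentioned above interact with EDNS0: it builds a DNS query in wire format, reads the UDP payload size the client advertises in its OPT record, and decides whether a response of a given size would pass each policy. Treating "client auto" as "take the limit from the client's OPT RR, else 512" is my reading of the ASA behaviour and is an assumption, as are all function names.

```python
import struct

DEFAULT_DNS_MAX = 512  # limit assumed when the client advertises no EDNS0 buffer size

def build_query(name, edns_payload=None):
    """Constructed DNS query (wire format), optionally with an EDNS0 OPT RR (RFC 6891)."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns_payload:
        # OPT RR: root owner name, TYPE 41, CLASS field carries the UDP payload size, TTL 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return msg

def _skip_name(msg, off):
    """Offset just past the domain name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns_payload_size(query):
    """UDP payload size from the query's OPT RR, or None if the client sent no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4  # skip QTYPE and QCLASS
    for i in range(an + ns + ar):
        off = _skip_name(query, off)
        rtype, rclass = struct.unpack("!HH", query[off:off + 4])
        if i >= an + ns and rtype == 41:  # OPT lives in the additional section
            return rclass
        off += 10 + struct.unpack("!H", query[off + 8:off + 10])[0]  # type,class,ttl,rdlen + rdata
    return None

def effective_limit(policy, query):
    """Largest DNS message the inspection passes for this query. 'client auto' is
    modelled as: use the size the client advertised, else DEFAULT_DNS_MAX (assumption)."""
    fixed = {"maximum 512": 512, "maximum 4096": 4096}
    if policy in fixed:
        return fixed[policy]
    if policy == "client auto":
        return edns_payload_size(query) or DEFAULT_DNS_MAX
    raise ValueError("unknown policy: " + policy)

def response_allowed(policy, query, response_len):
    return response_len <= effective_limit(policy, query)
```

A DNSSEC-signed answer of, say, 1200 bytes is dropped under "maximum 512" but passes under "maximum 4096" or under "client auto" when the resolver advertised 4096; a legacy resolver that sends no OPT RR is held to 512 under "client auto".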
On Wed, 2010-11-03 at 13:03 +0300, Benedict simon wrote:
> Dear All,
>
> I am sorry and do apologize for posting this query here but do understand
> that there are definitely some guys out there who would help me out

Since this seems to be entirely about some Cisco product, I am sure Cisco would help you out too, wouldn't they?

b.
> so i did the change: conf t
>> policy-map type inspect dns preset_dns_map
>> parameters
>> message-length maximum 4096
>> policy-map global_policy
>> class inspection_default
>> inspect dns preset_dns_map
> and then the show run policy-map was showing me message length maximum as
> 4096
>

Here I see agony ...

Well, a quick and dirty masquerading solution would be ... Make sure you configure the CISCO ASA as a router .. that is ... have all in->out allow any and out->in allow any, and then behind the ASA re-install your shorewall box. That is to get your managers happy since they paid for it (they are the people who insisted on a Cisco change, right???) and for you to find enough time to get support from Cisco ($$$$$ after all, Cisco people need to make money too + money goes into the IT field) + knowledge to configure the thing yourself ...

Good luck. (you'll need it).