Dear All,
I am sorry and do apologize for posting this query here, but I do understand
that there are definitely some guys out there who would help me out.
I have been using Shorewall for quite some time and it's an excellent product.
Due to my company re-organisation and policies we have purchased a new
Cisco ASA firewall: Cisco ASA 5520 series, IOS ver 8.2.
My earlier Linux Shorewall firewall was used in 2-interface mode,
so I just had an exact replica of the rules and put the ASA online.
Everything was working, but from the outside world our internal public
websites could not be reached. Also mail from Yahoo or Google bounced back,
and we were also not able to send mail to Yahoo.
We do have our own DNS server using BIND 9 hosting a couple of websites.
I reverted back to my Shorewall firewall and things were working fine.
Then I just got the clue about message size for the ASA: that is, the last server
which was rolled to DNSSEC, and the message length has to be increased to
4096.
So I did the following on my ASA.
Just to check, I ran
sh run policy policy-map type inspect dns
and it showed me message length maximum 512.
So I did the change:
conf t
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 4096
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
and then show run policy-map was showing me message length maximum as
4096.
Then I put my firewall online and it was working; I mean I did send mail to
Yahoo from my mail server and also replied, and it worked fine.
But after 30 minutes our network became very, very slow, as if crawling.
I removed the Cisco ASA network cables and reverted back to my Shorewall
firewall, and all was well immediately.
Then also one of the users called me to say that the website was not working.
Then I found that my immediate upstream ISP DNS was not able to resolve the
sites for which my DNS server is authoritative.
I tried to resolve from Google public DNS (8.8.8.8) and I could resolve it.
Calling the ISP DNS admin, he said he would check, and after 4 hrs the ISP
DNS could resolve my website. He told me that he had to update his DNS
server and that I had changed the IP address of my websites or my DNS
server had a problem, which was neither.
Now I'm just wondering what exactly could be the problem,
since I don't want to put the Cisco ASA online without being positive that
it's gonna work smoothly.
Also I'm wondering whether this change in the ASA firewall made some change in
my ISP DNS.
Also after googling I see that the change is not required,
and some posts say instead of just having the message length maximum at 4096
I could have
message-length maximum client auto
message-length maximum 512
Now I am just wondering how I could go about this.
I would highly appreciate it if someone could help me.
Also, if it is some problem in my network, I can go back to the old one,
but if something changes in my ISP DNS it's something very serious, because it
would take a huge time, and they are very slow in response.
regards
simon
--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:
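The post above turns on one mechanism: a DNSSEC-signed answer carries RRSIG records and easily exceeds the classic 512-byte UDP limit, and ASA DNS inspection drops UDP DNS messages longer than its configured message-length maximum. The following is an added example written for this thread; it is not code from the post, from Shorewall or from Cisco. It builds a constructed response for a made-up zone (www.example.com, a padded RRSIG standing in for a real signature, an EDNS0 OPT record advertising 4096 bytes), parses the OPT buffer size back out, and models the three ASA settings discussed (fixed 512, fixed 4096, and "client auto"). The modelled semantics of "client auto" (take the limit from the buffer size the client advertised in its EDNS0 OPT record, fall back to 512 without one) is my reading of the option, stated as an assumption, not Cisco's implementation.

```python
import struct

# Constructed sample data for this example; not from the original post.
QNAME = "www.example.com."
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
RR_FIXED = struct.Struct("!HHIH")   # type, class, ttl, rdlength


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rrsig_len, edns_bufsize=None):
    """Build a DNSSEC-style UDP answer: one A record plus an RRSIG whose RDATA
    is padded to rrsig_len bytes (a real signature is a few hundred bytes),
    optionally followed by an EDNS0 OPT record advertising the given UDP
    payload size. Constructed sample, not real zone data."""
    arcount = 1 if edns_bufsize is not None else 0
    msg = HEADER.pack(0x1234, 0x8400, 1, 2, 0, arcount)   # flags: QR=1, AA=1, RCODE=0
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    msg += encode_name(qname) + RR_FIXED.pack(TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
    msg += encode_name(qname) + RR_FIXED.pack(TYPE_RRSIG, CLASS_IN, 300, rrsig_len) + b"\x00" * rrsig_len
    if edns_bufsize is not None:
        # OPT RR (RFC 6891): root name, type 41; the CLASS field carries the UDP payload size.
        msg += b"\x00" + RR_FIXED.pack(TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def skip_name(msg, offset):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # a 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def edns_bufsize(msg):
    """Return the UDP payload size advertised in the message's OPT record, or None."""
    _, _, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    off = HEADER.size
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = RR_FIXED.unpack_from(msg, off)
        off += RR_FIXED.size + rdlen
        if rtype == TYPE_OPT:
            return rclass
    return None


def asa_verdict(response, configured_max, client_bufsize=None):
    """Model of the ASA DNS inspection length check (assumption: my reading of
    the option, not Cisco code). A fixed 'message-length maximum N' drops any
    UDP DNS message longer than N bytes; 'message-length maximum client auto'
    takes the limit from the EDNS0 buffer size the client advertised in its
    query, falling back to 512 bytes when the client sent no OPT record.
    Returns (verdict, message_length, limit_applied)."""
    if configured_max == "client auto":
        limit = client_bufsize if client_bufsize else 512
    else:
        limit = configured_max
    verdict = "pass" if len(response) <= limit else "drop"
    return verdict, len(response), limit


if __name__ == "__main__":
    plain = build_response(QNAME, rrsig_len=0)                       # pre-DNSSEC sized answer
    signed = build_response(QNAME, rrsig_len=600, edns_bufsize=4096)  # DNSSEC sized answer
    print("unsigned answer, max 512:", asa_verdict(plain, 512))
    print("signed answer, max 512:", asa_verdict(signed, 512))
    print("signed answer, max 4096:", asa_verdict(signed, 4096))
    print("server advertised EDNS buffer:", edns_bufsize(signed))
    # Constructed: the resolver put 4096 in its own query's OPT record.
    print("signed answer, client auto:", asa_verdict(signed, "client auto", client_bufsize=4096))
    print("signed answer, client auto, no client OPT:", asa_verdict(signed, "client auto"))
```

Running it shows why the two symptoms differ: the unsigned-size answer (91 bytes) passes a 512-byte limit, while the signed answer (702 bytes) is dropped at 512, passes at 4096, and under "client auto" passes only for resolvers that advertise an EDNS0 buffer, which is the case that the combined "client auto" plus "512" configuration from the thread is meant to cover.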
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users