topic Re: resolving URL's from DMZ in Network Security

resolving URL's from DMZ

boondocker — Mon, 11 Mar 2019 09:40:34 GMT

I have a pix firewall (515e) and a windows computer on the DMZ that has it's default DNS pointing to a server on the inside allowing connection to key computers on the inside. I need to connect to the internet from this DMZ computer as well on the outside but unfortunately I can't resolve any URL's. Any ideas? thanks!

Re: resolving URL's from DMZ

acomiskey — Thu, 01 Mar 2007 21:35:11 GMT

Either use external dns for dmz machines or write an acl allowing dns traffic from dmz to inside dns servers.

Re: resolving URL's from DMZ

boondocker — Thu, 01 Mar 2007 22:15:52 GMT

If I use an external dns (set the computers default dns to point to the outside dns server), I will loose dns resolution to the inside computers. I need to resolve dns both ways.

Re: resolving URL's from DMZ

Jon Marshall — Thu, 01 Mar 2007 22:30:34 GMT

How many of the key systems does the server in the DMZ need to talk to. Hopefully not too many 🙂

If it is a few key systems you could use the local hosts file for these servers and then point your windows server to DNS servers on the Internet for resolution of all other servers.

It's not a pretty solution and it depends on how many servers you need to talk to on the inside.

HTH

Jon

Re: resolving URL's from DMZ

boondocker — Fri, 02 Mar 2007 18:34:52 GMT

Thanks for the replies...unfortunately using hosts files still doesn't work...seems to get confused and net result is that the focus appears to be on the gateway setting.

Re: resolving URL's from DMZ

acomiskey — Fri, 02 Mar 2007 18:42:08 GMT

Host files get checked before resolving to dns server. What do you mean by "seems to get confused and net result is that the focus appears to be on the gateway setting."

Re: resolving URL's from DMZ

boondocker — Fri, 02 Mar 2007 19:10:40 GMT

When I point my dmz computers default gateway to the outside DNS, internet access works fine. With hosts file setup with all my inside hosts I'm having problems connecting to my DC (which is on the inside). When I change my dmz computers default gateway to the inside DNS and disable the hosts file, i cannot connect to the outside internet but I have full access to the DC. It's sounds pretty straight forward and I figured it would work ...not sure if I'm doing something wrong here.

Re: resolving URL's from DMZ

acomiskey — Fri, 02 Mar 2007 19:15:59 GMT

By "default gateway" I assume you mean "default dns"?

Re: resolving URL's from DMZ

boondocker — Fri, 02 Mar 2007 19:19:36 GMT

yes...typo

Re: resolving URL's from DMZ

acomiskey — Fri, 02 Mar 2007 19:22:35 GMT

what does your access-list look like that is applied "in interface dmz"?

Re: resolving URL's from DMZ

boondocker — Fri, 02 Mar 2007 19:32:27 GMT

My Inside security level = 100

My DMZ security level = 100

My Outside security level = 0

access-list DMZ_access_in extended permit tcp any any eq www

access-list dmz_access_in extended permit icmp any any

access-list OUTSIDE_access_in extended permit tcp any any eq sqlnet

access-list OUTSIDE_access_in extended permit tcp any any eq 522

access-list OUTSIDE_access_in extended permit tcp any any eq 1731

access-list OUTSIDE_access_in extended permit tcp any any eq 1503

access-list OUTSIDE_access_in extended permit tcp any any eq ldap

access-list OUTSIDE_access_in extended permit tcp any any eq h323

access-list OUTSIDE_access_in extended permit tcp any any eq 3389

Re: resolving URL's from DMZ

acomiskey — Fri, 02 Mar 2007 19:34:56 GMT

If you want to allow dmz machines to access inside machines, it has to be permitted in your DMZ_access-in acl. For instance, dns.

access-list DMZ_access_in extended permit udp any host eq 53

Re: resolving URL's from DMZ

boondocker — Fri, 02 Mar 2007 19:37:52 GMT

Does my access level of 100 for both dmz and inside not allow free flow of traffic without acl?

Re: resolving URL's from DMZ

acomiskey — Fri, 02 Mar 2007 19:40:51 GMT

oh, i skimmed over that. It depends on what code your pix is, 7 will allow it, 6 will not.

Re: resolving URL's from DMZ

boondocker — Fri, 02 Mar 2007 19:40:54 GMT

...also, when I'm setup this way I can still connect to all inside computers including my DNS.

Re: resolving URL's from DMZ

boondocker — Fri, 02 Mar 2007 19:42:11 GMT

...I'm at 7

Re: resolving URL's from DMZ

acomiskey — Fri, 02 Mar 2007 19:46:27 GMT

So, everything works fine but you can't get to the internet? Are these windows machines? Do you know how to do an nslookup?

Re: resolving URL's from DMZ

boondocker — Fri, 02 Mar 2007 19:50:18 GMT

Yes, I've run nslookup. When my dns is set for the outside I can resolve any url. when my dns is set for the inside nslookup can't find url (which makes sense).

Re: resolving URL's from DMZ

acomiskey — Fri, 02 Mar 2007 19:52:42 GMT

Why would that make sense, you are pointing to an inside dns server?

Re: resolving URL's from DMZ

jspringfield — Fri, 16 Mar 2007 17:44:51 GMT

A couple of things.

While not nessicarily secure (as the above list is not) you can add this and it should fix your problem...

access-list dmz_access_in extended permit tcp any any eq domain

access-list dmz_access_in extended permit udp any any eq domain