topic DNS issues through PIX in Network Security

DNS issues through PIX

timh — Mon, 11 Mar 2019 20:59:57 GMT

This is my first time configuring a pix. Once connected, I can ping through the pix using an ip address, but when it comes to connecting to alpha addresses, it fails. Through the asdm logs, the pix does contact the DNS server. I assume it's a DNS issue, but I don't know what I'm missing. Below is the config. Any help would be appreciated.

LAN--L2 Switch--Pix515--cable modem--isp

PIX Version 8.0(4)

hostname pix515

domain-name example.com

enable password <omitted> encrypted

passwd <omitted> encrypted

names

interface Ethernet0

nameif outside

security-level 0

ip address dhcp setroute

interface Ethernet1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

ftp mode passive

dns server-group DefaultDNS

domain-name example.com

access-list outside_access_in extended permit ip 10.0.0.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image flash:/asdm-61551.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

dhcpd address 10.0.0.20-10.0.0.254 inside

dhcpd dns x.x.x.x interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server x.x.x.x

username admin password <omitted> encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum server auto

message-length maximum client auto

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:

806a71054e94151e2dfb454d7a089e52
: end

DNS issues through PIX

Jennifer Halim — Sun, 17 Jul 2011 23:39:09 GMT

1) Where are you trying to ping to and from? Pls share IP Address and DNS name that you try to ping.

2) Where is the DNS server and what is the DNS server IP Address?

3) If you are doing "nslookup" to the hostname, and DNS server does it use and what does it resolve to?

4) Lastly, If the ASDM logs can see DNS request that means the initial request is going through, what about the DNS reply? Does the ASA see the DNS reply? You can check that with packet capture on the ASA interface.

DNS issues through PIX

timh — Mon, 18 Jul 2011 00:01:02 GMT

Thanks for your reply Hopefully this will answer questions.

1) the successful ping was from a PC on the LAN to an external ip (one used by my work)

2) the DNS server is my ISP's DNS server 63.13.16.30 (which was included on the "dhcpd dns x.x.x.x interface inside" command above)

3) my "test" was to go to a web page from the same PC that could sucessfully ping to the outside world.

4) maybe this will be different, but asdm can see the "built" & "teardown" of connection to the DNS server (63.13.16.30). The packet capture will need to be done later, since I will have to take down my current network that is currently in use.

DNS issues through PIX

praprama — Thu, 28 Jul 2011 19:57:35 GMT

Hi Tim,

Instead of opening a browser, try opening a command window on your PC and trynig nslookup for a URL, like google.com. Also, try changing the DNS server to 4.2.2.2 and see if it works.

Regards,

Prapanch

DNS issues through PIX

Julio Carvajal — Thu, 28 Jul 2011 23:54:03 GMT

Hello Tim

So lets see if I understood your question. You want to ping a website by the URL right?

You said your DNS its on the outside (ISP)

So try this two commands and let me know how it goes?

dns domain-lookup outside

dns name-server 4.2.2.2

Regards