topic Re: PIX 501 DNS Resolution with static route in Network Security

PIX 501 DNS Resolution with static route

dylanvendlink — Fri, 21 Feb 2020 07:14:27 GMT

I am using a pix 501.

I have an internal DNS server behind this pix that uses my ISPs DNS servers to resolve external domains.

I now want to host a web site from the same server.

In order to allow external access to the web server I add the following:

access-list outside_in_http permit tcp any host A.B.C.D eq www

static (inside,outside) A.B.C.D L.M.N.O netmask 255.255.255.255 0 0

access-group outside_in_http in interface outside

this is all well and good and allows web access. The problem is that the server can no longer resolve DNS queries.

How can I allow my server to resolve DNS again in a secure way. I imagine this is quite simple to achieve but I am having great difficulty in finding the solution.

thanks in advance

Dylan

Re: PIX 501 DNS Resolution with static route

jose.couto — Thu, 12 Feb 2004 15:24:33 GMT

Dylan,

Is there any access-list applied in the inside interface? Have you tried to 'clear xlate' after setting the static? Have you searched PIX's logs for connection rejections?

Regards.

Re: PIX 501 DNS Resolution with static route

baileja — Thu, 12 Feb 2004 16:40:37 GMT

Do you have the following in your acl?

access-list outside_in_http permit udp any host A.B.C.D eq 53

This will allow DNS queries from your inside box.

Re: PIX 501 DNS Resolution with static route

clark.d — Thu, 12 Feb 2004 17:32:01 GMT

Who can't resovle?? Th internal web server can't resovle external addresses or the outside can't resovle web server address?

Re: PIX 501 DNS Resolution with static route

dylanvendlink — Fri, 13 Feb 2004 13:39:08 GMT

The internal wev server cant resolve external addresses.

Re: PIX 501 DNS Resolution with static route

dylanvendlink — Fri, 13 Feb 2004 14:04:31 GMT

I have tried the following which I believe should achieve the same thing - or am i missing something here?

names

name X.X.X.X eircomdns1

name L.M.N.O webserver

access-list outside_access_in permit tcp any host A.B.C.D eq www

access-list outside_access_in permit tcp host eircomdns1 host A.B.C.D eq domain

access-list outside_access_in permit udp host eircomdns1 host A.B.C.D eq domain

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) A.B.C.D webserver netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

Re: PIX 501 DNS Resolution with static route

clark.d — Fri, 13 Feb 2004 14:37:59 GMT

If the inside web server can't resovle external, verify DNS is set correctly on inside server....it should be pointed to and outside DNS server or have forwarders turned on. If your web server is pointed to itself for DNS make sure to define a forwarder or make sure it has a root hints file.

Re: PIX 501 DNS Resolution with static route

baileja — Fri, 13 Feb 2004 14:39:38 GMT

I am a little confused here, I though your DNS and webserver where on the same box yet you have seperate statements defining them? Also, is your dns having problem resolving outside addresses or is it having problem resolving external queries for inside addresses? The second and third ACL line you have listed allows dns queries originating from outside. It would be much more helpful if you posted your entire config, your orginal posting had only one line and this one only has three to your acl. I think we can verify your config if it were posted.

Re: PIX 501 DNS Resolution with static route

dylanvendlink — Fri, 13 Feb 2004 15:13:44 GMT

dns resolution works ok on the inside server until i add the static route to allow inbound http access

Re: PIX 501 DNS Resolution with static route

dylanvendlink — Fri, 13 Feb 2004 15:18:41 GMT

sorry about that

I changed the naming when reconfiguring, I will post entire config in follow up to my original message.

Re: PIX 501 DNS Resolution with static route

dylanvendlink — Fri, 13 Feb 2004 15:40:09 GMT

I am including my full config as it currently stands.

I have taken out the rules allowing udp & tcp connections from the external dns servers as I only want to allow the following:

1) all inside access out (default rule)

2) http access in to my web server (which also happens to be my dns server) from outside

3) my internal server (web & dns) needs to resolve dns by forwarding dns lookups to my ISPs servers.

The problem is that when I put in the static and create the access-list and access-group to allow incoming http access then my DNS lookups stop working

Building configuration...

: Saved

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXX encrypted

passwd XXX encrypted

hostname pixfirewall

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name X.X.X.X eircomdns1

name X.X.X.X eircomdns2

name L.M.N.O webserver

access-list outside_access_in permit tcp any host A.B.C.D eq www

pager lines 24

logging on

logging console debugging

logging monitor debugging

logging trap warnings

logging host inside webserver

mtu outside 1500

mtu inside 1500

ip address outside A.B.C.E 255.255.255.0

ip address inside L.M.N.P 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location webserver 255.255.255.255 inside

pdm location eircomdns1 255.255.255.255 outside

pdm location eircomdns2 255.255.255.255 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) A.B.C.D webserver netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 L.M.N.Q 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http A.B.C.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet A.B.C.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address XXXXXX-XXXXXX inside

dhcpd dns eircomdns1 eircomdns2

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain vendlink.internal

dhcpd auto_config outside

dhcpd enable inside

username admin password XXXX encrypted privilege 15

terminal width 80

Cryptochecksum:xxxxx

: end

[OK]

Re: PIX 501 DNS Resolution with static route

jmia — Fri, 13 Feb 2004 16:20:21 GMT

Hi..

Have you got any syslog messages that you can provide?

If you haven't then do:

In config mode -

>logging on

>logging buffer debug

>sho logging

Please post the results,

Thanks - Jay.

Re: PIX 501 DNS Resolution with static route

dylanvendlink — Fri, 13 Feb 2004 18:45:53 GMT

710005: UDP request discarded from 192.168.2.9/138 to outside:192.168.2.255/netb

ios-dgm

302016: Teardown UDP connection 58867 for outside:159.134.237.6/53 to inside:192

.168.1.20/1069 duration 0:02:01 bytes 36

106015: Deny TCP (no connection) from 216.155.193.154/25 to 192.168.2.10/1085 fl

ags FIN PSH ACK on interface outside

302015: Built outbound UDP connection 58879 for outside:159.134.237.6/53 (159.13

4.237.6/53) to inside:192.168.1.20/1069 (192.168.2.10/1069)

305012: Teardown dynamic UDP translation from inside:192.168.1.34/1033 to outsid

e:192.168.2.3/20765 duration 0:00:31

305012: Teardown dynamic UDP translation from inside:192.168.1.34/851 to outside

:192.168.2.3/658 duration 0:00:31

305012: Teardown dynamic UDP translation from inside:192.168.1.34/3153 to outsid

e:192.168.2.3/20766 duration 0:00:31

305012: Teardown dynamic UDP translation from inside:192.168.1.34/218 to outside

:192.168.2.3/215 duration 0:00:31

305012: Teardown dynamic UDP translation from inside:192.168.1.34/3154 to outsid

e:192.168.2.3/20767 duration 0:00:31

305012: Teardown dynamic UDP translation from inside:192.168.1.34/219 to outside

:192.168.2.3/216 duration 0:00:31

305012: Teardown dynamic UDP translation from inside:192.168.1.34/3155 to outsid

e:192.168.2.3/20768 duration 0:00:31

305012: Teardown dynamic UDP translation from inside:192.168.1.34/220 to outside

:192.168.2.3/217 duration 0:00:31

Re: PIX 501 DNS Resolution with static route

baileja — Fri, 13 Feb 2004 19:22:42 GMT

try adding the following command to enable DNS Guard. This may solve your problem (what OS is your DNS server, I am assuming windows 2003)

fixup protocol dns maximum-length 512

Read the following command for details.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.pdf

Re: PIX 501 DNS Resolution with static route

dylanvendlink — Mon, 16 Feb 2004 09:54:32 GMT

fixup protocol dns maximum-length 512

gives me a "bad protocol" error

also the fixup command seems only to support the following on the pix

Usage: [no] fixup protocol [] [-]

I have also tried fixup protocol domain maximum-length 512

to which im told maximum-length is a bad port number

My server is indeed 2003 however this behaviour is also evident when i substitute the addresses of my PC instead of the server, the PC is running XP professional.

I have run the following command on the server that should ensure that DNS queries do nbot exeed 512 bytes dnscmd /config /enableednsprobes 0

Re: PIX 501 DNS Resolution with static route

clark.d — Mon, 16 Feb 2004 13:48:40 GMT

Lets go to the beginning......from the server can you ping and outside device by IP only? Try this aaddres: 216.109.117.108.....does it reply?

Re: PIX 501 DNS Resolution with static route

dylanvendlink — Mon, 16 Feb 2004 14:16:10 GMT

No. not from the server or any other internal ip address.

http does succeed from the server and ping does succeed from the outside interface in case these help.

Re: PIX 501 DNS Resolution with static route

clark.d — Mon, 16 Feb 2004 14:32:22 GMT

Can you ping inside interface from server? Is servers DG set to PIX inside address?

Re: PIX 501 DNS Resolution with static route

clark.d — Mon, 16 Feb 2004 14:42:59 GMT

Add this to you access list to allow ping to outside but not from outside in....

access-list outside_acl permit icmp any any echo-reply

access-list outside_acl permit icmp any any time-exceeded

access-list outside_acl permit icmp any any unreachable

Re: PIX 501 DNS Resolution with static route

dylanvendlink — Mon, 16 Feb 2004 14:51:43 GMT

yes on both counts

(assuming DG is default gateway)