topic Re: PIX AND DNS REVERSE LOOKUP PROBLEM(S) in Network Security

PIX AND DNS REVERSE LOOKUP PROBLEM(S)

rlowe26 — Fri, 21 Feb 2020 06:42:23 GMT

Ladies and Gentlemen, Apparently there is no FIX for this Problem(s). However, If one of you CISCO Ladies or Gentlemen can Figure this out, Please let me know Soonest... Thank You in advance.

I have a PIX 5 15 w/failover. On one of my Networks, I have People that have to get to a certain .mil site, but when they attempt to hit certain Links off of it, they cant get to it. When I do a Reverse DNS Lookup Check, it tells me that it is unable to translate my IP Address to a host name, which it is reflecting my PAT Address on my PIX. Now, of course, if I get on one of my Outside DNS Servers, I can get to the Links with no problem. Furthermore, I have a DNS Entry on my outside DNS Server for my Global PAT Address, and it still does not translate. I have tried everything on Cisco's site to fix this situation, to no avail. This is a much needed item, but I also want to keep my network locked down, and yes I know I cant have my cake and eat it too, but any information/guidance on this would be greatly appreciated.

Can someone please help me with this one. I always try to do things myself, but this is one thing that is kicking my tail. Please Help!

Re: PIX AND DNS REVERSE LOOKUP PROBLEM(S)

jmia — Thu, 24 Apr 2003 10:47:17 GMT

Hi Ron,

Any chance you can post your config without the real IP/Passwords etc,etc..

Thanks -

Re: PIX AND DNS REVERSE LOOKUP PROBLEM(S)

rlowe26 — Thu, 24 Apr 2003 10:56:00 GMT

Sure, give me a few minutes so I can edit the configs in .txt accordingly. Thanks! Ron

Re: PIX AND DNS REVERSE LOOKUP PROBLEM(S)

rlowe26 — Thu, 24 Apr 2003 11:09:53 GMT

Ok, here it is.

: Saved

: Written by

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password encrypted

passwd encrypted

hostname mypix

fixup protocol http 80

fixup protocol h323 ras 1718-1719

fixup protocol rtsp 554

fixup protocol smtp 25

no fixup protocol sip 5060

no fixup protocol skinny 2000

no fixup protocol sqlnet 1521

no fixup protocol rsh 514

no fixup protocol h323 h225 1720

no fixup protocol ftp 21

no fixup protocol ils 389

names

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachable

access-list 100 permit tcp any host x.x.x.x eq smtp

access-list 100 permit tcp any host x.x.x.x eq bgp

pager lines 24

logging on

logging timestamp

logging monitor debugging

logging trap debugging

logging history notifications

logging host inside x.x.x.x

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside x.x.x.x 255.255.255.0

ip address inside x.x.x.x 255.255.255.0

ip address intf2 0.0.0.0 0.0.0.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside x.x.x.x

failover ip address intf2 x.x.x.x

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x netmask 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

no snmp-server location

no snmp-server contact

snmp-server community xxxxxxxx

no snmp-server enable traps

tftp-server inside x.x.x.x pixconfig

floodguard enable

sysopt security fragguard

no sysopt route dnat

telnet x.x.x.x 255.255.255.0 inside

telnet timeout 30

ssh timeout 5

terminal width 80

end

I havent implemented my DMZ yet, but I will be doing that this weekend.

I also have "Service resetoutside"

Ron

Re: PIX AND DNS REVERSE LOOKUP PROBLEM(S)

jmia — Thu, 24 Apr 2003 11:44:56 GMT

Ron,

I presume that your internal clients /PC's are using your outside DNS IP address? also try < sysopt no proxyarp inside > and see what happens.

Thanks -

Re: PIX AND DNS REVERSE LOOKUP PROBLEM(S)

rlowe26 — Thu, 24 Apr 2003 12:50:02 GMT

My internal clients are using NAT on the inside. I have Inside DNS and Outside DNS. I just tried it. It didnt work. Ron

Re: PIX AND DNS REVERSE LOOKUP PROBLEM(S)

mostiguy — Thu, 24 Apr 2003 14:40:20 GMT

You have a forward dns entry for your pix ip address, but how about reverse? Meaning, you have a dns A record for www.bob.com, but no reverse record for 1.2.3.4 to www.bob.com

Re: PIX AND DNS REVERSE LOOKUP PROBLEM(S)

jmia — Thu, 24 Apr 2003 14:42:22 GMT

Hi Ron,

No luck eh, well have a look at this doc and hopefully might help you troubleshoot your problem.. sorry no time to look at your problem in greater detail...

http://www.cisco.com/warp/public/110/21.html

Thanks -