11-06-2008 08:51 AM - edited 03-11-2019 07:09 AM
I have a Pix 501 that is for management devices. The Pix is 10.100.0.1 and the devices are in the same class C. These devices can ping any IP address I want (yahoo.com, google.com, etc.); however, they can't resolve by NAME, only by IP, i.e. ping www.yahoo.com fails. If they can ping the address of yahoo, it is getting to the DNS servers. Am I missing something here?
Gabrielle
Network and Sys Admin
11-06-2008 11:13 AM
Anyone?
11-06-2008 11:15 AM
Gabrielle
It would help if you posted the config. Also,
what is the client's DNS server set to?
Jon
11-06-2008 11:30 AM
PIX Version 6.3(4)
hostname xxx.xxx
domain-name xxx.com
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol mgcp 5060
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol tftp 69
names
name 10.100.0.13 OSI1
name 10.100.0.14 OSI2
name 10.100.0.28 Calix
name x.x.x.x Calix-Outside
name x.x.x.x OSI-1-Outside
name x.x.x.x OSI-2-Outside
object-group network OSI-TAC
network-object host 67.132.187.193
network-object host x.x.x.x
object-group network CALIX_TAC
network-object host x.x.x.x
network-object host x.x.x.x
network-object host x.x.x.x
access-list outside_in permit tcp object-group OSI-TAC host OSI-1-Outside eq www
access-list outside_in permit tcp object-group OSI-TAC host OSI-1-Outside eq https
access-list outside_in permit tcp object-group OSI-TAC host OSI-1-Outside eq 2001
access-list outside_in permit tcp object-group OSI-TAC host OSI-2-Outside eq www
access-list outside_in permit tcp host PL-CTC-LAN host Calix-Outside eq www
access-list outside_in permit tcp host PL-CTC-LAN host Calix-Outside eq https
access-list outside_in permit tcp host PL-CTC-LAN host Calix-Outside eq 50000
access-list outside_in permit tcp host PL-CTC-LAN host Calix-Outside eq telnet
access-list outside_in permit tcp host PL-CTC-LAN host OSI-1-Outside eq www
access-list outside_in permit tcp host PL-CTC-LAN host OSI-1-Outside eq https
access-list outside_in permit tcp host PL-CTC-LAN host OSI-1-Outside eq 2001
access-list outside_in permit tcp host PL-CTC-LAN host OSI-2-Outside eq www
access-list outside_in permit tcp host PL-CTC-LAN host OSI-2-Outside eq https
access-list outside_in permit tcp host PL-CTC-LAN host OSI-2-Outside eq 2001
access-list 140 permit udp any any eq bootps
access-list 140 permit udp any any eq 547
access-list 110 deny tcp any any eq ftp
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging history warnings
icmp permit x.x.x.x 255.255.255.128 echo-reply outside
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any echo-reply inside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside 10.100.0.100 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pltechpool 10.101.0.1-10.101.0.254 mask 255.255.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Calix-Outside Calix netmask 255.255.255.255 0 0
static (inside,outside) OSI-1-Outside OSI1 netmask 255.255.255.255 0 0
static (inside,outside) OSI-2-Outside OSI2 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.255.0.0 10.0.0.52 1
route inside x.x.x.x 255.255.255.252 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcprelay server x.x.x.x outside
dhcprelay enable inside
dhcprelay setroute inside
11-06-2008 11:44 AM
Gabrielle
None of your access-lists are applied to any interface, which is okay for this issue; I just wanted to check that you noticed this.
You have set up NAT so your clients on the inside LAN can get out to the Internet, and that is why they can connect to the IP addresses of Internet sites.
But what DNS server does the client have set up? Does it have one, and if it does, can this DNS server resolve Internet names?
If it doesn't have one you need one, and it needs to be able to either
1) resolve Internet names
OR
2) be able to forward requests on to DNS servers that can do 1)
Jon
11-06-2008 11:50 AM
The DNS servers are able to resolve Internet names. They are the DNS servers that I use for all our customers (ISP); it is a public IP address, not a private IP.
11-06-2008 11:54 AM
Right, so a client on the inside LAN has the default gateway set to the Pix and has the DNS server set to a DNS server that can resolve Internet names.
Can you do a debug on the inside interface of the Pix and then try to access a webpage by URL:
pix# debug packet inside src
pix# debug packet inside dst
pix# no debug all
will turn off your debugging. You may need to enter it a couple of times: do a "sh debug" and if there are still entries, enter it again.
When you initiate the connection you should see a DNS request go to the DNS server and the DNS response coming back to the client.
Jon
11-06-2008 12:27 PM
11-06-2008 12:30 PM
What is the IP address of the DNS server the client is using ?
Jon
11-06-2008 01:29 PM
Gabrielle
Assuming the DNS server is 216.130.224.4 then this debug shows the client sending out a request on destination port 53 to the DNS server.
However, your debug shows no traffic coming back at all. Did you run both debugs, i.e.
debug packet inside src 10.100.0.199
debug packet inside dst 10.100.0.199
You need the second debug to capture the return traffic.
Jon
11-07-2008 06:04 AM
11-07-2008 07:58 AM
Gabrielle
What this shows is the client 10.100.0.199 sending out DNS requests to 2 different DNS servers, 216.130.224.4 & 216.130.224.5, but nothing coming back. So if you had in your debug
debug packet inside src 10.100.0.99
debug packet inside dst 10.100.0.99
and you only captured what you have posted, then all we can say so far is that the DNS request is arriving at the Pix inside interface from the client. So we need more debugging, I'm afraid:
1) debug packet outside dst 216.130.224.4
debug packet outside dst 216.130.224.5
If you leave the previous debugging on then you should see the packet arrive on the inside interface and then go out of the external interface.
If you don't see it go out of the external interface then something is happening internal to the Pix.
I'm assuming that you can run this debug when only one client is trying to access a web page ie. 10.100.0.99 otherwise you will get a lot of output.
2) If you do see packets leaving the outside interface then remove the debugging on the outside interface and replace it with
debug packet outside src 216.130.224.4
debug packet outside src 216.130.224.5
then try the client again and you should see responses coming back to the outside interface from the DNS servers.
It sounds like a lot of work, but it is usually very quick to do this sort of debugging. In the meantime I'll have another quick look at your config. Can you confirm that you still don't have any ACLs applied to any interfaces?
Jon
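As an added example (not part of this thread or Cisco's tooling), a small client-side probe that checks the same thing the inside/outside debugs above are separating: it sends a single UDP/53 query for www.yahoo.com to each of the two DNS servers named in the thread and reports whether any response comes back. The query builder and header parser are hand-written RFC 1035 wire format so nothing beyond the standard library is needed; the server addresses and name are taken from the thread, and the 3-second timeout is an assumption.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id for the probe (assumption)


def build_query(name, txid=TXID):
    """Build a minimal DNS A query with RD set (RFC 1035 header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_response(data, txid=TXID):
    """Return (rcode, answer_count) from a DNS response header.

    Checks the transaction id and the QR bit so a stray packet on the
    socket is not mistaken for an answer from the server.
    """
    if len(data) < 12:
        raise ValueError("short packet")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, an


def probe(server, name="www.yahoo.com", timeout=3.0):
    """Send one query and classify the outcome.

    'timeout' is the thread's symptom: the request leaves the client but
    nothing returns, which points at the path (NAT/ACL/route) rather than
    at the resolver itself.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)  # matches the 512-byte UDP limit the fixup enforces
        except socket.timeout:
            return "timeout"
    rcode, answers = parse_response(data)
    return "ok" if rcode == 0 and answers > 0 else "rcode %d, %d answers" % (rcode, answers)


if __name__ == "__main__":
    for srv in ("216.130.224.4", "216.130.224.5"):  # servers seen in the debug
        print(srv, probe(srv))
```

Run it once from a client behind the Pix and once from a host that reaches the servers directly; a timeout only on the inside client confirms the request or reply is being lost in the firewall path.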
11-07-2008 11:27 AM
11-07-2008 02:51 PM
Gabrielle
Just had a second look at your config. Is there any reason you have the fixup for DNS disabled, i.e.
no fixup protocol dns
If there is no reason, could you try enabling it and retesting, i.e.
fixup protocol dns maximum-length 512
Jon
11-12-2008 06:07 AM
Added the fixup and still the same thing.