02-17-2009 09:29 AM - edited 03-11-2019 07:51 AM
Hi
As the title says, we cannot access our DNS server, which is 192.168.7.199, from any other hosts behind the PIX in the 192.168.7.0/24 range.
I have been through the document which talks about DNS rewrite and hairpinning, but neither seems to work. I think I am missing some setting(s) somewhere.
I have also been through some of the previous posts especially this one "Firewalling: Access external Static destined to DMZ from Inside Interface"
If you have any ideas, we would very much appreciate it.
We have set up as follows:
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any object-group HTTP eq www
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.7.0 255.255.255.0
static (inside,inside) 194.xxx.yyy.199 192.168.7.199 netmask 255.255.255.255
static (inside,outside) 194.xxx.yyy.199 192.168.7.199 netmask 255.255.255.255
thanks
Ali
02-17-2009 10:17 AM
Ali, question: are you trying to access your DNS from outside to inside, or is it from within the LAN?
02-17-2009 03:07 PM
Hi
We are trying to access the DNS server from inside the LAN without using local IP addressing. So, for example:
192.168.7.15 makes a DNS query for a website which is actually sitting on 192.168.7.199. When it traverses through the PIX into the DNS of the world, the reply is that this website is actually on 194.xxx.yyy.199, which is NATted to 192.168.7.199.
Hence the original request is from within the LAN, but it actually ends up coming from outside. Hope this makes sense; there is a diagram in the doc "http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#inspect"
Unfortunately even after this, I'm stuck :,)
Thanks
02-17-2009 10:18 AM
Hello Ali,
Try this
policy-map global_policy
class inspection_default
inspect dns
Regards
02-17-2009 03:01 PM
Hi, thanks for your reply
I already have the following running
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
It wouldn't allow me to enter the config you sent as this is already present. Do I need to modify it?
Thanks
Ali
02-17-2009 03:10 PM
From where are you trying to access this DNS server? According to your post you cannot access it from behind the PIX LAN, and if I understand correctly your DNS falls within this same LAN segment, correct? In that case the DNS doctoring will never be applied. Can you confirm?
02-17-2009 03:21 PM
Yes, I can confirm that we are trying to access the DNS server from behind the PIX LAN, which means the DNS server and other hosts fall in the same LAN segment. The document which I mentioned earlier, from what I could see, is designed for this scenario, hence I tried DNS Doctoring, but didn't get very far with it.
Hope this helps. Let me know if you need more info
Regards
02-17-2009 03:27 PM
The key point of DNS doctoring is that the DNS request has to go through the firewall so that it can modify the DNS reply. In your case your goal, I presume, is that when your clients look for a site that resolves to a public IP address, the PIX changes the IP address to the private IP instead of using the public one.
02-17-2009 03:39 PM
Yes, I think perhaps that is what we are looking for. Any ideas on how I need to implement this?
thanks
Ali
02-17-2009 03:43 PM
If your clients have a DNS that belongs to the inside... unless you change the MX record of your DNS to reflect the real IP address; of course, if this DNS is used to resolve names for outside people too, then you will be in problems...
Putting the DNS on a DMZ or on the outside will make the DNS query go through the ASA, causing it to be modified. Now have in mind that the entry that has the dns option enabled on it is the translation of your server, in other words the static entry that tells the outside world that the private address of your webserver (as an example) will be translated to X public address, and not the DNS itself.
02-17-2009 04:38 PM
OK, thanks. I will review the setup tomorrow and get back to you. The Cisco doc looked pretty much the business for the situation that I found myself in. Anyhow, I will get this checked out tomorrow and let you know.
Thank you very much, I really appreciate your feedback.
Regards,
02-17-2009 05:21 PM
If you don't mind can you share that doc here?
02-17-2009 06:13 PM
This is the link.
Let me know your thoughts on it. Does it sound like I am missing a small component, or is it different to what I am after? I couldn't find much difference from our setup to the one in the doc. I also referred to the NetPro Forum thread titled "Firewalling: Access external Static destined to DMZ from Inside Interface".
Thanks
02-17-2009 06:36 PM
Oh OK, I see where you got it wrong: on the hairpinning option you do not make the static inside,inside of the DNS server, you do it for the WEBSERVER that needs to be reached. In this case the DNS record is never changed; instead, when the DNS server replies to you with the public address, the ASA will redirect you to the real IP address of your WEBSERVER.
02-17-2009 07:03 PM
OK, here I will need your help further.
We have a machine which is a DNS SERVER as well as a WEBSERVER.
The machine has the IPs 192.168.7.41, 192.168.7.51 & 192.168.7.52. Default GW is 192.168.7.1 (inside interface of the PIX).
DNS servers for this machine are itself, i.e. 192.168.7.41, & another DNS box, 192.168.7.165.
There is a website sitting in IIS whose www A record points to 194.xxx.yyy.41.
The static NATting configured means that 194.xxx.yyy.41 translates to the inside as 192.168.7.41.
The website can be reached from outside the LAN, but not from inside. I have made the change you just suggested, but still cannot see the website from 192.168.7.153.
Sorry for the trouble. I hope the above isn't confusing info. Thanks a lot
Ali
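For reference, here is a hairpinning configuration for the setup described in this last post, written as an added example rather than taken from the thread or from Cisco's document. It assumes PIX/ASA 7.x-8.2 syntax, interfaces named inside and outside, the inside interface at 192.168.7.1, and the web server at 192.168.7.41 published as 194.xxx.yyy.41; the static entries are for the WEBSERVER, not for the DNS server, as the reply above explains.

```cisco
! Added example (not from the thread). Placeholder public address 194.xxx.yyy.41.
! 1. Allow traffic to enter and leave the same (inside) interface.
same-security-traffic permit intra-interface

! 2. Source-translate hairpinned inside->inside flows to the PIX inside interface.
!    Without this the server answers the client directly on the LAN and the
!    PIX never sees the return traffic, so the connection fails.
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.7.0 255.255.255.0

! 3. Publish the WEB SERVER to the outside. The dns keyword makes the PIX
!    rewrite A records in DNS replies that pass through it (DNS doctoring);
!    it has no effect on replies from a DNS server on the same inside segment,
!    because those replies never cross the firewall.
static (inside,outside) 194.xxx.yyy.41 192.168.7.41 netmask 255.255.255.255 dns

! 4. Hairpin static for the WEB SERVER: an inside client that connects to the
!    public address is redirected by the PIX to the real inside address.
static (inside,inside) 194.xxx.yyy.41 192.168.7.41 netmask 255.255.255.255

! 5. DNS inspection must be active for step 3 to rewrite anything.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

After applying this, `show xlate` on the PIX should show translations for 192.168.7.41, and a client such as 192.168.7.153 should reach 194.xxx.yyy.41 via the PIX even though the DNS reply it received still carries the public address.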