
DNS traffic blocked after PAT - PIX 515

I have a PIX 515 with 3 NICs named (inside, outside, dmz).

I have 2 servers (Exchange and Windows 2000 with SMTP) in the DMZ.

I currently have a static command pointing the mail domain IP address to the Exchange server in the DMZ.

I wanted to do PAT on the IP address of the mail domain so that the configuration will look as follows.

The mail domain IP address will be used for the global IP.

Any pop3 traffic for the global IP will go to Exchange.

Any www traffic for the global IP will go to Exchange.

Any smtp traffic for the global IP will go to the Windows 2000 SMTP relay (the SMTP relay is configured to send the received email to the Exchange server).

I have allowed both UDP and TCP DNS traffic for both servers.

Before doing PAT, both servers could use DNS to resolve email domain IPs and send mail to the Internet.

As soon as I do PAT, email delivery to the Internet stops.

When I did an NSLOOKUP, the command returned an error saying the DNS server cannot be resolved.

The DNS servers used by these 2 servers are the ISP's DNS servers.

Is there any concern when doing PAT?

Thanks


tvanginneken (Level 4):

Is it possible to post (a modified version of) the config file? Make sure you blank out passwords when you do this; also use 'fake' public addresses.

Thanks

Please find the PIX configuration.

IP addresses are fake public IPs.

Thanks.

----------------------------------------------------------------------------------------------------------

PIX Version 6.1(3)100

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password

passwd

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol domain 53

fixup protocol http 8080

names

access-list acl_out permit tcp any host 200.100.100.167 eq smtp

access-list acl_out permit tcp any host 200.100.100.167 eq www

access-list acl_out permit tcp any host 200.100.100.167 eq pop3

access-list mail permit icmp any any

access-list mail permit udp host 192.168.1.2 any eq domain

access-list mail permit tcp host 192.168.1.2 any eq domain

access-list mail permit tcp host 192.168.1.2 any eq smtp

access-list mail permit tcp host 192.168.1.2 any eq pop3

access-list mail permit tcp host 192.168.1.2 any eq www

access-list mail permit udp host 192.168.1.6 any eq domain

access-list mail permit tcp host 192.168.1.6 any eq domain

access-list mail permit tcp host 192.168.1.6 any eq smtp

pager lines 24

logging on

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 100full

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 200.100.100.162 255.255.255.240

ip address inside 200.100.100.177 255.255.255.240

ip address dmz 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address dmz 0.0.0.0

pdm history enable

arp timeout 14400

global (outside) 1 200.100.100.168

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) tcp 200.100.100.167 pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0

static (dmz,outside) tcp 200.100.100.167 www 192.168.1.2 www netmask 255.255.255.255 0 0

static (dmz,outside) tcp 200.100.100.167 smtp 192.168.1.6 smtp netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group mail in interface dmz

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 200.100.100.161 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 200.100.100.178 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

terminal width 80

Cryptochecksum:245b1f6d1401a5d4c397efdb6bdb751a

: end


Hi,

I found the problem:

For the moment your DMZ servers can only go to the Internet with pop3, smtp, and www. Only for those protocols is a (static) translation provided in the config file.

You will have to provide a translation for the other protocols (e.g. DNS) also. This can be accomplished in one of the two following ways:

* create a nat/global pair for the dmz to outside

nat (dmz) 1 0.0.0.0 0.0.0.0

global (outside) 1 200.100.100.168 (already exists)

* create a static translation for each of the other protocols (besides pop3, smtp, www) you want to let through from the DMZ to the Internet (you already did this for pop3, www and smtp).

Kind Regards,

Tom
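The translation lookup that the accepted answer describes, as an added example that is not part of the original thread or of any Cisco tool: a small Python model of how a PIX 6.x picks an outbound xlate, run over the static/nat/global lines pasted above. The matching rules are my simplification of PIX behaviour (statics are consulted first, and a port static only matches packets the real host sends from that specific port; anything else needs a nat statement on the ingress interface paired with a global on the egress interface). Under those rules the DMZ DNS query has no translation until the nat (dmz) line is added, and a connection the relay opens from an ephemeral source port to a remote MX falls through to the same nat/global pair. The flows and the ephemeral ports are constructed for the example; the addresses are the fake ones from the posted config. Note that nat (dmz) 1 0.0.0.0 0.0.0.0 gives every DMZ host an outbound translation, so the access-list mail applied on the dmz interface is what still limits which protocols leave.

```python
# Added example (not from the thread): model of PIX 6.x outbound translation
# selection over the static/nat/global lines the original poster pasted.
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Translation lines copied from the posted config.
PIX_CONFIG = """\
global (outside) 1 200.100.100.168
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp 200.100.100.167 pop3 192.168.1.2 pop3 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 200.100.100.167 www 192.168.1.2 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 200.100.100.167 smtp 192.168.1.6 smtp netmask 255.255.255.255 0 0
"""

# The one line the accepted answer adds; global (outside) 1 already exists.
FIX_LINE = "nat (dmz) 1 0.0.0.0 0.0.0.0\n"

PORT_NAMES = {"pop3": 110, "www": 80, "smtp": 25, "domain": 53}


def port(tok: str) -> int:
    """PIX accepts service names or numbers in static lines."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class Static:  # static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port ...
    proto: str
    real_if: str
    mapped_if: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass
class Nat:  # nat (real_if) id net mask ...
    real_if: str
    nat_id: int
    net: IPv4Network


@dataclass
class Global:  # global (mapped_if) id pool
    mapped_if: str
    nat_id: int
    pool: str


@dataclass
class Flow:  # first packet of an outbound connection (constructed sample input)
    src_if: str
    proto: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_port: int


def parse(config: str) -> Tuple[List[Static], List[Nat], List[Global]]:
    """Parse only the static / nat / global lines; everything else is ignored."""
    statics, nats, globals_ = [], [], []
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[0] == "static":
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", tok[1]).groups()
            statics.append(Static(tok[2], real_if, mapped_if, tok[3], port(tok[4]), tok[5], port(tok[6])))
        elif tok[0] == "nat":
            nats.append(Nat(tok[1].strip("()"), int(tok[2]), ip_network(f"{tok[3]}/{tok[4]}")))
        elif tok[0] == "global":
            globals_.append(Global(tok[1].strip("()"), int(tok[2]), tok[3]))
    return statics, nats, globals_


def outbound(config: str, f: Flow) -> Optional[Tuple[str, Optional[int]]]:
    """Mapped (ip, port) for an outbound flow, or None when no xlate can be built
    (the PIX then drops the packet and logs 'No translation group found')."""
    statics, nats, globals_ = parse(config)
    # Assumed rule: a port static only translates packets the real host sends FROM that port.
    for s in statics:
        if (s.real_if, s.mapped_if, s.proto, s.real_ip, s.real_port) == (
            f.src_if, f.dst_if, f.proto, f.src_ip, f.src_port
        ):
            return s.mapped_ip, s.mapped_port
    # Otherwise a nat on the ingress interface must pair with a global on the egress
    # interface. A single-address pool means PAT: the PIX picks the source port (None here).
    for n in nats:
        if n.real_if == f.src_if and ip_address(f.src_ip) in n.net:
            for g in globals_:
                if g.mapped_if == f.dst_if and g.nat_id == n.nat_id:
                    return g.pool, None
    return None


def inbound_target(config: str, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Which DMZ host a connection to the mapped address reaches (the port split the
    poster wanted). Nothing else on that address has a translation."""
    statics, _, _ = parse(config)
    for s in statics:
        if (s.proto, s.mapped_ip, s.mapped_port) == (proto, dst_ip, dst_port):
            return s.real_ip, s.real_port
    return None


if __name__ == "__main__":
    dns = Flow("dmz", "udp", "192.168.1.2", 1025, "outside", 53)
    print("DNS from Exchange, before fix:", outbound(PIX_CONFIG, dns))
    print("DNS from Exchange, after fix: ", outbound(PIX_CONFIG + FIX_LINE, dns))
    print("Inbound SMTP to .167 lands on:", inbound_target(PIX_CONFIG, "tcp", "200.100.100.167", 25))
```

Running it shows the DNS query returning None (dropped) against the posted config and ('200.100.100.168', None) once the nat (dmz) line is appended, which is the behaviour the original poster saw before and after applying the fix.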

Hi Tom

Thank you very much for your help getting the NAT configuration done for PAT.

It is working fine.

Regards
