02-12-2004 04:14 AM - edited 02-20-2020 11:14 PM
I am using a pix 501.
I have an internal DNS server behind this pix that uses my ISPs DNS servers to resolve external domains.
I now want to host a web site from the same server.
In order to allow external access to the web server I add the following:
access-list outside_in_http permit tcp any host A.B.C.D eq www
static (inside,outside) A.B.C.D L.M.N.O netmask 255.255.255.255 0 0
access-group outside_in_http in interface outside
This is all well and good and allows web access. The problem is that the server can no longer resolve DNS queries.
How can I allow my server to resolve DNS again in a secure way? I imagine this is quite simple to achieve, but I am having great difficulty in finding the solution.
thanks in advance
Dylan
02-16-2004 07:31 AM
On your server set the DNS IP to 67.38.230.69, then ping www.yahoo.com from a command prompt....does that resolve?
02-12-2004 07:24 AM
Dylan,
Is there any access-list applied in the inside interface? Have you tried to 'clear xlate' after setting the static? Have you searched PIX's logs for connection rejections?
Regards.
02-12-2004 08:40 AM
Do you have the following in your acl?
access-list outside_in_http permit udp any host A.B.C.D eq 53
This will allow DNS queries from your inside box.
02-13-2004 06:04 AM
I have tried the following which I believe should achieve the same thing - or am I missing something here?
names
name X.X.X.X eircomdns1
name L.M.N.O webserver
access-list outside_access_in permit tcp any host A.B.C.D eq www
access-list outside_access_in permit tcp host eircomdns1 host A.B.C.D eq domain
access-list outside_access_in permit udp host eircomdns1 host A.B.C.D eq domain
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) A.B.C.D webserver netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
02-13-2004 06:37 AM
If the inside web server can't resolve external names, verify DNS is set correctly on the inside server....it should be pointed to an outside DNS server or have forwarders turned on. If your web server is pointed to itself for DNS, make sure to define a forwarder or make sure it has a root hints file.
02-13-2004 07:13 AM
DNS resolution works OK on the inside server until I add the static route to allow inbound HTTP access.
02-13-2004 06:39 AM
I am a little confused here. I thought your DNS and web server were on the same box, yet you have separate statements defining them? Also, is your DNS having problems resolving outside addresses, or is it having problems resolving external queries for inside addresses? The second and third ACL lines you have listed allow DNS queries originating from outside. It would be much more helpful if you posted your entire config; your original posting had only one line and this one only has three in your ACL. I think we can verify your config if it were posted.
02-13-2004 07:18 AM
sorry about that
I changed the naming when reconfiguring, I will post entire config in follow up to my original message.
02-12-2004 09:32 AM
Who can't resolve?? The internal web server can't resolve external addresses, or the outside can't resolve the web server's address?
02-13-2004 05:39 AM
The internal web server can't resolve external addresses.
02-13-2004 07:40 AM
I am including my full config as it currently stands.
I have taken out the rules allowing udp & tcp connections from the external dns servers as I only want to allow the following:
1) all inside access out (default rule)
2) http access in to my web server (which also happens to be my dns server) from outside
3) my internal server (web & dns) needs to resolve dns by forwarding dns lookups to my ISPs servers.
The problem is that when I put in the static and create the access-list and access-group to allow incoming HTTP access, my DNS lookups stop working.
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name X.X.X.X eircomdns1
name X.X.X.X eircomdns2
name L.M.N.O webserver
access-list outside_access_in permit tcp any host A.B.C.D eq www
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging trap warnings
logging host inside webserver
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.E 255.255.255.0
ip address inside L.M.N.P 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location webserver 255.255.255.255 inside
pdm location eircomdns1 255.255.255.255 outside
pdm location eircomdns2 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) A.B.C.D webserver netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 L.M.N.Q 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http A.B.C.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet A.B.C.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address XXXXXX-XXXXXX inside
dhcpd dns eircomdns1 eircomdns2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain vendlink.internal
dhcpd auto_config outside
dhcpd enable inside
username admin password XXXX encrypted privilege 15
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]
02-13-2004 08:20 AM
Hi..
Have you got any syslog messages that you can provide?
If you haven't then do:
In config mode -
>logging on
>logging buffer debug
>sho logging
Please post the results,
Thanks - Jay.
02-13-2004 10:45 AM
710005: UDP request discarded from 192.168.2.9/138 to outside:192.168.2.255/netbios-dgm
302016: Teardown UDP connection 58867 for outside:159.134.237.6/53 to inside:192.168.1.20/1069 duration 0:02:01 bytes 36
106015: Deny TCP (no connection) from 216.155.193.154/25 to 192.168.2.10/1085 flags FIN PSH ACK on interface outside
302015: Built outbound UDP connection 58879 for outside:159.134.237.6/53 (159.134.237.6/53) to inside:192.168.1.20/1069 (192.168.2.10/1069)
305012: Teardown dynamic UDP translation from inside:192.168.1.34/1033 to outside:192.168.2.3/20765 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.34/851 to outside:192.168.2.3/658 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.34/3153 to outside:192.168.2.3/20766 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.34/218 to outside:192.168.2.3/215 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.34/3154 to outside:192.168.2.3/20767 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.34/219 to outside:192.168.2.3/216 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.34/3155 to outside:192.168.2.3/20768 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.1.34/220 to outside:192.168.2.3/217 duration 0:00:31
02-13-2004 11:22 AM
Try adding the following command to enable DNS Guard. This may solve your problem (what OS is your DNS server? I am assuming Windows 2003).
fixup protocol dns maximum-length 512
Read the following command for details.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.pdf
02-16-2004 01:54 AM
fixup protocol dns maximum-length 512
gives me a "bad protocol" error.
Also, the fixup command seems only to support the following on the PIX:
Usage: [no] fixup protocol
I have also tried fixup protocol domain maximum-length 512
to which I'm told maximum-length is a bad port number.
My server is indeed 2003; however, this behaviour is also evident when I substitute the address of my PC instead of the server. The PC is running XP Professional.
I have run the following command on the server, which should ensure that DNS queries do not exceed 512 bytes: dnscmd /config /enableednsprobes 0