08-19-2004 11:22 AM - edited 02-20-2020 11:34 PM
I have set up a PIX 515E on our network to replace our previous firewall/router. After getting everything configured I seemed to have run into an issue (I'm sure it is very simple, but I am new to Cisco products). My webserver as well as mailserver are both on the internal network. None of the internal hosts are able to resolve the servers' domain names. From outside, access is flawless. From inside, no resolution on the domain names for the two internal servers. I am in the middle of setting up the ipsec tunnel, so there is a bunch of garbage there that isn't really important to the issue.
As I said, I'm pretty sure this is a simple, newbie fix... but as I am still new to the product line, I have not the experience to fix it myself.
This is the running configuration of my PIX (it is attached, as the message was too long). All of the numbers, names, etc. have been changed, but you will get the idea.
Any help would be greatly appreciated.
08-19-2004 11:50 AM
If I understand you right, you try to connect to your mail and web server with your public IP address, as the DNS entry is a public IP.
This is not possible with the PIX, you cannot go from your internal private network and leave to the Internet and come back again via the same (outside) interface.
The way to do that is connecting to your Email server with the internal (private) IP.
Here some comments to your config.
----------------------------------
Remove the line:
global (inside) 10 192.168.1.1-192.168.1.253 netmask 255.255.255.0
I do not see the purpose of this line.
You allow all traffic from the internet !!!
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any
welcome to all hackers and crackers.
Better put something like:
access-list outside_access_in permit udp host VPNPeer interface outside eq isakmp
access-list outside_access_in permit esp host VPNPeer interface outside
access-list outside_access_in permit ah host VPNPeer interface outside
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 25
add all other protocols and ports that you need !
Sincerely
Patrick
08-19-2004 12:11 PM
Thank you for the prompt reply. Much of the information there was set up through the initial wizard (as well as the VPN wizard). I will take your comments regarding the access list and apply them immediately (I should have noticed this access list application... the PDM leaves something to be desired, that is for sure). As for the global, that was something that the ISP set up when they came to give me some help setting up the PIX (I had some issues, which turned out to be a corrupted IOS initially installed on the device along with an abnormal configuration for the fiber connection that we use).
I think you are correct in what I am trying to do. I will give a more simplified explanation (I kind of jumbled around there, I see now that I have read back over it).
I have two servers:
mail.mydomain.com
I can access these from outside the network without problem (since I have the routes set up and access lists accordingly).
If I try to use one of the hosts to access either http://www.mydomain.com or mail.mydomain.com it fails. If I try to go to the public IP it fails.
I am unable to resolve the URL to an IP.
I created a temporary workaround by modifying the hosts' host files in order to redirect them to the local 192 addresses. Is this the ONLY way to fix this? I host internal DNS (primary) as well as use a 3rd party DNS server (secondary).
Will I just have to modify the DNS entries locally? Or will I have to modify the hosts' files? (I really don't want the employees to have to use the local IP as opposed to our domain name.) Our previous firewall permitted this; this one does not seem to allow it. Am I understanding correctly that a 500 dollar firewall provided a solution that the PIX series does not? I only switched to the PIX for VPN termination...
08-20-2004 06:14 AM
Workaround one:
You could use an internal DNS server to redirect your www.yourdomain.com to the internal IP address 192.x.x.x.
Workaround two: use the alias command.
See: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255
!--- This command sets up DNS Doctoring. It is initiated from the clients in
!--- the "inside" network. It watches for DNS replies that contain
!--- 99.99.99.99, then replaces the 99.99.99.99 address with the 10.10.10.10
!--- address in the "DNS reply" sent to the client PC.
Cisco PIX has just another architecture that you have to deal with. Don't forget that you do not have a vulnerable OS under the PIX as other firewalls have; it is easy to upgrade....
You do not spend a couple of hours to install the OS.
Sincerely
Patrick
08-20-2004 06:36 AM
The alias command probably will not be of use if the DNS server resides on the same side of the PIX as the internal clients. Moreover, I have heard that the alias command is being phased out. The newer recommendation is to use the dns keyword in your static translation for your webserver. The catch here is that if the DNS resides on the inside interface then you have to set up your DNS to resolve requests to the private IP address and let the PIX handle the translation to the public IP address for any DNS replies to public clients.
static (inside,outside)
You probably would want to test it out before deploying it in production though.
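Added illustration, not code from this thread or from Cisco: a small Python model of the DNS doctoring that Patrick's alias example and the `static ... dns` keyword both perform, rewriting an A record's public address to the inside address as the reply passes to an inside client. The 99.99.99.99 / 10.10.10.10 pair is reused from the alias example above; the function names and the constructed sample reply are assumptions.

```python
import ipaddress
import struct

# Model of PIX "DNS doctoring" (alias command / static ... dns keyword): an A-record
# reply crossing from the outside DNS server to an inside client has its public address
# rewritten to the inside address, so the client connects to the private IP directly
# instead of trying to hairpin back in through the outside interface.
def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _answer_records(msg):
    """Yield (rdata_offset, rtype, rdlen) for every record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                            # fixed-size DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                       # TYPE, CLASS, TTL, RDLENGTH
        yield off, rtype, rdlen
        off += rdlen

def a_records(msg):
    """List the IPv4 addresses carried in the reply's A records."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, rdlen in _answer_records(msg) if rtype == 1 and rdlen == 4]

def doctor_reply(msg, translations):
    """Rewrite A records whose address is a key of translations (public -> inside)."""
    out = bytearray(msg)
    for off, rtype, rdlen in _answer_records(msg):
        if rtype == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if addr in translations:
                out[off:off + 4] = ipaddress.IPv4Address(translations[addr]).packed
    return bytes(out)

def build_reply(name, ip, txid=0x1234):
    """Constructed sample reply (not captured traffic): one question, one A answer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # response, RD+RA set
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer
```

With a split-horizon internal DNS (workaround one) the rewrite is unnecessary because the inside server already answers with the private address; this model only shows what the PIX does when the reply comes from outside.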
08-20-2004 07:47 AM
See details on this link.
PIX Firewall Software Version 6.3 Commands
Sincerely
Patrick