11-13-2003 07:27 AM - edited 02-20-2020 11:06 PM
I don't know how to fix the problem of DNS not working through the PIX firewall. We have an internal DNS server and our ISP hosts external DNS servers.
Would this work? Apply an ACL on the Inside interface that looks like:
access-list 101 permit tcp 172.25.0.0 255.255.0.0 any eq www
access-list 101 permit tcp 172.25.0.0 255.255.0.0 any eq ftp
access-list 101 permit tcp 172.25.0.0 255.255.0.0 any eq telnet
access-list 101 permit tcp 172.25.0.0 255.255.0.0 any eq smtp
access-list 101 permit tcp 172.25.0.0 255.255.0.0 any eq domain
access-list 101 permit udp 172.25.0.0 255.255.0.0 any eq domain
access-list 101 permit ip 172.25.0.0 255.255.0.0 any
Is the ACL command to allow tcp and udp "eq domain" allowing TCP Zone Repeater, UDP Resolver requests and responses?
I'm also doing PAT on the outside interface for all outbound traffic (PAT only, no NATing).
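As an added example (not part of the original thread), the following Python probe sends the same DNS query once over UDP 53 and once over TCP 53, which is the quickest way to confirm whether "eq domain" for both protocols is actually being passed by the firewall: ordinary resolver lookups use UDP, while zone transfers and responses too large for UDP (the TC bit set) fall back to TCP. The resolver address, the name example.com, and the embedded sample answer are constructed placeholders, not values from the thread.

```python
"""Minimal DNS probe: build a query, frame it for UDP or TCP, parse the reply."""
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Return a DNS query (RD=1, QCLASS=IN) for name; qtype 1 = A record."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data):
    """Parse header + answer section; A records are rendered as dotted quads."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                # skip question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata), ttl))
        else:
            answers.append((name, str(rtype), rdata.hex(), ttl))
    return {"id": txid, "rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200), "answers": answers}


def probe(server, name, transport="udp", timeout=3.0):
    """Query server over UDP or TCP; a timeout on one transport but not the
    other usually means that port/protocol is filtered in between."""
    q = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(frame_for_tcp(q))
                (length,) = struct.unpack("!H", s.recv(2))
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
        return parse_response(data)
    except (socket.timeout, ConnectionRefusedError, OSError) as exc:
        return {"error": f"{transport} 53 to {server}: {exc!r}"}


# Constructed sample reply: ID 0x1234, one A record for example.com -> 192.0.2.10
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header, RCODE 0
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"   # ptr, A IN, TTL 3600
    b"\xc0\x00\x02\x0a"                                   # RDATA 192.0.2.10
)

if __name__ == "__main__":
    resolver = "192.0.2.53"   # placeholder: put your ISP's resolver here
    for t in ("udp", "tcp"):
        print(t, probe(resolver, "example.com", t))
```

Run it from an inside host with the ISP resolver address filled in; a good answer on UDP but an error on TCP (or vice versa) points at the protocol the firewall policy is missing, whereas errors on both point at PAT or routing rather than the ACL.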
11-13-2003 09:47 AM
I was configuring PAT to an address of xxx.xxx.45.5, but after checking with my ISP and the entries they have for us in their DNS servers they show an address of xxx.xxx.45.2. Hmmm. I'm going to try changing my PAT to use the 45.2 address and see if that solves my problem.
12-02-2003 03:36 AM
hi,
Could you let me know if you resolved the problem, as I'm stuck with the same? I want to know how you resolved the DNS problem, if so, because at my customer's end I can't ping DNS, hence no browsing. I have deployed lots of PIXes but never faced such a problem, and I never explicitly permitted DNS; all others work fine, the only problem is with this site.
The error is:
The Web site you are looking for is unavailable due to its identification configuration settings
"This error indicates that the gateway could not find an authoritative DNS server for the Web site you are trying to access. "
Need assistance, I would highly appreciate your response.
12-02-2003 06:41 AM
Well, I was doing a few things wrong. The first thing was putting an ACL on the inside interface. I didn't need to put an ACL on the inside interface since everything from the inside is permitted out by default. To test this I removed all ACLs on the inside and outside interfaces.
The second thing was that all of our workstations were set to look at only our DNS servers and not our ISP's DNS servers. To solve this I could either modify all of the workstations to have our internal DNS server IP address as the primary and our ISP's DNS server IP address as the secondary. The second option was to have our DNS server send any requests that were not in its list out to our ISP. That's what I did because we have over 1000 workstations and I didn't want to modify all of them.
The third thing I forgot to change was on the workstation in IE. It was set to use a Proxy Server because our old firewall was doing Proxy Services, so I had to remove the setting to "Use a Proxy Server".
I hope this helps. Good luck.