01-06-2008 05:47 PM - edited 03-11-2019 04:44 AM
Currently I have a DNS server running behind a PIX 501. I can ping the servers external IP and everything. My question is do I have to NAT the local IP of the DNS server to the static external IP for DNS to work? I am trying to set this up for external webhosting use.
Thanks!
01-06-2008 08:03 PM
Hi .. if you are providing DNS resolution on your DNS server for requests coming from the Internet .. yes, you need to create a static NAT or port forwarding (if you only have one public IP address used by the firewall). And you also need to allow that access in the access list applied to the outside interface, i.e.
Port forwarding using the external IP of the firewall:
static (inside,outside) udp interface 53 PrivateDNS_IP 53 netmask 255.255.255.255
access-list Outside_In permit udp any interface outside eq 53
access-group Outside_In in interface outside
OR
Static NAT:
static (inside,outside) PublicDNS_IP PrivateDNS_IP netmask 255.255.255.255
access-list Outside_In permit udp any host PublicDNS_IP eq 53
access-group Outside_In in interface outside
NOTE: if the real IP address of the DNS server is also a public IP address, then the IP address you type in the static command will be the same, i.e.
static (inside,outside) PublicDNS_IP PublicDNS_IP netmask 255.255.255.255
I hope it helps .. please rate it if it does !!!
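As an added check (not from this thread and not a Cisco tool), the Python below cross-references the static and access-list lines in the answer above: it reports a mapped DNS address that the ACL bound to the outside interface does not actually permit, and notes when only UDP/53 is reachable, since DNS answers larger than 512 bytes fall back to TCP/53 (and zone transfers use TCP). The interface and ACL names follow the answer; the 10.0.0.53 address is constructed.

```python
import re

# Constructed sample in the shape of the port-forwarding answer above; the
# 10.0.0.53 address is made up, not a host from the thread.
SAMPLE_CONFIG = """
static (inside,outside) udp interface 53 10.0.0.53 53 netmask 255.255.255.255
access-list Outside_In permit udp any interface outside eq 53
access-group Outside_In in interface outside
"""

# static (in,out) {tcp|udp} global_ip global_port local_ip local_port netmask m
REDIRECT_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) \S+ \d+ netmask \S+$")
# static (in,out) global_ip local_ip netmask m  (every port mapped, ACL decides)
ONE_TO_ONE_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) \S+ netmask \S+$")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any (?:host (\S+)|interface (\w+)) eq (\d+)$")
ACG_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def check_dns_exposure(config: str) -> dict:
    """Cross-check statics against the ACL bound to their outside interface.
    'unpermitted': mappings with no matching permit (the interface ACL drops them);
    'tcp53_missing': only UDP/53 is reachable, so TCP fallback and AXFR fail."""
    redirects, one_to_one, permits, bound = set(), set(), set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := REDIRECT_RE.match(line):
            _, ext_if, proto, gip, gport = m.groups()
            target = f"interface {ext_if}" if gip == "interface" else gip
            redirects.add((ext_if, proto, target, int(gport)))
        elif m := ONE_TO_ONE_RE.match(line):
            one_to_one.add((m.group(2), m.group(3)))
        elif m := ACL_RE.match(line):
            name, proto, host, iface, port = m.groups()
            permits.add((name, proto, host or f"interface {iface}", int(port)))
        elif m := ACG_RE.match(line):
            bound[m.group(2)] = m.group(1)          # interface -> ACL name
    reachable, unpermitted = set(), set()
    for ext_if, proto, target, port in redirects:
        if (bound.get(ext_if), proto, target, port) in permits:
            reachable.add((proto, target, port))
        else:
            unpermitted.add((proto, target, port))
    for ext_if, gip in one_to_one:
        hits = {(p, t, port) for n, p, t, port in permits
                if n == bound.get(ext_if) and t == gip}
        reachable |= hits
        if not hits:
            unpermitted.add(("any", gip, "any"))
    dns = {proto for proto, _, port in reachable if port == 53}
    return {"unpermitted": unpermitted, "tcp53_missing": dns == {"udp"}}
```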
01-06-2008 08:06 PM
Thanks for the response, I will give that a try tomorrow!
01-06-2008 08:14 PM
Quick question. If I have the inside interface of the PIX set for a local IP, could I still use the static NAT with the DNS server using an external IP?
For instance like you said:
static (inside,outside) 74.xx.xx.35 74.xx.xx.35 netmask 255.255.255.255
even if the following is set:
ip address outside 74.xx.xx.36 255.255.255.248
ip address inside 10.xx.xx.81 255.0.0.0
Thanks for the help!
01-07-2008 12:26 PM
fernando_meza stated that you would have your static command as follows:
static (inside,outside) 74.xx.xx.35 10.xx.xx.xx netmask 255.255.255.255
The 10.xx.xx.xx is the inside (local) address of your DNS server.
01-07-2008 03:49 PM
Okay, let me word this differently... Is there any way to use external IP addresses on the servers behind the PIX? (No local IPs involved)
Thanks for the help.
01-07-2008 09:15 PM
Hi .. First of all you need to make sure that the IP addresses (firewall and DNS server) don't overlap .. meaning they belong to two separate segments. The static NAT part (as you mentioned) will be OK from the configuration point of view. HOWEVER, the firewall needs to know the next hop to 74.X.X.35, as it only knows the directly connected networks by default. In which case you will need another device behind the firewall (such as a router) for this purpose. What you are trying to achieve requires a firewall with at least 3 interfaces and/or one that supports VLANs. Unfortunately the 501 limits you to the creation of two segments only (inside and outside). Alternatively you can have two 501s and create a DMZ segment between the two.
Internet ->PublicFirewall<-DMZ segment-> PrivateFirewall-> Inside Network