Public DNS Server behind PIX 501

indynetman
Level 1

I have two publicly accessible DNS servers that I am trying to put behind a PIX 501 to provide name resolution for the domains that we host. I can assign the public IP address to the WAN interface of the PIX and set up a static NAT to the internal address that has been assigned to the DNS server. I can run a sniffer and see that there are lookup requests being passed to the DNS server from the PIX, but I am not seeing any responses from the DNS server or any non-authoritative lookup requests being made.

Thank you for your help,

Tim

5 Replies

Fernando_Meza
Level 7

Hi .. static NAT and DNS access to the external IP address are all you need to allow lookups from the Internet. If, while sniffing the packets, you are able to see DNS requests from external addresses reaching your DNS server but no responses back, then the issue is most likely the DNS server itself .. make sure the DNS services are up and running and also make sure the default gateway is properly configured.

I hope it helps .. please rate it if it does !!!

Both DNS servers work well when they are not behind the firewall. I will check with Microsoft to see if there is something that needs to be configured on the DNS when you are using NAT.

Thank you,

Tim

hi,

I think you need to use the dns keyword after the static command to allow the DNS process to work properly. For example:

static (dmz,outside) external_ip internal_ip dns

Hope it is helpful.

Hi .. the dns parameter is used when you want to rewrite DNS responses (DNS doctoring). Please refer to the link below for an explanation.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hi .. I suggest mirroring the port of one of the DNS servers and looking at the packets using Ethereal .. basically you will need to check whether DNS requests are reaching the server and whether the server is sending the responses back ..

If the server is in fact sending responses back .. then the packets must be dropped in transit .. and you can start looking at whatever is between the firewall and the DNS server.

If the server is not sending responses back, then the issue is the server.

If the server is not receiving DNS requests at all from the Internet, then make sure that the access list applied to the outside interface allows DNS to the public address you are using in your static NAT commands.

Just out of curiosity, can you post the output of

show run | inc dns

from your PIX ..
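Pulling the advice in this thread together as one worked PIX 6.3 configuration fragment (the release a PIX 501 runs). This is an added example, not configuration posted by anyone in the thread. The addresses (203.0.113.x outside, 192.168.1.x inside), the interface names and the access-list name outside_in are assumptions chosen for illustration; the two commented-out lines show the dns keyword variant discussed above and when it is actually needed.

```cisco
! Added example (not from the thread): two public authoritative DNS servers
! behind a PIX 501 running 6.3. Assumed addressing, chosen for illustration:
!   outside interface  203.0.113.1/24     inside interface 192.168.1.1/24
!   public DNS IPs     203.0.113.10 / .11  internal DNS IPs 192.168.1.10 / .11
!
! 1. Static NAT. A static is bidirectional: it maps Internet traffic aimed at
!    the public IP onto the server AND translates the server's own outbound
!    (recursive) lookups back to that public IP. No dns keyword is needed for
!    Internet clients to query the servers.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
!
! 2. Inbound access list on the outside interface. Without this the PIX drops
!    the Internet queries before they reach the static, and a sniffer on the
!    server side sees nothing at all. Permit both UDP and TCP 53: TCP carries
!    zone transfers to your secondaries and retries of truncated answers.
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-list outside_in permit tcp any host 203.0.113.10 eq domain
access-list outside_in permit udp any host 203.0.113.11 eq domain
access-list outside_in permit tcp any host 203.0.113.11 eq domain
access-group outside_in in interface outside
!
! 3. Outbound. The non-authoritative lookups the servers make to root/TLD
!    servers leave through the inside interface, so each server's default
!    gateway must be the PIX inside address (192.168.1.1 here). If the inside
!    interface carries an outbound access list, it must permit udp/tcp 53 to any.
!
! 4. DNS doctoring (the dns keyword) is only for the case where a reply that
!    crosses the static carries the public IP and the client on the other side
!    needs the inside IP instead, e.g. an inside client querying an outside
!    resolver for www.example.com. The PIX rewrites the A record in that reply.
!    Internet clients resolving your zones do not need it. To enable it,
!    replace the static above with (6.3 puts dns before netmask):
! static (inside,outside) 203.0.113.10 192.168.1.10 dns netmask 255.255.255.255
! static (inside,outside) 203.0.113.11 192.168.1.11 dns netmask 255.255.255.255
!
! 5. Caveat: the DNS fixup drops replies longer than its maximum-length
!    (512 bytes by default on 6.3). If the server returns large EDNS0 answers,
!    raise it; confirm the keyword is accepted on your exact 6.3 release.
fixup protocol dns maximum-length 1500
!
! Checks on the PIX once applied:
!   show xlate                   -> one permanent xlate per static above
!   show access-list outside_in  -> hitcnt climbing on the udp 53 lines
!   show run | inc dns           -> the dns / fixup lines, as asked for above
```

Work the checks from the outside in, the way the last reply describes: if the access-list hit counts stay at zero the query never gets past the outside interface; if they climb and the server's sniffer still shows no replies, the fault is the server or its default gateway, not the PIX.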
