DNS Server/Alias Command?

bryanr
Level 1

Hello all!

Thanks in advance if you can help me figure this out.

Problem:

Everything was working perfectly until I decided to bring our DNS servers inside the firewall. At first I thought it would be fine because I was going to set up a completely separate DNS server for the internet addresses and another one for the internal addresses. This works great for addresses that are on the inside interface of the PIX, but this does not work well for addresses that are in the DMZ1 zone.

What is happening is people on the internet are getting my internal IP addresses instead of the real ones. It would seem that our alias command is changing the outgoing DNS packets to the internal IP address.

The problem IP addresses are these:

64.32.181.145
64.32.181.153
64.32.181.161
64.32.181.169
64.32.181.177
64.32.181.185

So this alias configuration below is causing a problem with outside people getting internal, invalid IP addresses.

alias (inside) 10.0.1.193 64.32.181.193 255.255.255.255
alias (inside) 10.0.1.194 64.32.181.194 255.255.255.255
alias (inside) 10.0.1.195 64.32.181.195 255.255.255.255
alias (inside) 10.0.1.196 64.32.181.196 255.255.255.255
alias (inside) 10.0.1.197 64.32.181.197 255.255.255.255
alias (inside) 10.0.1.198 64.32.181.198 255.255.255.255
alias (inside) 10.0.1.199 64.32.181.199 255.255.255.255
alias (inside) 10.0.1.200 64.32.181.200 255.255.255.255
alias (inside) 10.0.1.201 64.32.181.201 255.255.255.255
alias (inside) 10.0.1.202 64.32.181.202 255.255.255.255
alias (inside) 10.0.1.203 64.32.181.203 255.255.255.255
alias (inside) 10.0.1.204 64.32.181.204 255.255.255.255
alias (inside) 64.32.181.145 10.1.0.145 255.255.255.255
alias (inside) 64.32.181.153 10.1.0.153 255.255.255.255
alias (inside) 64.32.181.161 10.1.0.161 255.255.255.255
alias (inside) 64.32.181.169 10.1.0.169 255.255.255.255
alias (inside) 64.32.181.177 10.1.0.177 255.255.255.255
alias (inside) 64.32.181.185 10.1.0.185 255.255.255.255

What I did to solve this problem as an interim measure was to remove these lines. This caused a new problem though.

alias (inside) 64.32.181.145 10.1.0.145 255.255.255.255
alias (inside) 64.32.181.153 10.1.0.153 255.255.255.255
alias (inside) 64.32.181.161 10.1.0.161 255.255.255.255
alias (inside) 64.32.181.169 10.1.0.169 255.255.255.255
alias (inside) 64.32.181.177 10.1.0.177 255.255.255.255
alias (inside) 64.32.181.185 10.1.0.185 255.255.255.255

Leaving me with:

alias (inside) 10.0.1.193 64.32.181.193 255.255.255.255
alias (inside) 10.0.1.194 64.32.181.194 255.255.255.255
alias (inside) 10.0.1.195 64.32.181.195 255.255.255.255
alias (inside) 10.0.1.196 64.32.181.196 255.255.255.255
alias (inside) 10.0.1.197 64.32.181.197 255.255.255.255
alias (inside) 10.0.1.198 64.32.181.198 255.255.255.255
alias (inside) 10.0.1.199 64.32.181.199 255.255.255.255
alias (inside) 10.0.1.200 64.32.181.200 255.255.255.255
alias (inside) 10.0.1.201 64.32.181.201 255.255.255.255
alias (inside) 10.0.1.202 64.32.181.202 255.255.255.255
alias (inside) 10.0.1.203 64.32.181.203 255.255.255.255
alias (inside) 10.0.1.204 64.32.181.204 255.255.255.255

The remaining alias commands are working as planned and are not changing the outside users' IPs to the internal ones. But since I removed the other alias commands, our internal users are unable to get to the websites. The commands I removed are what allow internal users to get to the websites configured in the DMZ1.

Do you have any suggestions?

Bryan Reynolds

Obsidian Technologies Inc.

COMPLETE CONFIG

____________________________

PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 DMZ2 security20
nameif ethernet4 DMZ3 security30
nameif ethernet5 DMZ4 security40
enable password 9o8Ov69cdVzdxjvS encrypted
passwd 9o8Ov69cdVzdxjvS encrypted
hostname pix1
domain-name obsidian-tech.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
no names
access-list acl_out permit tcp any host 64.32.181.195 eq www
access-list acl_out permit tcp any host 64.32.181.195 eq ftp
access-list acl_out permit tcp any host 64.32.181.195 eq ftp-data
access-list acl_out permit tcp any host 64.32.181.195 eq 8080
access-list acl_out permit tcp any host 64.32.181.145 eq www
access-list acl_out permit tcp any host 64.32.181.153 eq www
access-list acl_out permit tcp any host 64.32.181.161 eq www
access-list acl_out permit tcp any host 64.32.181.169 eq www
access-list acl_out permit tcp any host 64.32.181.177 eq www
access-list acl_out permit tcp any host 64.32.181.185 eq www
access-list acl_out permit tcp any host 64.32.181.193 eq pop3
access-list acl_out permit tcp any host 64.32.181.193 eq smtp
access-list acl_out permit tcp any host 64.32.181.194 eq 6667
access-list acl_out permit tcp any host 64.32.181.194 eq 7000
access-list acl_out permit tcp any host 64.32.181.196 eq www
access-list acl_out permit tcp any host 64.32.181.196 eq ftp
access-list acl_out permit tcp any host 64.32.181.196 eq ftp-data
access-list acl_out permit tcp any host 64.32.181.196 eq 8080
access-list acl_out permit tcp any host 64.32.181.196 eq 8081
access-list acl_out permit tcp any host 64.32.181.199 eq www
access-list acl_out permit tcp any host 64.32.181.197 eq www
access-list acl_out permit tcp any host 64.32.181.198 eq www
access-list acl_out permit tcp any any eq 6699
access-list acl_out permit udp any any eq 6257
access-list acl_out permit icmp any any
access-list acl_out permit gre any any
access-list acl_out permit tcp any host 64.32.181.196 eq 1723
access-list acl_out permit tcp any host 64.32.181.194 eq 7100
access-list acl_out permit tcp any host 64.32.181.202 eq domain
access-list acl_out permit udp any host 64.32.181.202 eq domain
access-list acl_out permit udp any host 64.32.181.203 eq domain
access-list acl_out permit tcp any host 64.32.181.203 eq domain
access-list acl_out permit tcp any host 64.32.181.200 eq 4747
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu DMZ3 1500
mtu DMZ4 1500
ip address outside 64.32.181.223 255.255.255.128
ip address inside 10.0.0.254 255.255.0.0
ip address DMZ1 10.1.0.254 255.255.0.0
ip address DMZ2 10.2.0.254 255.255.0.0
ip address DMZ3 10.3.0.254 255.255.0.0
ip address DMZ4 10.4.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address DMZ2 0.0.0.0
failover ip address DMZ3 0.0.0.0
failover ip address DMZ4 0.0.0.0
arp timeout 14400
global (outside) 1 64.32.181.205-64.32.181.220 netmask 255.255.255.0
global (outside) 1 64.32.181.221 netmask 255.255.255.0
global (DMZ1) 1 10.1.253.50-10.1.253.100 netmask 255.255.0.0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
alias (inside) 10.0.1.193 64.32.181.193 255.255.255.255
alias (inside) 10.0.1.194 64.32.181.194 255.255.255.255
alias (inside) 10.0.1.195 64.32.181.195 255.255.255.255
alias (inside) 10.0.1.196 64.32.181.196 255.255.255.255
alias (inside) 10.0.1.197 64.32.181.197 255.255.255.255
alias (inside) 10.0.1.198 64.32.181.198 255.255.255.255
alias (inside) 10.0.1.199 64.32.181.199 255.255.255.255
alias (inside) 10.0.1.200 64.32.181.200 255.255.255.255
alias (inside) 10.0.1.201 64.32.181.201 255.255.255.255
alias (inside) 10.0.1.202 64.32.181.202 255.255.255.255
alias (inside) 10.0.1.203 64.32.181.203 255.255.255.255
alias (inside) 10.0.1.204 64.32.181.204 255.255.255.255
alias (inside) 64.32.181.145 10.1.0.145 255.255.255.255
alias (inside) 64.32.181.153 10.1.0.153 255.255.255.255
alias (inside) 64.32.181.161 10.1.0.161 255.255.255.255
alias (inside) 64.32.181.169 10.1.0.169 255.255.255.255
alias (inside) 64.32.181.177 10.1.0.177 255.255.255.255
alias (inside) 64.32.181.185 10.1.0.185 255.255.255.255
static (DMZ1,outside) 64.32.181.145 10.1.0.145 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.153 10.1.0.153 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.161 10.1.0.161 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.169 10.1.0.169 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.177 10.1.0.177 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.185 10.1.0.185 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.193 10.0.1.193 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.194 10.0.1.194 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.195 10.0.1.195 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.196 10.0.1.196 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.197 10.0.1.197 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.198 10.0.1.198 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.202 10.0.1.202 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.203 10.0.1.203 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.204 10.0.1.204 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.199 10.0.1.199 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.200 10.0.1.200 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 64.32.181.222 1
timeout xlate 3:00:00
timeout conn 1:00:10 half-closed 0:10:00 udp 0:02:00 rpc 0:08:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 60
ssh timeout 60
terminal width 120
Cryptochecksum:6a1eab26fa7934e6de145c7ad44966db

2 Replies

rrbleeker
Level 1

Bryan,

My suggestion is as follows:

1) Remove all alias statements.

2) Have your internal DNS server respond to your internal clients with the real IP address of the servers.

3) Have the external DNS server respond with the outside IP address of the server (only those servers that need to be accessed from the outside world).

4) Place the external DNS server on a DMZ interface (preferably a separate interface).

I hope this helps. Please let us know if you are looking for another solution.
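Once the alias lines are gone, the two DNS servers are the only thing keeping the views consistent, so it is worth checking them against the PIX static table. The script below is an added example, not code from the thread: it takes the real-to-public pairs from the static statements in the posted config, plus constructed answers from a hypothetical internal and external DNS server (the hostnames are invented), and reports exactly the failure Bryan hit (a private address handed to the internet) as well as external answers that do not match the static for that host.

```python
import ipaddress

# Real -> public pairs copied from the "static" lines of the PIX config in the thread.
STATICS = {
    "10.1.0.145": "64.32.181.145",
    "10.1.0.153": "64.32.181.153",
    "10.1.0.161": "64.32.181.161",
    "10.1.0.169": "64.32.181.169",
    "10.1.0.177": "64.32.181.177",
    "10.1.0.185": "64.32.181.185",
    "10.0.1.195": "64.32.181.195",
    "10.0.1.202": "64.32.181.202",
}

# Constructed sample answers; the hostnames are hypothetical, not from the thread.
INTERNAL_VIEW = {
    "www1.example.com": "10.1.0.145",
    "www2.example.com": "10.1.0.153",
    "ftp.example.com": "10.0.1.195",
    "ns1.example.com": "10.0.1.202",
}
EXTERNAL_VIEW = {
    "www1.example.com": "64.32.181.145",
    "www2.example.com": "10.1.0.153",     # leak: private address given to the internet
    "ftp.example.com": "64.32.181.196",   # mismatch: wrong public address for this host
    "ns1.example.com": "64.32.181.202",
}


def audit_split_dns(internal, external, statics):
    """Return a list of findings; an empty list means the two views agree."""
    findings = []
    # 1) Nothing the external server answers may be RFC 1918 space.
    for name, addr in external.items():
        if ipaddress.ip_address(addr).is_private:
            findings.append(f"LEAK {name}: external DNS answers private {addr}")
    # 2) For every name published externally, the public answer must be the
    #    static that the PIX maps onto the real address the internal view gives.
    for name, real in internal.items():
        public = external.get(name)
        if public is None:
            continue  # internal-only name, nothing to reconcile
        expected = statics.get(real)
        if public != expected:
            findings.append(f"MISMATCH {name}: external {public}, static for {real} is {expected}")
    return findings


if __name__ == "__main__":
    for line in audit_split_dns(INTERNAL_VIEW, EXTERNAL_VIEW, STATICS):
        print(line)
```

Feeding the script the answers from live resolvers (for example from a scheduled job) turns the one-off debugging done in this thread into a standing check.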

That did it!

Exactly what you said worked like a charm.

I really appreciate it!

Bryan Reynolds