DNS Server/Alias Command?
10-28-2001 07:56 PM - edited 03-08-2019 08:59 PM
Hello all!
Thanks in advance if you can help me figure this out.
Problem:
Everything was working perfectly until I decided to bring our DNS servers inside the firewall. At first I thought it would be fine because I was going to set up a completely separate DNS server for the internet addresses and another one for the internal addresses. This works great for addresses that are on the inside interface of the PIX, but this does not work well for addresses that are in the DMZ1 zone.
What is happening is people on the internet are getting my internal IP addresses instead of the real ones. It would seem that our alias command is changing the outgoing DNS packets to the internal IP address.
The problem IP addresses are these:
64.32.181.145
64.32.181.153
64.32.181.161
64.32.181.169
64.32.181.177
64.32.181.185
So this alias configuration below is causing a problem with outside people getting internal, invalid IP addresses.
alias (inside) 10.0.1.193 64.32.181.193 255.255.255.255
alias (inside) 10.0.1.194 64.32.181.194 255.255.255.255
alias (inside) 10.0.1.195 64.32.181.195 255.255.255.255
alias (inside) 10.0.1.196 64.32.181.196 255.255.255.255
alias (inside) 10.0.1.197 64.32.181.197 255.255.255.255
alias (inside) 10.0.1.198 64.32.181.198 255.255.255.255
alias (inside) 10.0.1.199 64.32.181.199 255.255.255.255
alias (inside) 10.0.1.200 64.32.181.200 255.255.255.255
alias (inside) 10.0.1.201 64.32.181.201 255.255.255.255
alias (inside) 10.0.1.202 64.32.181.202 255.255.255.255
alias (inside) 10.0.1.203 64.32.181.203 255.255.255.255
alias (inside) 10.0.1.204 64.32.181.204 255.255.255.255
alias (inside) 64.32.181.145 10.1.0.145 255.255.255.255
alias (inside) 64.32.181.153 10.1.0.153 255.255.255.255
alias (inside) 64.32.181.161 10.1.0.161 255.255.255.255
alias (inside) 64.32.181.169 10.1.0.169 255.255.255.255
alias (inside) 64.32.181.177 10.1.0.177 255.255.255.255
alias (inside) 64.32.181.185 10.1.0.185 255.255.255.255
What I did to solve this problem as an interim measure was to remove these lines. This caused a new problem though.
alias (inside) 64.32.181.145 10.1.0.145 255.255.255.255
alias (inside) 64.32.181.153 10.1.0.153 255.255.255.255
alias (inside) 64.32.181.161 10.1.0.161 255.255.255.255
alias (inside) 64.32.181.169 10.1.0.169 255.255.255.255
alias (inside) 64.32.181.177 10.1.0.177 255.255.255.255
alias (inside) 64.32.181.185 10.1.0.185 255.255.255.255
Leaving me with:
alias (inside) 10.0.1.193 64.32.181.193 255.255.255.255
alias (inside) 10.0.1.194 64.32.181.194 255.255.255.255
alias (inside) 10.0.1.195 64.32.181.195 255.255.255.255
alias (inside) 10.0.1.196 64.32.181.196 255.255.255.255
alias (inside) 10.0.1.197 64.32.181.197 255.255.255.255
alias (inside) 10.0.1.198 64.32.181.198 255.255.255.255
alias (inside) 10.0.1.199 64.32.181.199 255.255.255.255
alias (inside) 10.0.1.200 64.32.181.200 255.255.255.255
alias (inside) 10.0.1.201 64.32.181.201 255.255.255.255
alias (inside) 10.0.1.202 64.32.181.202 255.255.255.255
alias (inside) 10.0.1.203 64.32.181.203 255.255.255.255
alias (inside) 10.0.1.204 64.32.181.204 255.255.255.255
The remaining alias commands are working as planned and are not changing the outside users' IPs to the internal ones. But since I removed the other alias commands, our internal users are unable to get to the websites. The commands I removed allowed internal users to get to the websites configured in the DMZ1.
Do you have any suggestions?
Bryan Reynolds
Obsidian Technologies Inc.
COMPLETE CONFIG
____________________________
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 DMZ2 security20
nameif ethernet4 DMZ3 security30
nameif ethernet5 DMZ4 security40
enable password 9o8Ov69cdVzdxjvS encrypted
passwd 9o8Ov69cdVzdxjvS encrypted
hostname pix1
domain-name obsidian-tech.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
no names
access-list acl_out permit tcp any host 64.32.181.195 eq www
access-list acl_out permit tcp any host 64.32.181.195 eq ftp
access-list acl_out permit tcp any host 64.32.181.195 eq ftp-data
access-list acl_out permit tcp any host 64.32.181.195 eq 8080
access-list acl_out permit tcp any host 64.32.181.145 eq www
access-list acl_out permit tcp any host 64.32.181.153 eq www
access-list acl_out permit tcp any host 64.32.181.161 eq www
access-list acl_out permit tcp any host 64.32.181.169 eq www
access-list acl_out permit tcp any host 64.32.181.177 eq www
access-list acl_out permit tcp any host 64.32.181.185 eq www
access-list acl_out permit tcp any host 64.32.181.193 eq pop3
access-list acl_out permit tcp any host 64.32.181.193 eq smtp
access-list acl_out permit tcp any host 64.32.181.194 eq 6667
access-list acl_out permit tcp any host 64.32.181.194 eq 7000
access-list acl_out permit tcp any host 64.32.181.196 eq www
access-list acl_out permit tcp any host 64.32.181.196 eq ftp
access-list acl_out permit tcp any host 64.32.181.196 eq ftp-data
access-list acl_out permit tcp any host 64.32.181.196 eq 8080
access-list acl_out permit tcp any host 64.32.181.196 eq 8081
access-list acl_out permit tcp any host 64.32.181.199 eq www
access-list acl_out permit tcp any host 64.32.181.197 eq www
access-list acl_out permit tcp any host 64.32.181.198 eq www
access-list acl_out permit tcp any any eq 6699
access-list acl_out permit udp any any eq 6257
access-list acl_out permit icmp any any
access-list acl_out permit gre any any
access-list acl_out permit tcp any host 64.32.181.196 eq 1723
access-list acl_out permit tcp any host 64.32.181.194 eq 7100
access-list acl_out permit tcp any host 64.32.181.202 eq domain
access-list acl_out permit udp any host 64.32.181.202 eq domain
access-list acl_out permit udp any host 64.32.181.203 eq domain
access-list acl_out permit tcp any host 64.32.181.203 eq domain
access-list acl_out permit tcp any host 64.32.181.200 eq 4747
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu DMZ3 1500
mtu DMZ4 1500
ip address outside 64.32.181.223 255.255.255.128
ip address inside 10.0.0.254 255.255.0.0
ip address DMZ1 10.1.0.254 255.255.0.0
ip address DMZ2 10.2.0.254 255.255.0.0
ip address DMZ3 10.3.0.254 255.255.0.0
ip address DMZ4 10.4.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address DMZ2 0.0.0.0
failover ip address DMZ3 0.0.0.0
failover ip address DMZ4 0.0.0.0
arp timeout 14400
global (outside) 1 64.32.181.205-64.32.181.220 netmask 255.255.255.0
global (outside) 1 64.32.181.221 netmask 255.255.255.0
global (DMZ1) 1 10.1.253.50-10.1.253.100 netmask 255.255.0.0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
alias (inside) 10.0.1.193 64.32.181.193 255.255.255.255
alias (inside) 10.0.1.194 64.32.181.194 255.255.255.255
alias (inside) 10.0.1.195 64.32.181.195 255.255.255.255
alias (inside) 10.0.1.196 64.32.181.196 255.255.255.255
alias (inside) 10.0.1.197 64.32.181.197 255.255.255.255
alias (inside) 10.0.1.198 64.32.181.198 255.255.255.255
alias (inside) 10.0.1.199 64.32.181.199 255.255.255.255
alias (inside) 10.0.1.200 64.32.181.200 255.255.255.255
alias (inside) 10.0.1.201 64.32.181.201 255.255.255.255
alias (inside) 10.0.1.202 64.32.181.202 255.255.255.255
alias (inside) 10.0.1.203 64.32.181.203 255.255.255.255
alias (inside) 10.0.1.204 64.32.181.204 255.255.255.255
alias (inside) 64.32.181.145 10.1.0.145 255.255.255.255
alias (inside) 64.32.181.153 10.1.0.153 255.255.255.255
alias (inside) 64.32.181.161 10.1.0.161 255.255.255.255
alias (inside) 64.32.181.169 10.1.0.169 255.255.255.255
alias (inside) 64.32.181.177 10.1.0.177 255.255.255.255
alias (inside) 64.32.181.185 10.1.0.185 255.255.255.255
static (DMZ1,outside) 64.32.181.145 10.1.0.145 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.153 10.1.0.153 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.161 10.1.0.161 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.169 10.1.0.169 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.177 10.1.0.177 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.185 10.1.0.185 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.193 10.0.1.193 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.194 10.0.1.194 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.195 10.0.1.195 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.196 10.0.1.196 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.197 10.0.1.197 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.198 10.0.1.198 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.202 10.0.1.202 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.203 10.0.1.203 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.204 10.0.1.204 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.199 10.0.1.199 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.200 10.0.1.200 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 64.32.181.222 1
timeout xlate 3:00:00
timeout conn 1:00:10 half-closed 0:10:00 udp 0:02:00 rpc 0:08:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 60
ssh timeout 60
terminal width 120
Cryptochecksum:6a1eab26fa7934e6de145c7ad44966db
10-29-2001 08:10 PM
Bryan,
My suggestion is as follows:
1) Remove all alias statements.
2) Have your internal DNS server respond to your internal clients with the real IP address of the servers.
3) Have the external DNS server respond with the outside IP address of the server (only those servers that need to be accessed from the outside world).
4) Place the external DNS server on a DMZ interface (preferably a separate interface).
I hope this helps. Please let us know if you are looking for another solution.
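A check a defender could run after making the change described above, as an added example that is not from the thread: it parses the static translations from the posted config and compares the answers an inside client and an Internet client receive for each name, flagging the symptom Bryan described (Internet clients handed a 10.x address) and any mismatch between the internal answer and the static that fronts the external answer. The hostnames and DNS answers are constructed; the static lines are copied from the posted config.

```python
import ipaddress
import re

# Excerpt of the "static" lines from the config posted in the thread.
STATIC_LINES = """
static (DMZ1,outside) 64.32.181.145 10.1.0.145 netmask 255.255.255.255 0 0
static (DMZ1,outside) 64.32.181.153 10.1.0.153 netmask 255.255.255.255 0 0
static (inside,outside) 64.32.181.193 10.0.1.193 netmask 255.255.255.255 0 0
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<global_ip>\S+)\s+(?P<local_ip>\S+)\s+netmask\s+\S+")

def parse_statics(text):
    """Map each global (outside) address to (local address, real interface)."""
    table = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            table[m["global_ip"]] = (m["local_ip"], m["real_if"])
    return table

def audit_split_dns(statics, internal_view, external_view):
    """Check the inside and Internet DNS views against the static table."""
    findings = []
    for name in sorted(set(internal_view) | set(external_view)):
        ext, loc = external_view.get(name), internal_view.get(name)
        if ext is None:
            continue
        if ipaddress.ip_address(ext).is_private:
            # The symptom in the thread: Internet clients get an RFC 1918 address.
            findings.append(f"{name}: external view leaks private address {ext}")
        elif ext not in statics:
            findings.append(f"{name}: external answer {ext} has no static translation")
        elif loc is not None and statics[ext][0] != loc:
            findings.append(f"{name}: internal answer {loc} does not match static for {ext}")
    return findings

# Constructed sample answers from the two DNS servers (hostnames are made up).
INTERNAL_VIEW = {"www.dmz.test": "10.1.0.145", "www2.dmz.test": "10.1.0.153",
                 "mail.dmz.test": "10.0.1.193"}
EXTERNAL_VIEW = {"www.dmz.test": "10.1.0.145",      # leaked 10.x address, as the poster saw
                 "www2.dmz.test": "64.32.181.153",  # correct: the outside address
                 "mail.dmz.test": "64.32.181.193"}

if __name__ == "__main__":
    for finding in audit_split_dns(parse_statics(STATIC_LINES), INTERNAL_VIEW, EXTERNAL_VIEW):
        print(finding)
```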
10-30-2001 11:16 AM
That did it!
Exactly what you said worked like a charm.
I really appreciate it!
Bryan Reynolds
