Pass DNS from DMZ to Inside

j.fielder
Level 1

Forgive my ignorance, I am new to the PIX firewall configuration. Here's what I'm trying to do. I have a proxy server (Microsoft ISA Server) in my DMZ with an address of 192.168.2.2. My DMZ interface address is 192.168.2.1. My Inside interface has an address of 172.16.1.1 and the DNS server on the Inside network is 172.16.40.140.

How can I set it so the server in the DMZ queries the DNS server on the inside network? Any help is greatly appreciated.

Jo

7 Replies

jmia
Level 7

I've actually looked at both of these articles already, but I still couldn't get it to work. I believe the statement I need is static (inside,dmz) and then the IPs, but I'm not sure how it is supposed to be structured. Any other ideas?

Thanks.

Jo

Jo,

What you are looking for is this:

> static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Have you got NAT running? If so, then when inside clients try to access a device on the dmz interface, their addresses will not be translated because of the above static command.

Hope this helps - Let me know how you get on.

Jay

So this will allow one-way access from my dmz server to the DNS server on the inside network, right? I assume I have to set an access list as well in order to allow port 53 access?

Jo

Jo,

You are correct - Hope this helps.

Jay

Jo,

Also, do 'clear xlate' after the changes to make the new translation active.

Thanks -

Jay

david.kane
Level 1

Jo,

You need to configure two things for traffic to flow through the PIX, regardless of the direction. Of course the interface setup, routing, and other stuff is needed as well, but I am only addressing this specific query.

First the PIX needs an address translation rule, which can be either a "static" or a "global/nat" depending on the requirement and situation.

Secondly, the PIX needs a security rule to permit the traffic, which can be the default "traffic from a higher security interface can pass to a lower security interface" rule or an ACL/conduit (conduits are not Cisco recommended).

In your case you will need to configure a static address translation for the DNS server on the inside network. Then you can create a security rule that will allow the proxy server to query the DNS server. A stab at some relevant config lines is below, but you will have to read up on the commands to fully understand their implications:

static (inside,DMZ) 172.16.40.140 172.16.40.140 netmask 255.255.255.255 0 0

access-list dmzacl permit udp host 192.168.2.2 host 172.16.40.140 eq domain

access-list dmzacl permit tcp host 192.168.2.2 host 172.16.40.140 eq domain

access-group dmzacl in interface DMZ

Now the first line creates the static that preserves the DNS server's IP address. The second and third lines create an ACL that permits the proxy server to establish DNS communications with the DNS server. And the fourth line applies the ACL to the DMZ interface.

A quick caveat. I am just grappling with ACLs myself, having used the conduit command instead in the past. So I cannot fully guarantee that the ACL will not have any other adverse effect; read up on them and decide for yourself. I can, however, be sure that if you replace lines 3, 4, and 5 with the following two conduits it will work (until Cisco retires the conduit command):

conduit permit udp host 172.16.40.140 eq domain host 192.168.2.2

conduit permit tcp host 172.16.40.140 eq domain host 192.168.2.2

Hope that helps,

David
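The two-part rule David lays out (a translation must exist, and a security rule must permit the flow) can be checked offline against a configuration before touching the box. As an added example, not code from the thread or from Cisco, the Python below parses the static/access-list/access-group lines from David's post (with the 'netmask' keyword in the static) and answers "would this new connection pass?" for a given flow. The interface security levels, the helper names and the embedded config text are assumptions made for this example; it models only the `eq PORT` destination-port form and ignores source-port operators and nat/global rules.

```python
"""Toy model of the check david.kane describes: a packet crossing the PIX needs
(1) an address translation and (2) a security rule. Added illustration, not
Cisco code; the security levels, helper names and embedded config (David's
lines, with the 'netmask' keyword added) are assumptions for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

SECURITY_LEVEL = {"inside": 100, "DMZ": 50, "outside": 0}  # assumed levels
SERVICE_PORTS = {"domain": 53, "www": 80, "https": 443, "smtp": 25}

# Constructed config for the thread's topology, not taken from a live PIX.
SAMPLE_CONFIG = """
static (inside,DMZ) 172.16.40.140 172.16.40.140 netmask 255.255.255.255 0 0
access-list dmzacl permit udp host 192.168.2.2 host 172.16.40.140 eq domain
access-list dmzacl permit tcp host 192.168.2.2 host 172.16.40.140 eq domain
access-group dmzacl in interface DMZ
"""

@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_net: IPv4Network
    real_net: IPv4Network

@dataclass
class Ace:
    action: str
    proto: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None means any destination port

def _addr(tok, i):
    """Consume one address spec (any | host X | NET MASK); return (network, next index)."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    return IPv4Network(tok[i] + "/" + tok[i + 1], strict=False), i + 2

def parse_config(text):
    cfg = {"statics": [], "acls": {}, "access_groups": {}}
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "static":
            real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
            cfg["statics"].append(Static(real_ifc, mapped_ifc,
                                         IPv4Network(tok[2] + "/" + mask, strict=False),
                                         IPv4Network(tok[3] + "/" + mask, strict=False)))
        elif tok and tok[0] == "access-list":
            # Only the 'dst eq PORT' form is modelled; source-port operators are ignored.
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            dport = None
            if i < len(tok) and tok[i] == "eq":
                dport = SERVICE_PORTS.get(tok[i + 1]) or int(tok[i + 1])
            cfg["acls"].setdefault(tok[1], []).append(Ace(tok[2], tok[3], src, dst, dport))
        elif tok and tok[0] == "access-group":
            cfg["access_groups"][tok[4]] = tok[1]  # 'access-group NAME in interface IFC'
    return cfg

def has_translation(cfg, in_ifc, out_ifc, src, dst):
    """Rule 1: a static must cover the flow in the direction it is initiated."""
    for s in cfg["statics"]:
        # Lower -> higher: the destination must be published on the ingress interface.
        if s.mapped_ifc == in_ifc and s.real_ifc == out_ifc and dst in s.mapped_net:
            return True
        # Higher -> lower: the source needs a translation toward the egress interface.
        if s.real_ifc == in_ifc and s.mapped_ifc == out_ifc and src in s.real_net:
            return True
    return False

def security_rule(cfg, in_ifc, out_ifc, proto, src, dst, dport):
    """Rule 2: a bound ACL decides (first match, implicit deny); else higher-to-lower only."""
    name = cfg["access_groups"].get(in_ifc)
    if name is None:
        ok = SECURITY_LEVEL[in_ifc] > SECURITY_LEVEL[out_ifc]
        return ok, "default higher-to-lower rule" if ok else "no ACL on lower-security interface"
    for ace in cfg["acls"][name]:
        if ace.proto not in ("ip", proto) or src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit", "matched %s entry in %s" % (ace.action, name)
    return False, "implicit deny at end of " + name

def check_flow(cfg, in_ifc, out_ifc, proto, src_ip, dst_ip, dport):
    """(allowed, reason) for a new connection entering on in_ifc and leaving on out_ifc."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    if not has_translation(cfg, in_ifc, out_ifc, src, dst):
        return False, "no static/nat translation covers this flow"
    return security_rule(cfg, in_ifc, out_ifc, proto, src, dst, dport)

CONFIG = parse_config(SAMPLE_CONFIG)
if __name__ == "__main__":
    print(check_flow(CONFIG, "DMZ", "inside", "udp", "192.168.2.2", "172.16.40.140", 53))
```

Running it shows why both pieces matter: DNS from 192.168.2.2 to 172.16.40.140 passes, the same source to any other inside host fails at the translation step (no static), and the same pair on a port other than 53 fails at the ACL's implicit deny. It also shows the side effect of binding an ACL to the DMZ interface: once `access-group` is applied, nothing else from the DMZ is permitted unless an entry says so.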