PIX AND DNS REVERSE LOOKUP PROBLEMS

rlowe26
Level 1

I need help, Ladies and Gentlemen. I have a PIX 515 w/failover. On one of my networks, I have people that have to get to a certain .mil site, but when they attempt to hit certain links off of it, they can't get to it. When I do a reverse DNS lookup check, it tells me that it is unable to translate my IP address to a host name, and it is reflecting my PAT address on my PIX. Now, of course, if I get on one of my outside DNS servers, I can get to the links with no problem. Furthermore, I have a DNS entry on my outside DNS server for my global PAT address, and it still does not translate.

I have tried everything on Cisco's site to fix this situation, to no avail.

This is a much needed item, but I also want to keep my network locked down, and yes, I know I can't have my cake and eat it too, but any information/guidance on this would be greatly appreciated.

Can someone please help me with this one? I always try to do things myself, but this is one thing that is kicking my tail. Please help!

14 Replies

mhussein
Level 4

You need to configure a reverse lookup entry on your DNS server for the PAT address. This type of DNS entry is referred to as a PTR record.

Example:

If your PAT DNS entry is users.domain.com and the address is 192.168.7.8, then on the DNS server do the following:

- Check to see if you have a "7.168.192.in-addr.arpa" reverse lookup zone, if not then create it.

- Add an entry for your IP address as follows (name, type, data):

8 PTR users.domain.com.

- Wait for about a day or two for the DNS to replicate globally, and then do a test. You can test this by asking a friend to do a "ping -a 192.168.7.8" (windoze) from their network, or use any proxy checking or traceroute web sites out there.

HTH,

Regards,

Mustafa
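A worked version of the PTR setup described in the reply above, added here as an illustration; it is not code from Mustafa's reply, from the original poster, or from Cisco. It derives the reverse zone and PTR owner name from an address, emits the zone-file line to add, and runs the forward-confirmed check (the PTR target's A record must come back to the same address) that a remote server typically applies to a client's source address. The FORWARD and REVERSE dictionaries are constructed stand-ins for the zones on a public DNS server and reuse the reply's own sample name and address; `live_ptr` asks whatever resolver the host actually uses and needs network access.

```python
"""Reverse DNS helpers for a NAT/PAT address (added example, not from the thread).

FORWARD and REVERSE are constructed stand-ins for the zones on a DNS server,
using the sample name and address from the reply above.
"""
import ipaddress
import socket

# Constructed sample zone data: what the public DNS server should hold.
FORWARD = {"users.domain.com.": "192.168.7.8"}                 # A record
REVERSE = {"8.7.168.192.in-addr.arpa.": "users.domain.com."}   # PTR record


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record: 192.168.7.8 -> 8.7.168.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def reverse_zone(ip: str) -> str:
    """The /24 reverse zone that has to exist before the record can be added."""
    a, b, c, _ = ip.split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def ptr_record_line(ip: str, hostname: str) -> str:
    """Zone-file line (name, type, data) to add inside reverse_zone(ip)."""
    label = ip.split(".")[-1]
    fqdn = hostname if hostname.endswith(".") else hostname + "."
    return f"{label}\tIN\tPTR\t{fqdn}"


def check_fcrdns(ip: str, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS over the in-memory zones.

    Passes only when the address has a PTR and the PTR target's A record
    points back at the same address; returns (ok, explanation).
    """
    name = reverse.get(reverse_name(ip))
    if name is None:
        return False, f"no PTR for {ip} in zone {reverse_zone(ip)}"
    addr = forward.get(name)
    if addr is None:
        return False, f"PTR target {name} has no A record"
    if addr != ip:
        return False, f"PTR target {name} resolves to {addr}, not {ip}"
    return True, f"{ip} -> {name} -> {addr}"


def live_ptr(ip: str):
    """Same question put to the resolver this host really uses (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    print("record to add:", ptr_record_line("192.168.7.8", "users.domain.com"))
    for ip in ("192.168.7.8", "192.168.7.9"):
        print(ip, check_fcrdns(ip))
```

The mismatch branch is the one worth keeping in mind for a PAT address: a PTR that names a host whose A record points somewhere else fails the forward-confirmed test just as surely as a missing PTR does, so the A record for the name and the PTR for the global address have to agree.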

Mustafa,

I had already done that a long time ago. It still does not work.

Ron

We do a lot of work with the DoD. What are the URLs, the good ones and the bad ones? Maybe I can help after I look at it. Just as an FYI, the DoD does a lot of reverse proxy stuff, and they also have a lot of caching engines that do different things, but let's take a look.

Let me know.

I know it has to be my firewall. If I'm on the outside DNS server, I can get to all the sites and links. However, from the inside of the firewall, I cannot get to those certain links.

Additional information would be very helpful. Reason being, I am kind of confused on this, and why you believe it is your firewall. If you can get to certain .mil sites and then when you need to try and get to certain links off that site it doesn't work, right? Are the sites you can get to and the ones you cannot in the same domain? Meaning, are they all under (example) http://www.noway.mil? Is the good site http://www.noway.mil and the links they need to get to http://www.noway.mil/notgoingtohappen/nochance.html, or something like that, or are they completely different domains, http://www.noway.mil and http://www.lastchance.mil?

As I said above, additional information would be great, and I am not so sure this is pointing at your firewall, but more information is needed.

Thanks.

I can get to www.noway.mil with no problem. Most of the links within www.noway.mil I can get to; however, there are some that I cannot. It just hangs there. Now, if I go to one of my outside DNS servers and do the exact same thing, I have NO PROBLEMS...

Just for testing, have you tried to take an inside client and point it to the outside DNS to see if it works?

Yes, that does work, but for one client ONLY. I did that with a STATIC command on the PIX, pointing it to the outside DNS server address. However, I cannot do multiple static entries. I have numerous clients that need access to those specific links.

Just to verify your scenario, you have a PAT address as in:

global (outside) 1 7.7.7.7

and you have both an A and a PTR DNS record associated with the IP address that appears on the "global" command.

If that is the case, then the problem is more likely DNS server related.

Are you maintaining your own public DNS server? Is the subnet you are advertising larger than a /27 bit mask?

Is the problem intermittent?

Please try any traceroute web sites such as:

http://network-tools.com/

and http://visualroute.visualware.com/

and see if your address is resolved.
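The subnet-size question above matters because reverse DNS is delegated on /24 boundaries: an address inside a block smaller than a /24 can only get a PTR if the holder of the parent zone delegates the block classlessly (RFC 2317), with CNAMEs in the parent pointing into a child zone the customer controls. The example below, added here and not part of this reply or of the original poster's configuration, builds both sides of such a delegation and walks the CNAME chain the way a resolver does. It assumes, purely for illustration, that the poster's PAT address 213.13.0.250 sits in a 213.13.0.224/27 block, that the customer name server is ns1.example.net. and that the PAT address should be named pat.example.net.; none of those values come from the thread, and all records are constructed.

```python
"""RFC 2317 classless in-addr.arpa delegation (added example, not from the thread).

Assumed, not stated in the thread: the PAT address 213.13.0.250 lives in
213.13.0.224/27, the customer's name server is ns1.example.net. and the PAT
address's hostname is pat.example.net. All records below are constructed.
"""
import ipaddress


def classless_delegation(cidr: str, ptrs: dict, child_ns: str):
    """Return (parent_zone, child_zone, parent_records, child_records).

    parent_records are what the ISP adds to the /24 reverse zone: one NS for
    the child zone plus a CNAME for every address in the block.
    child_records are the PTRs the customer serves from the child zone.
    Records are {owner_name: (rtype, rdata)} with fully qualified names.
    """
    net = ipaddress.IPv4Network(cidr)
    if net.prefixlen <= 24:
        raise ValueError("a /24 or larger is a classic reverse zone; no RFC 2317 needed")
    o = str(net.network_address).split(".")
    parent_zone = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"
    child_zone = f"{o[3]}/{net.prefixlen}.{parent_zone}"   # RFC 2317 naming convention

    parent = {f"{child_zone}.": ("NS", child_ns)}
    for addr in net:  # every address in the block, network and broadcast included
        label = str(addr).split(".")[-1]
        parent[f"{label}.{parent_zone}."] = ("CNAME", f"{label}.{child_zone}.")

    child = {}
    for ip, host in ptrs.items():
        if ipaddress.IPv4Address(ip) not in net:
            raise ValueError(f"{ip} is outside {cidr}")
        label = ip.split(".")[-1]
        child[f"{label}.{child_zone}."] = ("PTR", host)
    return parent_zone, child_zone, parent, child


def resolve_ptr(ip: str, records: dict, max_hops: int = 8):
    """Answer a PTR query over the constructed records, following CNAMEs.

    Returns the PTR target, or None when the chain breaks (no record, a
    CNAME to a name nobody serves, or a non-PTR answer)."""
    name = ipaddress.IPv4Address(ip).reverse_pointer + "."
    for _ in range(max_hops):
        rr = records.get(name)
        if rr is None:
            return None
        rtype, rdata = rr
        if rtype == "PTR":
            return rdata
        if rtype == "CNAME":
            name = rdata
            continue
        return None  # NS or other type is not an answer to a PTR query
    return None


def zone_lines(records: dict):
    """Render records as zone-file lines (name, type, data)."""
    return [f"{name}\tIN\t{rtype}\t{rdata}" for name, (rtype, rdata) in records.items()]


if __name__ == "__main__":
    pz, cz, parent, child = classless_delegation(
        "213.13.0.224/27", {"213.13.0.250": "pat.example.net."}, "ns1.example.net.")
    print(f"ISP adds to {pz}:")
    print("\n".join(zone_lines(parent)[:3]), "\n...")
    print(f"customer serves {cz}:")
    print("\n".join(zone_lines(child)))
    print("resolves to:", resolve_ptr("213.13.0.250", {**parent, **child}))
```

The failure case `resolve_ptr` models is the common one in practice: the ISP has put the CNAMEs in place, but the customer's child zone has no PTR for the address, so a remote server sees the CNAME, follows it, and gets nothing. Checking the PAT address from outside the network (as the reply suggests) is the only way to see the chain the way the .mil server sees it.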

If it isn't any trouble, can you please paste your PIX config (minus the sensitive info)? Also, can you let me know which interface the clients/systems are off of that aren't working? And can you let me know which interface the internal DNS is off of that these clients normally point to for DNS?

Thanks!

Outside Int 213.13.0.2

Inside Int 172.16.1.5

Global PAT Address 1 213.13.0.250

NAT 1 0.0.0.0 0.0.0.0

Like I said, my configs are correct.

Well then, if they're correct, they're correct. I was only trying to get a better understanding, because I got confused when above you stated that you used a "STATIC" to point your client to the external DNS. I wasn't sure why you didn't use a combination of global, nat, and ACLs. I was under the impression that "STATIC" commands were only used to make exceptions in the PIX's ASA.

Good luck!

The static entry was a temporary fix for ONE client only. I have multiple clients that need access to those links, and the one-client access is not acceptable. Thanks for trying though. Ron
