11-08-2007 08:42 AM - edited 03-03-2019 07:27 PM
I have a pair of failover Pix 515e running software (8.02) and I have 6 interfaces. Outside, inside, inside2, DMZ1, DMZ2, failover.
DMZ2 contains our external DNS server that services DNS requests for our domain and several client's domains that we host. We recently moved a client's dedicated server to DMZ2 and now DNS doesn't work between that server and our DNS server because they are always looking to route to the external IP but they are on the same switch and interface of the Pix.
What I need to know is how can I either route the traffic so it doesn't try to go out and back in or some solution for servicing DNS requests to outside and locally differently. Any help is greatly appreciated.
11-08-2007 09:03 AM
I've read your post a few times and am still a little confused. Could you rephrase what the actual problem is?
11-08-2007 09:09 AM
Sure. I have an external DNS server on DMZ2 that services outside DNS requests. So a DNS request comes in for ourcompany.com and we reply with x.y.z.123 (an externally routable IP). That's all working as it should.
We recently moved a web/email server to DMZ2 so it's now in the same switch as the DNS server mentioned above and when it tries to query ourcompany.com to send email to us it fails because it is trying to connect to the outside IP of the server instead of the 10.0.x.x IP. How can I make this work?
11-08-2007 09:12 AM
Is your mail server also on DMZ2?
11-08-2007 09:19 AM
If so, you should be able to accomplish this with hairpinning. This will allow the traffic to bounce off the DMZ2 interface and be destination nat'd.
If your mail server ip's are as follows...
public ip = x.y.z.123
private ip = 10.0.x.x
then...
same-security-traffic permit intra-interface
static (DMZ2,DMZ2) x.y.z.123 10.0.x.x netmask 255.255.255.255
global (DMZ2) 10 interface
nat (DMZ2) 10 0 0
Let me know if that helps.
11-08-2007 12:54 PM
I added the statics for both systems on DMZ2:
static (DMZ2,DMZ2) x.y.z.123 10.0.x.123 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.8 10.0.x.8 netmask 255.255.255.255
And now I'm seeing deny errors, something about an ACL:
2 106001 10.0.x.8 x.y.z.123 Inbound TCP connection denied from 10.0.x.8/33773 to x.y.z.123/25 flags SYN on interface DMZ2
11-08-2007 01:08 PM
Do you want to post more of the config?
11-08-2007 01:11 PM
Sure, what part do you need?
11-08-2007 01:22 PM
I'm not sure, haha.
11-08-2007 01:50 PM
Here's what I think is relevant:
global (outside) 200 interface
global (inside) 200 interface
global (DMZ1) 200 interface
global (inside2) 200 interface
global (DMZ2) 200 interface
nat (inside) 200 192.168.x.0 255.255.0.0
nat (DMZ1) 200 10.0.x.0 255.255.255.0
nat (inside2) 0 access-list inside2_outbound_nat0_acl
nat (inside2) 200 10.0.x.0 255.255.255.0
access-list DMZ2_access_in extended permit tcp host 10.0.x.8 any eq smtp
access-list DMZ2_access_in extended permit tcp host 10.0.x.123 any eq smtp
access-list outside_access_in extended permit tcp any host x.y.z.8 eq smtp
access-list outside_access_in extended permit tcp any host x.y.z.123 eq smtp
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ1_access_in in interface DMZ1
access-group inside2_access_in in interface inside2
access-group DMZ2_access_in in interface DMZ2
static (DMZ2,outside) x.y.z.8 10.0.x.8 netmask 255.255.255.255
static (DMZ2,outside) x.y.z.123 10.0.x.123 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.8 10.0.x.8 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.123 10.0.x.123 netmask 255.255.255.255
11-08-2007 01:56 PM
Did you add...
same-security-traffic permit intra-interface
Also, did you try it with..
nat (DMZ2) 200 0 0
11-08-2007 02:05 PM
I did not add same-security-traffic permit intra-interface because I'm not sure what that will do to the rest of my traffic. Is there a way to only apply that access to DMZ2 and not all interfaces?
I did not do nat (DMZ2) 200 0 0 what will that do?
11-08-2007 02:39 PM
same-security-traffic permit intra-interface should not affect other traffic. It only allows traffic to enter and exit the same interface, which is what this situation needs. The packet will arrive at the DMZ2 interface with a destination address of x.y.z.123. The destination nat statement will change that destination address to 10.0.x.123.
IMPORTANT QUESTION: I asked this before and you didn't answer. Is 10.0.x.123 also on DMZ2? If not, forget everything I put above.
From the look of your config it looks like 10.0.x.123 is on DMZ1?
If that is the case then you really only need...
static (DMZ2,DMZ1) x.y.z.8 10.0.x.8 netmask 255.255.255.255
static (DMZ2,DMZ1) x.y.z.123 10.0.x.123 netmask 255.255.255.255
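Added example, not part of this thread and not Cisco's code: a small Python model of the forwarding decision described in the hairpinning answer above and in this post (static untranslation of the destination, plus the same-security-traffic permit intra-interface switch). It reproduces the deny the poster saw before that command was added, the working hairpin after it, and the DMZ1 variant that needs a (DMZ2,DMZ1) static. The addresses (203.0.113.x for x.y.z.x, 10.0.5.0/24 for DMZ2, 10.0.4.0/24 for DMZ1) are constructed stand-ins for the thread's placeholders; ACLs, security levels and dynamic NAT are deliberately left out of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped real' line (PIX 7.x/8.0 syntax)."""
    real_if: str    # interface the real host sits behind
    mapped_if: str  # interface on which the mapped (public) address is visible
    mapped: str
    real: str


@dataclass
class Firewall:
    """Simplified PIX: connected subnets per interface, static NATs, and the
    'same-security-traffic permit intra-interface' switch. Everything else
    (ACLs, security levels, dynamic NAT, routing table) is omitted."""
    subnets: dict            # interface name -> connected subnet as a string
    statics: list
    intra_interface: bool = False

    def owning_interface(self, addr):
        """Interface whose connected subnet holds addr; default route is outside."""
        for name, net in self.subnets.items():
            if ip_address(addr) in ip_network(net):
                return name
        return "outside"

    def forward(self, in_if, src, dst):
        """Return ('permit', egress_if, translated_dst) or ('deny', reason, None)."""
        # A static whose mapped side faces the ingress interface untranslates the
        # destination and, by its real_if, also decides the egress interface.
        for s in self.statics:
            if s.mapped_if == in_if and s.mapped == dst:
                real_dst, out_if = s.real, s.real_if
                break
        else:
            real_dst, out_if = dst, self.owning_interface(dst)
        # Leaving through the ingress interface is dropped unless hairpinning is enabled.
        if out_if == in_if and not self.intra_interface:
            return ("deny", "intra-interface forwarding not permitted", None)
        return ("permit", out_if, real_dst)


def build(intra_interface, extra_statics=()):
    """Constructed config mirroring the thread: two DMZ2 hosts with outside and DMZ2 statics."""
    statics = [
        Static("DMZ2", "outside", "203.0.113.123", "10.0.5.123"),
        Static("DMZ2", "outside", "203.0.113.8", "10.0.5.8"),
        Static("DMZ2", "DMZ2", "203.0.113.123", "10.0.5.123"),
        Static("DMZ2", "DMZ2", "203.0.113.8", "10.0.5.8"),
        *extra_statics,
    ]
    subnets = {"DMZ1": "10.0.4.0/24", "DMZ2": "10.0.5.0/24", "inside": "192.168.0.0/16"}
    return Firewall(subnets, statics, intra_interface)


def hairpin_demo():
    """Mail host 10.0.5.8 on DMZ2 connects to the DNS host's public address."""
    before = build(False).forward("DMZ2", "10.0.5.8", "203.0.113.123")
    after = build(True).forward("DMZ2", "10.0.5.8", "203.0.113.123")
    # Ordinary inbound flow from the Internet still lands on DMZ2.
    from_outside = build(True).forward("outside", "198.51.100.7", "203.0.113.123")
    # If the client host were on DMZ1 instead, the DMZ2 statics never match:
    # the packet heads for the outside interface untranslated...
    from_dmz1 = build(True).forward("DMZ1", "10.0.4.20", "203.0.113.123")
    # ...until a static (DMZ2,DMZ1) makes the public address visible on DMZ1.
    dmz1_static = Static("DMZ2", "DMZ1", "203.0.113.123", "10.0.5.123")
    from_dmz1_fixed = build(True, [dmz1_static]).forward("DMZ1", "10.0.4.20", "203.0.113.123")
    return {
        "before": before,
        "after": after,
        "from_outside": from_outside,
        "from_dmz1": from_dmz1,
        "from_dmz1_fixed": from_dmz1_fixed,
    }


if __name__ == "__main__":
    for name, result in hairpin_demo().items():
        print(f"{name:16} {result}")
```

The model is only as good as its two rules, but it makes the dependency explicit: the (DMZ2,DMZ2) static alone rewrites the destination yet still yields a same-interface egress, and only the intra-interface permit lets that flow through. On the real box, the place to confirm what is happening is the packet-tracer output and the 106001 syslog the poster quoted.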
11-09-2007 05:15 AM
Sorry, to answer your question yes both of these systems are on DMZ2. I will give this a try and let you know how it goes, thanks for your help so far!
11-09-2007 06:10 AM
OK, this is mostly working now, the only problem I have is with DNS queries. The error I get is:
(inspect-dns-invalid-pak) DNS Inspect invalid packet
I know it has something to do with DNS inspection but I'm not sure what. Here's my inspection config:
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 513
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ftp