Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1997
Views
0
Helpful
0
Comments

PIX Firewall internal hosts are unable to browse to an internal Web server by name with external DNS

TCC_2
Level 10
Level 10

‎06-22-2009 05:06 PM - edited ‎03-08-2019 06:21 PM

Core issue

Hosts on the internal LAN are unable to browse to the internal server by the Domain Name System (DNS) name of the server. However, hosts are able to browse by IP address. The rules of TCP do not allow the inside users to access the server. However there are workarounds for this issue. 

For example, imagine that the real IP address of the Web server is 10.10.10.10 and public address is 99.99.99.99. DNS resolves 99.99.99.99 to www.mydomain.com. If the inside host (for example, 10.10.10.25) attempts to go to www.mydomain.com, the browser resolves that to 99.99.99.99. Then the browser sends that packet off to the PIX Firewall, which in turn sends it off to the Internet router. The Internet router already has a directly connected subnet of 99.99.99.x. It therefore assumes that packet is not intended for it but instead a directly connected host, and drops this packet.

To get around this issue, the inside host either must resolve www.mydomain.com to its real 10.10.10.10 address or the outside segment must be taken off the 99.99.99.x network. In this way, the router can be configured to route this packet back to the PIX.

If the DNS resides outside the PIX (or across one of its DMZs), issue the alias command on the PIX to fix the DNS packet and make it resolve to the 10.10.10.10 address. Make sure any PCs are rebooted to flush the DNS cache after this change is made.

Note: Ping www.mydomain.com before and after the alias command is issued to make sure the resolution changes from the 99.99.99.99 to 10.10.10.10 address.

Resolution

This is a sample network topology:

INTERNET------DNS Server on the outside of PIX
        ' 
        '     
        ' 
(Oustside of PIX)
CISCO PIX FIREWALL
(Inside of PIX)
        ' 
        ' 
---------------------
    '              '            
    '              '            
CLIENT           SERVER

In this example, a static translation exists in the PIX for the internal Web server to be accessible from the Internet. The external DNS server returns the public IP address of the internal server.

The DNS replies from the external DNS server must be modified to return the internal address of the server, instead of the external (global) address.

If the PIX runs PIX software version 6.2 or later, add the keyword dns to the end of the static statement associated with the server. This causes the PIX to modify the DNS reply packets with the internal IP address of the server.

This is an example:

static (inside,outside) server_public_address server_private_address dns

If the PIX is runs a software version earlier than 6.2, then the alias command must be issued instead:

alias (inside) server_private_address server_public_address netmask 255.255.255.255

For more information on DNS fixup in the PIX, refer to the reference information on the static and alias commands.

Note: DNS Doctoring cannot be used while Port Redirection is in use.

 

For details, refer toCisco Secure PIX Firewall Frequently Asked Questions and Understanding the alias Command for the Cisco Secure PIX Firewall.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents