Resolving URLs from DMZ

Mar 1st, 2007

I have a PIX firewall (515e) and a Windows computer on the DMZ that has its default DNS pointing to a server on the inside, allowing connection to key computers on the inside. I need to connect to the internet from this DMZ computer as well on the outside, but unfortunately I can't resolve any URLs. Any ideas? Thanks!

acomiskey Thu, 03/01/2007 - 13:35

Either use external DNS for DMZ machines or write an ACL allowing DNS traffic from the DMZ to the inside DNS servers.

boondocker Thu, 03/01/2007 - 14:15

If I use an external DNS (set the computer's default DNS to point to the outside DNS server), I will lose DNS resolution to the inside computers. I need to resolve DNS both ways.

Jon Marshall Thu, 03/01/2007 - 14:30

Hi

How many of the key systems does the server in the DMZ need to talk to. Hopefully not too many :-)

If it is a few key systems, you could use the local hosts file for these servers and then point your Windows server to DNS servers on the Internet for resolution of all other servers.

It's not a pretty solution and it depends on how many servers you need to talk to on the inside.

HTH

Jon

boondocker Fri, 03/02/2007 - 10:34

Thanks for the replies... unfortunately, using hosts files still doesn't work... it seems to get confused, and the net result is that the focus appears to be on the gateway setting.

acomiskey Fri, 03/02/2007 - 10:42

Hosts files get checked before resolving to the DNS server. What do you mean by "seems to get confused and net result is that the focus appears to be on the gateway setting"?

boondocker Fri, 03/02/2007 - 11:10

When I point my DMZ computer's default gateway to the outside DNS, internet access works fine. With the hosts file set up with all my inside hosts, I'm having problems connecting to my DC (which is on the inside). When I change my DMZ computer's default gateway to the inside DNS and disable the hosts file, I cannot connect to the outside internet, but I have full access to the DC. It sounds pretty straightforward and I figured it would work... not sure if I'm doing something wrong here.

acomiskey Fri, 03/02/2007 - 11:22

what does your access-list look like that is applied "in interface dmz"?

boondocker Fri, 03/02/2007 - 11:32

My Inside security level = 100

My DMZ security level = 100

My Outside security level = 0

access-list DMZ_access_in extended permit tcp any any eq www

access-list dmz_access_in extended permit icmp any any

access-list OUTSIDE_access_in extended permit tcp any any eq sqlnet

access-list OUTSIDE_access_in extended permit tcp any any eq 522

access-list OUTSIDE_access_in extended permit tcp any any eq 1731

access-list OUTSIDE_access_in extended permit tcp any any eq 1503

access-list OUTSIDE_access_in extended permit tcp any any eq ldap

access-list OUTSIDE_access_in extended permit tcp any any eq h323

access-list OUTSIDE_access_in extended permit tcp any any eq 3389

acomiskey Fri, 03/02/2007 - 11:34

If you want to allow DMZ machines to access inside machines, it has to be permitted in your DMZ_access_in ACL. For instance, DNS:

access-list DMZ_access_in extended permit udp any host eq 53

boondocker Fri, 03/02/2007 - 11:37

Does my access level of 100 for both DMZ and inside not allow free flow of traffic without an ACL?

acomiskey Fri, 03/02/2007 - 11:40

Oh, I skimmed over that. It depends on what code your PIX is running: 7 will allow it, 6 will not.
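As an added example that is not configuration from anyone in this thread, here are the two pieces acomiskey describes above: the PIX 7.x command that permits traffic between two interfaces at the same security level, and the explicit DMZ-to-inside DNS permit for a PIX still on 6.x or with an ACL bound to the DMZ interface. Once an access-group is applied to an interface, every packet entering that interface must match a permit line in that ACL; the implicit deny at the end drops the rest, so equal security levels alone do not guarantee the DMZ-to-inside flow. The inside DNS server address 10.1.1.53 and the interface name dmz are assumptions (the thread gives neither). ACL names on the PIX are also case-sensitive, so the DMZ_access_in and dmz_access_in lines posted above are two separate lists, and only the one named in access-group is enforced.

```cisco
! Added example with assumed values; not the thread's own config.
! Inside DNS server assumed to be 10.1.1.53 (not given on the page).
!
! PIX 7.x only: allow traffic between interfaces that share a security
! level (inside and dmz are both 100 here). PIX 6.x has no equivalent,
! so on 6.x only the ACL permits below make DMZ-to-inside DNS work.
same-security-traffic permit inter-interface
!
! Scope the DNS permit to the one inside resolver, UDP and TCP 53
! (TCP is used for large responses and zone transfers).
access-list DMZ_access_in extended permit udp any host 10.1.1.53 eq domain
access-list DMZ_access_in extended permit tcp any host 10.1.1.53 eq domain
!
! Lines reproduced from the thread, spelled with one consistent ACL name
! so they land in the same list as the DNS permits.
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit icmp any any
!
! Bind the list inbound on the dmz interface; anything not permitted
! above is dropped by the implicit deny at the end of the list.
access-group DMZ_access_in in interface dmz
```

After applying, `show access-list DMZ_access_in` shows per-line hit counts, which makes it easy to confirm that DNS queries from the DMZ host are actually matching the new permits rather than falling through to the implicit deny.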

boondocker Fri, 03/02/2007 - 11:40

...also, when I'm set up this way I can still connect to all inside computers, including my DNS.

acomiskey Fri, 03/02/2007 - 11:46

So, everything works fine but you can't get to the internet? Are these Windows machines? Do you know how to do an nslookup?

boondocker Fri, 03/02/2007 - 11:50

Yes, I've run nslookup. When my DNS is set for the outside, I can resolve any URL. When my DNS is set for the inside, nslookup can't find the URL (which makes sense).

acomiskey Fri, 03/02/2007 - 11:52

Why would that make sense? You are pointing to an inside DNS server.
