resolving URLs from DMZ

boondocker
Level 1

I have a pix firewall (515e) and a windows computer on the DMZ that has its default DNS pointing to a server on the inside allowing connection to key computers on the inside. I need to connect to the internet from this DMZ computer as well on the outside but unfortunately I can't resolve any URLs. Any ideas? thanks!

19 Replies

acomiskey
Level 10

Either use external dns for dmz machines or write an acl allowing dns traffic from dmz to inside dns servers.

If I use an external dns (set the computer's default dns to point to the outside dns server), I will lose dns resolution to the inside computers. I need to resolve dns both ways.

Hi

How many of the key systems does the server in the DMZ need to talk to? Hopefully not too many :-)

If it is a few key systems you could use the local hosts file for these servers and then point your windows server to DNS servers on the Internet for resolution of all other servers.

It's not a pretty solution and it depends on how many servers you need to talk to on the inside.

HTH

Jon

Thanks for the replies...unfortunately using hosts files still doesn't work...seems to get confused and net result is that the focus appears to be on the gateway setting.

Host files get checked before resolving to dns server. What do you mean by "seems to get confused and net result is that the focus appears to be on the gateway setting."

When I point my dmz computer's default gateway to the outside DNS, internet access works fine. With the hosts file set up with all my inside hosts I'm having problems connecting to my DC (which is on the inside). When I change my dmz computer's default gateway to the inside DNS and disable the hosts file, I cannot connect to the outside internet but I have full access to the DC. It sounds pretty straightforward and I figured it would work... not sure if I'm doing something wrong here.

By "default gateway" I assume you mean "default dns"?

yes...typo

what does your access-list look like that is applied "in interface dmz"?

My Inside security level = 100
My DMZ security level = 100
My Outside security level = 0

access-list DMZ_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any any eq sqlnet
access-list OUTSIDE_access_in extended permit tcp any any eq 522
access-list OUTSIDE_access_in extended permit tcp any any eq 1731
access-list OUTSIDE_access_in extended permit tcp any any eq 1503
access-list OUTSIDE_access_in extended permit tcp any any eq ldap
access-list OUTSIDE_access_in extended permit tcp any any eq h323
access-list OUTSIDE_access_in extended permit tcp any any eq 3389

If you want to allow dmz machines to access inside machines, it has to be permitted in your DMZ_access_in acl. For instance, dns.

access-list DMZ_access_in extended permit udp any host eq 53

Does my access level of 100 for both dmz and inside not allow free flow of traffic without acl?

Oh, I skimmed over that. It depends on what code your pix is, 7 will allow it, 6 will not.

...also, when I'm set up this way I can still connect to all inside computers including my DNS.
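The point made in the thread about the DMZ ACL can be checked offline. The following is an added example, not code from the thread or from Cisco: a small evaluator that models how a Cisco extended access-list behaves when applied to an interface (first matching entry wins, implicit deny at the end), loaded with the two DMZ entries posted above plus the udp/53 entry suggested in reply. The inside DNS address 10.0.0.53, the DMZ host 192.168.50.10 and the web server 203.0.113.5 are constructed placeholders; the thread does not give real addresses.

```python
"""Evaluate Cisco-style extended ACL entries against sample flows.

Added example (not part of the forum thread): models first-match,
implicit-deny semantics of a PIX/ASA access-list applied to an interface.
Only the 'any' and 'host A.B.C.D' address forms and an optional 'eq PORT'
are parsed, which is all the posted configuration uses.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses; the thread does not give real ones.
INSIDE_DNS = "10.0.0.53"
DMZ_HOST = "192.168.50.10"
WEB_SERVER = "203.0.113.5"

# Well-known port names as Cisco accepts them after 'eq'.
PORT_NAMES = {"www": 80, "domain": 53, "ldap": 389, "h323": 1720, "sqlnet": 1521}


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip"
    src: str               # "any" or an IPv4 address
    dst: str               # "any" or an IPv4 address
    dport: Optional[str]   # port number or name after "eq", else None


def parse_ace(line: str) -> tuple[str, Entry]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported line: {line!r}")
    name, action, proto = tok[1], tok[3], tok[4]
    i = 5
    addrs = []
    for _ in range(2):                      # source, then destination
        if tok[i] == "any":
            addrs.append("any")
            i += 1
        elif tok[i] == "host":
            addrs.append(tok[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported address form in: {line!r}")
    dport = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
    return name, Entry(action, proto, addrs[0], addrs[1], dport)


def load(config: str) -> dict[str, list[Entry]]:
    """Group entries by ACL name, exactly as written (names are compared verbatim)."""
    acls: dict[str, list[Entry]] = {}
    for line in config.splitlines():
        if line.strip():
            name, entry = parse_ace(line)
            acls.setdefault(name, []).append(entry)
    return acls


def port_number(p: str) -> int:
    return int(p) if p.isdigit() else PORT_NAMES[p]


def evaluate(acl: list[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return the verdict for one flow: first matching entry wins."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if e.src != "any" and e.src != src:
            continue
        if e.dst != "any" and e.dst != dst:
            continue
        if e.dport is not None and (dport is None or port_number(e.dport) != dport):
            continue
        return e.action
    return "deny"   # every Cisco ACL ends with an implicit deny


# The DMZ entries as posted in the thread.
POSTED = """\
access-list DMZ_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit icmp any any
"""

# The entry suggested in reply, with the placeholder inside DNS address filled in.
SUGGESTED = f"access-list DMZ_access_in extended permit udp any host {INSIDE_DNS} eq 53\n"


def dns_verdict(config: str) -> str:
    """Verdict for a DNS query from the DMZ host to the inside DNS server."""
    acl = load(config).get("DMZ_access_in", [])
    return evaluate(acl, "udp", DMZ_HOST, INSIDE_DNS, 53)


def web_verdict(config: str, dport: int) -> str:
    """Verdict for an outbound TCP connection from the DMZ host to a web server."""
    acl = load(config).get("DMZ_access_in", [])
    return evaluate(acl, "tcp", DMZ_HOST, WEB_SERVER, dport)


if __name__ == "__main__":
    print("DNS to inside, posted ACL:   ", dns_verdict(POSTED))
    print("DNS to inside, with udp/53:  ", dns_verdict(POSTED + SUGGESTED))
    print("HTTP out, posted ACL:        ", web_verdict(POSTED, 80))
    print("HTTPS out, posted ACL:       ", web_verdict(POSTED, 443))
```

Two things the evaluator makes visible. With only the posted entries, the udp/53 query to the inside resolver is denied, which matches the symptom in the question; the suggested entry, scoped to the one inside DNS host rather than `any any`, is enough to permit it without opening the whole inside network. Separately, the entries are keyed by name exactly as written, so the lowercase `dmz_access_in` icmp line ends up in a different list from the `DMZ_access_in` list applied to the interface; PIX/ASA treat access-list names as case-sensitive, so that line is worth a second look in the real configuration. The `www` entry also permits only TCP 80, so anything on 443 is dropped by the same ACL.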
