03-01-2007 01:28 PM - edited 03-11-2019 02:40 AM
I have a pix firewall (515e) and a windows computer on the DMZ that has its default DNS pointing to a server on the inside allowing connection to key computers on the inside. I need to connect to the internet from this DMZ computer as well on the outside but unfortunately I can't resolve any URLs. Any ideas? thanks!
03-01-2007 01:35 PM
Either use external dns for dmz machines or write an acl allowing dns traffic from dmz to inside dns servers.
03-01-2007 02:15 PM
If I use an external dns (set the computer's default dns to point to the outside dns server), I will lose dns resolution to the inside computers. I need to resolve dns both ways.
03-01-2007 02:30 PM
Hi
How many of the key systems does the server in the DMZ need to talk to? Hopefully not too many :-)
If it is a few key systems you could use the local hosts file for these servers and then point your windows server to DNS servers on the Internet for resolution of all other servers.
It's not a pretty solution and it depends on how many servers you need to talk to on the inside.
HTH
Jon
03-02-2007 10:34 AM
Thanks for the replies...unfortunately using hosts files still doesn't work...seems to get confused and net result is that the focus appears to be on the gateway setting.
03-02-2007 10:42 AM
Host files get checked before resolving to dns server. What do you mean by "seems to get confused and net result is that the focus appears to be on the gateway setting."
03-02-2007 11:10 AM
When I point my dmz computer's default gateway to the outside DNS, internet access works fine. With the hosts file set up with all my inside hosts I'm having problems connecting to my DC (which is on the inside). When I change my dmz computer's default gateway to the inside DNS and disable the hosts file, I cannot connect to the outside internet but I have full access to the DC. It sounds pretty straightforward and I figured it would work ...not sure if I'm doing something wrong here.
03-02-2007 11:15 AM
By "default gateway" I assume you mean "default dns"?
03-02-2007 11:19 AM
yes...typo
03-02-2007 11:22 AM
what does your access-list look like that is applied "in interface dmz"?
03-02-2007 11:32 AM
My Inside security level = 100
My DMZ security level = 100
My Outside security level = 0
access-list DMZ_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any any eq sqlnet
access-list OUTSIDE_access_in extended permit tcp any any eq 522
access-list OUTSIDE_access_in extended permit tcp any any eq 1731
access-list OUTSIDE_access_in extended permit tcp any any eq 1503
access-list OUTSIDE_access_in extended permit tcp any any eq ldap
access-list OUTSIDE_access_in extended permit tcp any any eq h323
access-list OUTSIDE_access_in extended permit tcp any any eq 3389
03-02-2007 11:34 AM
If you want to allow dmz machines to access inside machines, it has to be permitted in your DMZ_access_in acl. For instance, dns.
access-list DMZ_access_in extended permit udp any host
03-02-2007 11:37 AM
Does my access level of 100 for both dmz and inside not allow free flow of traffic without acl?
03-02-2007 11:40 AM
Oh, I skimmed over that. It depends on what code your pix is, 7 will allow it, 6 will not.
03-02-2007 11:40 AM
...also, when I'm setup this way I can still connect to all inside computers including my DNS.
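A worked version of the two fixes suggested in the replies (the DMZ-to-inside DNS permit, and the PIX 7.x same-security setting), written as an added example that is not from this thread. The addresses 192.0.2.10 (DMZ Windows host) and 10.0.0.5 (inside DNS server) are placeholders, and the rule is scoped to those two hosts rather than "any any".

```cisco
! Added example, not the poster's config. Placeholder addresses:
!   192.0.2.10 = DMZ Windows host, 10.0.0.5 = inside DNS server / DC.
!
! On PIX 7.x, traffic between two interfaces at the same security level
! (inside 100 and dmz 100 in this thread) is dropped unless enabled here.
! PIX 6.x has no equivalent; there the DMZ level must differ from inside.
same-security-traffic permit inter-interface
!
! Least-privilege DMZ inbound ACL: only this DMZ host may send DNS queries
! (UDP 53, plus TCP 53 for large/zone-style responses) to the inside DNS.
access-list DMZ_access_in extended permit udp host 192.0.2.10 host 10.0.0.5 eq domain
access-list DMZ_access_in extended permit tcp host 192.0.2.10 host 10.0.0.5 eq domain
!
! The thread's existing DMZ rules (web out, icmp) stay below the DNS lines;
! anything else from the DMZ toward inside hits the implicit deny at the end.
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit icmp any any
access-group DMZ_access_in in interface dmz
!
! Check: resolve a name from the DMZ host, then confirm the DNS lines show
! hitcnt > 0 and nothing unexpected is being matched by the broader rules.
! show access-list DMZ_access_in
```

If the inside DNS server is also the DC and the DMZ host must join or authenticate to it, that needs its own narrowly scoped permits in the same ACL; the DNS lines alone only fix name resolution.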