03-06-2007 10:45 PM - edited 03-11-2019 02:42 AM
Hi,
Is it possible to forward DNS requests addressed to a PIX inside interface out to ISP's DNS?
Thanks
03-07-2007 04:54 PM
Officially, the PIX is not designed to do so, but we can make it work by using the following commands.
Suppose that the ISP's DNS server IP is 4.2.2.2 and the PIX inside interface IP is 1.1.1.1. In this case, try the following commands:
static (outside,inside) udp interface 53 4.2.2.2 53
clear xlate
Now all UDP port 53 requests (DNS requests) directed to the PIX's inside interface IP will be redirected by the PIX to UDP port 53 on the ISP's DNS server.
Hope this works for you.
Regards,
Vibhor.
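A small check for the redirection described above, added here as an example and not part of the thread: it builds a DNS A query, sends it to the PIX inside interface IP (the thread's 1.1.1.1, taken as an assumption) on UDP 53 and reports whether a response with the same transaction ID came back. A timeout means the static or the xlate clear did not take effect; a matching response with RCODE 0 shows the query reached the ISP's server and the answer was translated back.

```python
import random
import socket
import struct

# Assumed values from the thread's example; adjust for a real PIX.
PIX_INSIDE_IP = "1.1.1.1"
QNAME = "example.com"  # constructed test name


def build_query(qname, txid):
    """Build a minimal DNS A query (recursion desired) for qname with transaction id txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_response(data, txid):
    """Return (matched, rcode, answer_count); matched is True only for a response carrying txid."""
    if len(data) < 12:
        return False, None, 0
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    is_response = bool(flags & 0x8000)  # QR bit
    rcode = flags & 0x000F
    return (rid == txid and is_response), rcode, an


def check_forwarding(server_ip, qname=QNAME, timeout=3.0):
    """Send one query to server_ip:53 and report what came back (or that nothing did)."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            # No reply: the static is missing, xlates were not cleared, or outbound DNS is blocked.
            return {"reachable": False, "matched": False, "rcode": None, "answers": 0}
    matched, rcode, answers = parse_response(data, txid)
    return {"reachable": True, "matched": matched, "rcode": rcode, "answers": answers}


if __name__ == "__main__":
    print(check_forwarding(PIX_INSIDE_IP))
```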
03-07-2007 08:26 AM
Do you mean to say that internal hosts are using PIX inside interface as a DNS server IP? Or is it that PIX is acting as a DHCP server for the internal clients?
03-07-2007 04:48 PM
Hi
I meant that internal PCs use the PIX inside interface as a DNS server. In this case, the PIX should forward DNS requests to the ISP's DNS. Question: Can the PIX do it?
03-07-2007 07:34 PM
Hello Vibhor,
Thank you for your help. I have just tried that command in small lab environment:
PC (192.168.2.2/29) --> PIX_inside (192.168.2.1/29) - PIX_outside(192.168.1.2/24) --> 2610_e0/0 (192.168.1.1/24)
I don't have an outside DNS server in the lab; therefore, to test it:
- 2610:
ip http server
ip http port 53
debug ip tcp packet
- PIX:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (outside,inside) tcp interface 80 192.168.1.1 53
- PC
Debug output on the 2610 indicates that HTTP traffic reaches the router; however, the PIX does not translate the port from 80 to 53:
00:21:41: tcp0: I LISTEN 192.168.1.2:1034 192.168.1.1:80 seq 2926118896
OPTS 8 SYN WIN 64512
Any idea how to check what is going on the PIX?
Thanks
Vadim
03-07-2007 11:09 PM
Hello Vibhor,
Please ignore my last update. The command you have posted is working! (I just did not test it correctly)
Thank you so much!
Vadim