How to config PIX 506E to pass DNS traffic

Unanswered Question

I have a PIX 506E that is used by a public municipal agency to separate one internal LAN from another for security reasons. On the outside interface of the PIX is a less secure network (192.168.10.x) with a Windows 2003 Domain controller running DNS. We have installed another secondary domain controller for the same domain on the inside interface (172.23.16.x). Since both domain controllers are for the same domain we need to configure the firewall to allow the domains to talk to each other. The DNS server on the outside interface is 192.168.10.2 and the second DNS server on the inside interface is 172.23.16.7. Currently SMTP and WWW traffic is passing through with no problem. I have attached a sanitized running config to look at. I'm not sure where I am missing it but I have been unable to open the ports to get the two to talk together. Any help would be appreciated. Thanks
vitripat Mon, 03/12/2007 - 13:31

Hi,

Please execute the following commands:

no static (inside,outside) 192.168.10.2 172.23.16.7 netmask 255.255.255.255 0 0
clear xlate local 172.23.16.7
clear xlate global 192.168.10.2

Hope that helps. Also let me know if we are talking about DNS replication over here? Or normal DNS queries not going through?
Regards,

Vibhor.

acomiskey Mon, 03/12/2007 - 13:45

I think DNS replication should take place with Active Directory replication.

acomiskey Mon, 03/12/2007 - 13:53

Most likely it is attempting an RPC 135 connection on some random port.

acomiskey Mon, 03/12/2007 - 14:37

Before you get into stuff like that, which when dealing with the registry would never be my first choice, get some logging going on the pix, try your replication and see exactly what is going on. No sense ruining your perfectly good domain controllers when you don't need to. Post up the logs.

vitripat Mon, 03/12/2007 - 13:45

If we are only talking about DNS zone transfers, it works on TCP(53), which is open on your PIX. However, if you are looking for WINS replication, for this we need to open port 42 (TCP and UDP). Are we only doing Zone transfers or WINS replications also?

Is it possible to collect syslogs at the time you try to replicate?

Regards,

Vibhor.
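Added configuration example, not from the thread and not Cisco documentation: the shape of a PIX 6.x configuration that gives the inside domain controller its own outside address, permits only DNS (TCP and UDP 53) between the two servers, and turns on the logging that both replies above ask for. The mapped address 192.168.10.7, the access-list name outside_in and the syslog host 172.23.16.50 are assumptions; replace them with values from your own running config.

```cisco
! Assumed: 192.168.10.7 is an unused address on the outside LAN. The static
! in the posted config mapped 172.23.16.7 to 192.168.10.2, which is the
! outside DNS server's own address, so the two servers could not reach
! each other. Give the inside DC a distinct outside address instead.
static (inside,outside) 192.168.10.7 172.23.16.7 netmask 255.255.255.255 0 0

! Inbound (outside -> inside) DNS only, and only between the two servers.
! Zone transfers use TCP/53, queries use UDP/53; the PIX names port 53 "domain".
! If an access-group is already applied to the outside interface (for the
! SMTP and WWW traffic that already works), add these lines to that list
! instead of creating outside_in.
access-list outside_in permit tcp host 192.168.10.2 host 192.168.10.7 eq domain
access-list outside_in permit udp host 192.168.10.2 host 192.168.10.7 eq domain
access-group outside_in in interface outside

! Inside -> outside is allowed by default (higher to lower security) unless
! an access-group is applied on the inside interface. If one is, mirror it:
! access-list inside_out permit tcp host 172.23.16.7 host 192.168.10.2 eq domain
! access-list inside_out permit udp host 172.23.16.7 host 192.168.10.2 eq domain

! Logging, so the next replication attempt shows exactly what is denied.
! Assumed: 172.23.16.50 is a syslog collector on the inside LAN.
logging on
logging buffered debugging
logging host inside 172.23.16.50
logging trap informational

! Changing a static does not affect existing translations; clear the old ones.
clear xlate local 172.23.16.7

! Checks after the next replication attempt: hit counts on the new lines,
! the active translation for the inside DC, and any denies in the buffer.
show access-list outside_in
show xlate local 172.23.16.7
show logging
```

This covers DNS only; full Active Directory replication also needs the RPC endpoint mapper (TCP 135) and the dynamic ports mentioned earlier in the thread, which the syslog output will show as denies.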