How to config PIX 506E to pass DNS traffic

bobh
Level 1

I have a PIX 506E that is used by a public municipal agency to separate one internal LAN from another for security reasons. On the outside interface of the PIX is a less secure network (192.168.10.x) with a Windows 2003 Domain controller running DNS. We have installed another secondary domain controller for the same domain on the inside interface (172.23.16.x). Since both domain controllers are for the same domain we need to configure the firewall to allow the domains to talk to each other. The DNS server on the outside interface is 192.168.10.2 and the second DNS server on the inside interface is 172.23.16.7. Currently SMTP and WWW traffic is passing through with no problem. I have attached a sanitized running config to look at. I'm not sure where I am missing it but I have been unable to open the ports to get the two to talk together. Any help would be appreciated. Thanks

8 Replies

vitripat
Level 7

Hi ..

Please execute following commands-

no static (inside,outside) 192.168.10.2 172.23.16.7 netmask 255.255.255.255 0 0

clear xlate local 172.23.16.7

clear xlate global 192.168.10.2

Hope that helps. Also let me know if we are talking about DNS replication over here? Or normal DNS queries not going through?

Regards,

Vibhor.

I'm trying to get DNS replication to take place between the outside DNS Server (192.168.10.2) and the inside server (172.23.16.7). I tried the commands you gave me and it didn't seem to work.

I think DNS replication should take place with Active Directory replication.

It's the DNS replication that I cannot get working. When I go to active directory sites and services and try to replicate to the other server it tells me now that the rpc server is unavailable.

Most likely it is attempting an RPC 135 connection on some random port.

I ran across this Microsoft article on setting some registry settings on both domain controllers to limit the number of ports RPC is using. Is this the only way to allow RPC traffic or is there a better suggestion on how to do what I am trying to accomplish?

http://support.microsoft.com/kb/154596

Before you get into stuff like that, which when dealing with the registry would never be my first choice, get some logging going on the pix, try your replication and see exactly what is going on. No sense ruining your perfectly good domain controllers when you don't need to. Post up the logs.

If we are only talking about DNS zone transfers, it works on TCP(53), which is open on your PIX. However, if you are looking for WINS replication, for this we need to open port 42 (TCP and UDP). Are we only doing Zone transfers or WINS replications also?

Is it possible to collect syslogs at the time you try to replicate?

Regards,

Vibhor.
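Two replies above suggest turning on PIX logging, running the replication, and reading the denies before touching the domain controllers' registry. The script below is an added example, not code from this thread or from Cisco; it parses the two PIX deny messages most relevant here (106023, "Deny ... by access-group", and 106001, "Inbound TCP connection denied") and summarizes which destination ports on the inside DC were blocked, tagging the well-known ones (53 DNS, 42 WINS, 135 RPC endpoint mapper, NetBIOS/SMB) and flagging high ports as the dynamic RPC ports discussed in the thread. The log lines are constructed samples in the format those message IDs use, with the two DC addresses from the original post; they are not the poster's actual logs.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines (not from the original poster), using the
# message formats of 106023 (ACL deny) and 106001 (inbound TCP denied).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:192.168.10.2/1044 dst inside:172.23.16.7/135 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:192.168.10.2/1045 dst inside:172.23.16.7/135 by access-group "outside_access_in"
%PIX-2-106001: Inbound TCP connection denied from 192.168.10.2/1046 to 172.23.16.7/1025 flags SYN on interface outside
%PIX-4-106023: Deny udp src outside:192.168.10.2/137 dst inside:172.23.16.7/137 by access-group "outside_access_in"
%PIX-6-302013: Built inbound TCP connection 12 for outside:192.168.10.2/1047 (192.168.10.2/1047) to inside:172.23.16.7/53 (172.23.16.7/53)
"""

DENY_106023 = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
DENY_106001 = re.compile(
    r"%PIX-\d-106001: Inbound (?P<proto>\w+) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Well-known ports mentioned in the thread and used by AD/DNS replication.
KNOWN_PORTS = {
    42: "WINS replication",
    53: "DNS (zone transfer on TCP)",
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
    445: "SMB",
}


def classify_port(dport):
    """Label a destination port; high ports are treated as dynamic RPC ports."""
    if dport in KNOWN_PORTS:
        return KNOWN_PORTS[dport]
    if dport >= 1024:
        return "dynamic port (likely RPC, assigned via the endpoint mapper)"
    return "other"


def parse_denies(log_text):
    """Yield (proto, src, dst, dport) for every 106023/106001 deny line; built connections are ignored."""
    for line in log_text.splitlines():
        for pattern in (DENY_106023, DENY_106001):
            m = pattern.search(line)
            if m:
                yield (m.group("proto").lower(), m.group("src"),
                       m.group("dst"), int(m.group("dport")))
                break


def summarize_denies(log_text, src=None, dst=None):
    """Count denied flows by (proto, dst_ip, dst_port), optionally limited to one src/dst pair."""
    counts = Counter()
    for proto, s, d, dport in parse_denies(log_text):
        if src and s != src:
            continue
        if dst and d != dst:
            continue
        counts[(proto, d, dport)] += 1
    return counts


def report(log_text, src=None, dst=None):
    """Return human-readable lines, most-denied port first."""
    lines = []
    for (proto, d, dport), n in summarize_denies(log_text, src, dst).most_common():
        lines.append(f"{n:3d}x {proto}/{dport} to {d}: {classify_port(dport)}")
    return lines


if __name__ == "__main__":
    # Limit the view to traffic between the two domain controllers from the post.
    for line in report(SAMPLE_LOG, src="192.168.10.2", dst="172.23.16.7"):
        print(line)
```

Run it against the real syslog capture instead of SAMPLE_LOG (for example, `report(open("pix.log").read(), src=..., dst=...)`) after reproducing the replication attempt; the denied ports listed are exactly the ones the access list on the PIX is missing, and a tail of high-numbered TCP ports is the symptom of the dynamic RPC range the registry article in the thread is about.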
