PIX DMZ contains both outside DNS and e-mail server, doesn't work.

Unanswered Question
Nov 8th, 2007

I have a pair of failover Pix 515e running software (8.02) and I have 6 interfaces. Outside, inside, inside2, DMZ1, DMZ2, failover.

DMZ2 contains our external DNS server that services DNS requests for our domain and several clients' domains that we host. We recently moved a client's dedicated server to DMZ2 and now DNS doesn't work between that server and our DNS server because they are always looking to route to the external IP but they are on the same switch and interface of the Pix.

What I need to know is how can I either route the traffic so it doesn't try to go out and back in or some solution for servicing DNS requests to outside and locally differently. Any help is greatly appreciated.

acomiskey Thu, 11/08/2007 - 09:03

I've read your post a few times and am still a little confused. Could you rephrase what the actual problem is?

mismtk2007 Thu, 11/08/2007 - 09:09

Sure. I have an external DNS server on DMZ2 that services outside DNS requests. So a DNS request comes in for ourcompany.com and we reply with x.y.z.123 (an externally routable IP). That's all working as it should.

We recently moved a web/email server to DMZ2 so it's now in the same switch as the DNS server mentioned above and when it tries to query ourcompany.com to send email to us it fails because it is trying to connect to the outside IP of the server instead of the 10.0.x.x IP. How can I make this work?

acomiskey Thu, 11/08/2007 - 09:19

If so, you should be able to accomplish this with hairpinning. This will allow the traffic to bounce off the DMZ2 interface and be destination nat'd.

If your mail server IPs are as follows...

public ip = x.y.z.123
private ip = 10.0.x.x

same-security-traffic permit intra-interface
static (DMZ2,DMZ2) x.y.z.123 10.0.x.x netmask
global (DMZ2) 10 interface
nat (DMZ2) 10 0 0

Let me know if that helps.

mismtk2007 Thu, 11/08/2007 - 12:54

I added the statics for both systems on DMZ2:

static (DMZ2,DMZ2) x.y.z.123 10.0.x.123 netmask
static (DMZ2,DMZ2) x.y.z.8 10.0.x.8 netmask

And now I'm seeing deny errors, something about an ACL:

2 106001 10.0.x.8 x.y.z.123 Inbound TCP connection denied from 10.0.x.8/33773 to x.y.z.123/25 flags SYN on interface DMZ2

mismtk2007 Thu, 11/08/2007 - 13:50

Here's what I think is relevant:

global (outside) 200 interface
global (inside) 200 interface
global (DMZ1) 200 interface
global (inside2) 200 interface
global (DMZ2) 200 interface
nat (inside) 200 192.168.x.0
nat (DMZ1) 200 10.0.x.0
nat (inside2) 0 access-list inside2_outbound_nat0_acl
nat (inside2) 200 10.0.x.0
access-list DMZ2_access_in extended permit tcp host 10.0.x.8 any eq smtp
access-list DMZ2_access_in extended permit tcp host 10.0.x.123 any eq smtp
access-list outside_access_in extended permit tcp any host x.y.z.8 eq smtp
access-list outside_access_in extended permit tcp any host x.y.z.123 eq smtp
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ1_access_in in interface DMZ1
access-group inside2_access_in in interface inside2
access-group DMZ2_access_in in interface DMZ2
static (DMZ2,outside) x.y.z.8 10.0.x.8 netmask
static (DMZ2,outside) x.y.z.123 10.0.x.123 netmask
static (DMZ2,DMZ2) x.y.z.8 10.0.x.8 netmask
static (DMZ2,DMZ2) x.y.z.123 10.0.x.123 netmask

acomiskey Thu, 11/08/2007 - 13:56

Did you add...

same-security-traffic permit intra-interface

Also, did you try it with..

nat (DMZ2) 200 0 0

mismtk2007 Thu, 11/08/2007 - 14:05

I did not add same-security-traffic permit intra-interface because I'm not sure what that will do to the rest of my traffic. Is there a way to only apply that access to DMZ2 and not all interfaces?

I did not do nat (DMZ2) 200 0 0 what will that do?

acomiskey Thu, 11/08/2007 - 14:39

same-security-traffic permit intra-interface should not affect other traffic. It only allows traffic to enter and exit the same interface, which is what this situation needs. The packet will arrive at the DMZ2 interface with a destination address of x.y.z.123. The destination nat statement will change that destination address to 10.0.x.123.

IMPORTANT QUESTION: I asked this before and you didn't answer. Is 10.0.x.123 also on DMZ2? If not, forget everything I put above.

From the look of your config it looks like 10.0.x.123 is on DMZ1?

If that is the case then you really only need...

static (DMZ2,DMZ1) x.y.z.8 10.0.x.8 netmask
static (DMZ2,DMZ1) x.y.z.123 10.0.x.123 netmask
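As an added illustration of the hairpin explanation above (this helper is not from the thread or from Cisco), the following Python reads the static and same-security-traffic lines out of a PIX config and explains a 106001 deny like the one posted earlier: whether a (DMZ2,DMZ2) static exists for the denied destination, what private address it would translate to, and whether intra-interface traffic is permitted. The sample config and log lines are constructed from the thread's placeholders; the netmask values are assumed.

```python
import re
from collections import namedtuple

# Constructed sample config modelled on the thread's statics; the netmask
# values were not shown in the thread and are assumed to be host masks.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
static (DMZ2,outside) x.y.z.123 10.0.x.123 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.123 10.0.x.123 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.8 10.0.x.8 netmask 255.255.255.255
"""

# Constructed %PIX-2-106001 lines in the format the thread quotes.
SAMPLE_LOG = [
    "2 106001 10.0.x.8 x.y.z.123 Inbound TCP connection denied from 10.0.x.8/33773 "
    "to x.y.z.123/25 flags SYN on interface DMZ2",
    "2 106001 10.0.x.8 x.y.z.9 Inbound TCP connection denied from 10.0.x.8/33774 "
    "to x.y.z.9/25 flags SYN on interface DMZ2",
]

Static = namedtuple("Static", "real_ifc mapped_ifc mapped_ip real_ip")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
DENY_RE = re.compile(r"106001 .*denied from (\S+)/(\d+) to (\S+)/(\d+) .* on interface (\w+)$")

def parse_config(text):
    """Return (list of Static, whether same-interface traffic is permitted)."""
    statics, intra = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "same-security-traffic permit intra-interface":
            intra = True
        m = STATIC_RE.match(line)
        if m:
            statics.append(Static(*m.groups()))
    return statics, intra

def classify_deny(log_line, statics, intra):
    """Explain a 106001 deny: is it a hairpin flow, and which config is missing?"""
    m = DENY_RE.search(log_line)
    if not m:
        return None
    src, sport, dst, dport, ifc = m.groups()
    # A hairpin static maps a public address back onto the interface it arrived on.
    hairpin = [s for s in statics
               if s.real_ifc == ifc and s.mapped_ifc == ifc and s.mapped_ip == dst]
    missing = [] if hairpin else [f"static ({ifc},{ifc}) {dst} <private-ip> netmask <mask>"]
    if not intra:
        missing.append("same-security-traffic permit intra-interface")
    return {"src": src, "dst": dst, "dport": int(dport), "interface": ifc,
            "real_dst": hairpin[0].real_ip if hairpin else None, "missing": missing}
```

Run it over a copy of `show running-config` and the firewall syslog to see, for each deny on a DMZ interface, which public address is still lacking a hairpin static.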

mismtk2007 Fri, 11/09/2007 - 05:15

Sorry, to answer your question yes both of these systems are on DMZ2. I will give this a try and let you know how it goes, thanks for your help so far!

mismtk2007 Fri, 11/09/2007 - 06:10

OK, this is mostly working now; the only problem I have is with DNS queries. The error I get is:

(inspect-dns-invalid-pak) DNS Inspect invalid packet

I know it has something to do with DNS inspection but I'm not sure what. Here's my inspection config:

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 513

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ftp

mismtk2007 Fri, 11/09/2007 - 06:33

I entered:

same-security-traffic permit intra-interface

and then I tweaked the ACLs and NAT rules accordingly and it is working for everything except DNS. But the DNS is not being dropped due to an ACL but rather this inspection error.
