Jan 6th, 2008

Currently I have a DNS server running behind a PIX 501. I can ping the server's external IP and everything. My question is: do I have to NAT the local IP of the DNS server to the static external IP for DNS to work? I am trying to set this up for external web-hosting use.


Fernando_Meza Sun, 01/06/2008 - 20:03
User Badges:
  • Gold, 750 points or more

Hi .. if you are providing DNS resolution on your DNS server for requests coming from the Internet .. yes, you need to create a static NAT or port forwarding (if you only have one public IP address, used by the firewall). And also you need to allow that access in the access list applied to the outside interface, i.e.

Port forwarding using the external IP of the firewall:

static (inside,outside) udp interface 53 PrivateDNS_IP 53 netmask 255.255.255.255

access-list Outside_In permit udp any interface outside eq 53

access-group Outside_In in interface outside


Static NAT:

static (inside,outside) PublicDNS_IP PrivateDNS_IP netmask 255.255.255.255

access-list Outside_In permit udp any host PublicDNS_IP eq 53

access-group Outside_In in interface outside

NOTE: if the real IP address of the DNS server is also a public IP address, then the IP addresses you type in the static command will be the same, i.e.

static (inside,outside) PublicDNS_IP PublicDNS_IP netmask 255.255.255.255

I hope it helps .. please rate it if it does!

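The two pieces of the answer above (a static translation plus an access-list entry applied inbound on the outside interface) only expose a service when they agree on protocol, public address and port, and it is easy to end up with an ACE that permits traffic no static translates, or a static with no ACE. The following checker is an added example for this thread, not code from the thread or from Cisco: it parses a PIX 6.x-style fragment containing `static`, `access-list` and `access-group ... in interface outside` lines and reports which inside host and port each permitted outside connection actually lands on. The addresses, the `Outside_In` list name and the whole sample fragment are constructed for illustration; the `interface` keyword is resolved to the outside address, and only host statics (netmask 255.255.255.255) are modelled. It also reports a caveat the thread does not mention: a DNS server exposed on udp/53 only will not serve zone transfers or responses that are retried over TCP after a truncated UDP reply.

```python
"""Static-NAT / outside-ACL exposure check for a PIX 6.x-style config fragment.

Added example for this thread, not Cisco tooling.  Parses host statics
(plain and per-port), access-list entries and the access-group applied
inbound on the outside interface, then pairs them up.
"""
import re

# Service names PIX accepts in place of port numbers (subset).
PORT_NAMES = {"domain": 53, "www": 80, "http": 80, "https": 443, "smtp": 25}

OUTSIDE_IP = re.compile(r"^ip address outside (\S+)")
STATIC_PORT = re.compile(
    r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)")
STATIC_FULL = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask (\S+)")
ACE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any (?:host (\S+)|(interface) outside) eq (\S+)")
ACG = re.compile(r"^access-group (\S+) in interface outside")

# Constructed sample fragment (hypothetical addresses, in the style of the thread).
SAMPLE_CONFIG = """
! constructed fragment, addresses are illustrative
ip address outside 74.0.0.36 255.255.255.248
ip address inside 10.0.0.81 255.255.255.0
static (inside,outside) 74.0.0.35 10.0.0.10 netmask 255.255.255.255
static (inside,outside) udp interface 53 10.0.0.11 53 netmask 255.255.255.255
access-list Outside_In permit udp any host 74.0.0.35 eq domain
access-list Outside_In permit tcp any host 74.0.0.35 eq domain
access-list Outside_In permit udp any interface outside eq 53
access-list Outside_In permit tcp any host 74.0.0.37 eq smtp
access-group Outside_In in interface outside
"""


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse(config):
    """Return (full_statics, port_statics, applied_aces) with 'interface' resolved."""
    outside_ip, full, port, acls, applied = None, {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := OUTSIDE_IP.match(line)):
            outside_ip = m.group(1)
        elif (m := STATIC_PORT.match(line)):      # per-port static (port forwarding)
            proto, mapped, mport, real, rport, _mask = m.groups()
            port[(proto, mapped, port_num(mport))] = (real, port_num(rport))
        elif (m := STATIC_FULL.match(line)):      # one-to-one host static
            mapped, real, _mask = m.groups()
            full[mapped] = real
        elif (m := ACE.match(line)):
            name, proto, host, iface, p = m.groups()
            acls.setdefault(name, []).append((proto, host or iface, port_num(p)))
        elif (m := ACG.match(line)):
            applied = m.group(1)

    def resolve(ip):  # 'interface' means the outside interface address
        return outside_ip if ip == "interface" and outside_ip else ip

    full = {resolve(k): v for k, v in full.items()}
    port = {(pr, resolve(ip), p): v for (pr, ip, p), v in port.items()}
    aces = [(pr, resolve(ip), p) for pr, ip, p in acls.get(applied, [])]
    return full, port, aces


def analyze(config):
    """Return (exposed, unreachable).

    exposed:     (proto, public_ip, public_port, inside_ip, inside_port) for each
                 ACE on the outside interface that a static translates.
    unreachable: ACEs that permit traffic for which no static exists.
    """
    full, port, aces = parse(config)
    exposed, unreachable = [], []
    for proto, dst, p in aces:
        if (proto, dst, p) in port:
            real, rport = port[(proto, dst, p)]
            exposed.append((proto, dst, p, real, rport))
        elif dst in full:
            exposed.append((proto, dst, p, full[dst], p))
        else:
            unreachable.append((proto, dst, p))
    return sorted(exposed), sorted(unreachable)


def dns_tcp_gaps(config):
    """Inside hosts reachable on udp/53 but not tcp/53 (zone transfers and
    responses retried over TCP after a truncated UDP reply will fail)."""
    exposed, _ = analyze(config)
    udp = {real for proto, _, _, real, rport in exposed if proto == "udp" and rport == 53}
    tcp = {real for proto, _, _, real, rport in exposed if proto == "tcp" and rport == 53}
    return sorted(udp - tcp)


if __name__ == "__main__":
    exposed, unreachable = analyze(SAMPLE_CONFIG)
    for proto, pub, pport, real, rport in exposed:
        print(f"{proto}/{pub}:{pport} -> {real}:{rport}")
    for proto, pub, pport in unreachable:
        print(f"ACE permits {proto}/{pub}:{pport} but no static translates it")
    for real in dns_tcp_gaps(SAMPLE_CONFIG):
        print(f"{real}: udp/53 exposed without tcp/53")
```

Run against the constructed fragment it lists the three translated DNS entries, flags the smtp ACE for 74.0.0.37 as having no static behind it, and flags 10.0.0.11 (the port-forwarded server) as reachable over UDP only. Paste your own `show running-config` lines in place of SAMPLE_CONFIG to check a real PIX.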
homeboarder8 Sun, 01/06/2008 - 20:14

Quick question. If I have the inside interface of the PIX set for a local IP, could I still use the static NAT with the DNS server using an external IP?

For instance like you said:

static (inside,outside) 74.xx.xx.35 74.xx.xx.35 netmask 255.255.255.255

even if the following is set:

ip address outside 74.xx.xx.36

ip address inside 10.xx.xx.81

Thanks for the help!

adam.sellhorn Mon, 01/07/2008 - 12:26

Fernando_Meza stated that you would have your static command as follows:

static (inside,outside) 74.xx.xx.35 10.xx.xx.xx netmask 255.255.255.255

the 10.xx.xx.xx is the inside (local) address of your DNS server.

homeboarder8 Mon, 01/07/2008 - 15:49

Okay, let me word this differently... Is there any way to use external IP addresses on the servers behind the PIX? (No local IPs involved.)

Thanks for the help.

Fernando_Meza Mon, 01/07/2008 - 21:15
User Badges:
  • Gold, 750 points or more

Hi .. First of all, you need to make sure that the IP addresses (firewall and DNS server) don't overlap .. meaning they belong to two separate segments. The static NAT part (as you mentioned) will be OK from the configuration point of view; HOWEVER, the firewall needs to know the next hop to 74.X.X.35, as by default it only knows the directly connected networks. In that case you will need another device behind the firewall, such as a router, for this purpose. What you are trying to achieve requires a firewall with at least 3 interfaces and/or one that supports VLANs. Unfortunately the 501 limits you to two segments only (inside and outside). Alternatively you can have two 501s and create a DMZ segment between the two:

Internet -> PublicFirewall <- DMZ segment -> PrivateFirewall -> Inside Network
