PIX DNS NAT?

Unanswered Question
Jan 6th, 2008

Currently I have a DNS server running behind a PIX 501. I can ping the servers external IP and everything. My question is do I have to NAT the local IP of the DNS server to the static external IP for DNS to work? I am trying to set this up for external webhosting use.

Thanks!

Fernando_Meza Sun, 01/06/2008 - 20:03

Hi .. if you are providing DNS resolution on your DNS server for requests coming from the Internet .. yes, you need to create a static NAT or port forwarding (if you only have one public IP address used by the firewall). And also you need to allow that access in the access list applied to the outside interface, i.e.

Port forwarding using the external IP of the firewall:

static (inside,outside) udp interface PrivateDNS_IP 53 netmask 255.255.255.255

access-list Outside_In permit udp any interface outside eq 53

access-group Outside_In in interface outside

OR

Static NAT:

static (inside,outside) PublicDNS_IP PrivateDNS_IP netmask 255.255.255.255

access-list Outside_In permit udp any PublicDNS_IP eq 53

access-group Outside_In in interface outside

NOTE: if the real IP address of the DNS server is also a public IP address, then the IP address you type in the static command will be the same .. i.e.

static (inside,outside) PublicDNS_IP PublicDNS_IP netmask 255.255.255.255

I hope it helps .. please rate it if it does !!!

homeboarder8 Sun, 01/06/2008 - 20:14

Quick question. If I have the inside interface of the PIX set for a local IP, could I still use the static NAT with the DNS server using an external IP?

For instance like you said:

static (inside,outside) 74.xx.xx.35 74.xx.xx.35 netmask 255.255.255.255

even if the following is set:

ip address outside 74.xx.xx.36 255.255.255.248

ip address inside 10.xx.xx.81 255.0.0.0

Thanks for the help!

adam.sellhorn Mon, 01/07/2008 - 12:26

fernando_meza stated that you would have your static command as follows:

static (inside,outside) 74.xx.xx.35 10.xx.xx.xx netmask 255.255.255.255

the 10.xx.xx.xx is the inside (local) address of your DNS server.

homeboarder8 Mon, 01/07/2008 - 15:49

Okay let me word this differently... Is there any way to use external IP addresses on the servers behind the PIX? (No local IP's involved)

Thanks for the help.

Fernando_Meza Mon, 01/07/2008 - 21:15

Hi .. First of all you need to make sure that the IP addresses (firewall and DNS server) don't overlap .. meaning they belong to two separate segments. The static NAT part (as you mentioned) will be OK from the configuration point of view; HOWEVER, the firewall needs to know the next hop to 74.X.X.35, as it only knows the directly connected networks by default. In which case you will need another device behind the firewall, such as a router, for this purpose. What you are trying to achieve requires a firewall with at least 3 interfaces and/or one that supports VLANs. Unfortunately the 501 limits you to two segments only (inside and outside). Alternatively you can have two 501s and create a DMZ segment between the two.

Internet ->PublicFirewall<-DMZ segment-> PrivateFirewall-> Inside Network
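An added example, not code from the thread, that models how the two pieces of Fernando's static-NAT answer interact on a PIX 6.x and encodes the reachability caveat from his last reply: the inbound access-list is checked against the public (mapped) address, the static entry then maps it to the real inside address, and a real address sitting in the outside interface's subnet cannot be reached behind a two-interface 501. The configuration and addresses are constructed, and the parser only understands the statement forms shown in the thread (one-to-one static, `any`/`host` addresses, `eq PORT`).

```python
import ipaddress
# Constructed sample of the static-NAT variant; documentation-range addresses replace the thread's elided ones.
PIX_CONFIG = """
ip address outside 203.0.113.36 255.255.255.248
ip address inside 10.0.0.81 255.0.0.0
static (inside,outside) 203.0.113.35 10.0.0.53 netmask 255.255.255.255
access-list Outside_In permit udp any host 203.0.113.35 eq 53
access-group Outside_In in interface outside
"""

def _addr(words, i):
    """Consume one PIX address token: 'any' or 'host X'."""
    return ("any", i + 1) if words[i] == "any" else (words[i + 1], i + 2)

def parse_config(text):
    """Keep only the statements that govern inbound traffic on a PIX 6.x."""
    cfg = {"if": {}, "static": {}, "acl": {}, "group": {}}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"]:
            cfg["if"][w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
        elif w[0] == "static":                  # one-to-one: mapped -> real
            cfg["static"][w[2]] = w[3]
        elif w[0] == "access-list":             # name action proto src dst eq PORT
            _src, i = _addr(w, 4)
            dst, i = _addr(w, i)
            cfg["acl"].setdefault(w[1], []).append((w[2], w[3], dst, int(w[i + 1])))
        elif w[0] == "access-group":            # name in interface NAME
            cfg["group"][w[4]] = w[1]
    return cfg

def inbound_decision(cfg, dst_ip, proto="udp", dport=53):
    """ACL on 'outside' is matched against the mapped (public) address first,
    then the static entry untranslates it to the real inside address."""
    acl = cfg["acl"].get(cfg["group"].get("outside"), [])
    for action, p, dst, port in acl:
        if p == proto and dst in ("any", dst_ip) and port == dport:
            if action != "permit":
                return None, "denied by access-list"
            break
    else:
        return None, "no matching entry (implicit deny)"
    real = cfg["static"].get(dst_ip)
    return (real, "translated") if real else (None, "permitted, but no static for mapped address")

def real_ip_reachable(cfg, real_ip):
    """Caveat from the last reply: a 501 knows only its two directly connected segments."""
    ip = ipaddress.ip_address(real_ip)
    return ip in cfg["if"]["inside"].network and ip not in cfg["if"]["outside"].network
```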
