Cannot Access websites behind PIX of DNS Server behind PIX

Unanswered Question
Feb 17th, 2009


As the title says, we cannot access our DNS server which is from any other hosts behind the PIX in the range.

I have been through the document which talks about DNS rewrite and hairpinning, but neither seems to work. I think I am missing out on some setting(s) somewhere.

I have also been through some of the previous posts especially this one "Firewalling: Access external Static destined to DMZ from Inside Interface"

If you have any ideas, we would very much appreciate it.

We have set up as follows:

same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any object-group HTTP eq www
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1
static (inside,inside) netmask
static (inside,outside) netmask



Ivan Martinon Tue, 02/17/2009 - 10:17

Ali, question: are you trying to access your DNS from outside to inside, or is it from within the LAN?

smbtest12 Tue, 02/17/2009 - 15:07


We are trying to access the DNS server from inside the LAN without using local IP addressing. So, for example, makes a DNS query for a website which is actually sitting on . When it traverses through the PIX into the DNS of the world, the reply is that this website is actually on , which is NATted to .

Hence the original request is from within the LAN, but it actually ends up coming from outside. Hope this makes sense; there is a diagram in the doc ""

Unfortunately even after this, I'm stuck :,)


husycisco Tue, 02/17/2009 - 10:18

Hello Ali,

Try this

policy-map global_policy
 class inspection_default
  inspect dns


smbtest12 Tue, 02/17/2009 - 15:01

Hi, thanks for your reply

I already have the following running

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

It wouldn't allow me to enter the config you sent as this is already present. Do I need to modify it?



Ivan Martinon Tue, 02/17/2009 - 15:10

From where are you trying to access this DNS server? According to your post you cannot access it from behind the PIX LAN, and if I understand correctly your DNS falls within this same LAN segment, correct? In that case the DNS doctoring will never be applied. Can you confirm?

smbtest12 Tue, 02/17/2009 - 15:21

Yes, I can confirm that we are trying to access the DNS server from behind the PIX LAN, which means the DNS server and other hosts fall in the same LAN segment. The document which I mentioned earlier, from what I could see, is designed for this scenario, hence I tried DNS Doctoring, but didn't get very far with it.

Hope this helps. Let me know if you need more info


Ivan Martinon Tue, 02/17/2009 - 15:27

The key point of DNS doctoring is that the DNS request has to go through the firewall so that it can modify the DNS reply. In your case your goal, I presume, is that when your clients look for a site that resolves to a public IP address, the PIX changes the IP address to the private IP instead of using the public one.

smbtest12 Tue, 02/17/2009 - 15:39

Yes, I think perhaps that is what we are looking for. Any ideas on how I need to implement this?



Ivan Martinon Tue, 02/17/2009 - 15:43

If your clients have a DNS that belongs to the inside.... unless you change the MX record of your DNS to reflect the real IP address; of course, if this DNS is used to resolve names for outside people too, then you will be in trouble...

Putting the DNS on a DMZ or on the outside will make the DNS query go through the ASA, causing it to be modified. Now have in mind that the entry that has the dns option enabled on it is the translation of your server; in other words, the static entry that tells the outside world that the private address of your webserver (as an example) will be translated to X public address, and not the DNS itself.

smbtest12 Tue, 02/17/2009 - 16:38

Ok thanks. I will review the setup tomorrow and get back to you. The Cisco doc looked pretty much the business for the situation that I found myself in. Anyhow, I will get this checked out tomorrow and let you know.

Thank you very much, I really appreciate your feedback.


smbtest12 Tue, 02/17/2009 - 18:13

This is the link

Let me know your thoughts on it. Does it sound like I am missing a small component, or is it different from what I am after? I couldn't find much difference between our setup and the one in the doc. I also referred to the NetPro Forum titled "Firewalling: Access external Static destined to DMZ from Inside Interface"


Ivan Martinon Tue, 02/17/2009 - 18:36

Oh ok, I see where you got it wrong: for the hairpinning option you do not make the static inside,inside for the DNS server, you make it for the WEBSERVER that needs to be reached. In this case the DNS record is never changed; instead, when the DNS server replies to you with the public address, the ASA will redirect you to the real IP address of your WEBSERVER.
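An added illustration of the two options discussed in this thread (DNS doctoring versus hairpinning), written for this page and not taken from the thread or from Cisco documentation. The addresses are constructed placeholders: 203.0.113.10 stands for the web server's public address, 192.168.1.10 for its real inside address, and 192.168.1.0/24 for the inside segment.

```text
! Constructed example, not the poster's configuration.
!
! Option 1: DNS doctoring. Only works when the client's DNS reply
! crosses the PIX (DNS server on outside or DMZ), and requires
! "inspect dns" in the global policy (already present in this thread).
! The "dns" keyword goes on the static for the WEB SERVER, not on the
! DNS server: as the reply passes from outside to inside, the PIX
! rewrites the A record 203.0.113.10 -> 192.168.1.10.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 dns
!
! Option 2: hairpinning. Used when DNS server and clients share the
! inside segment, so the reply never passes through the PIX and cannot
! be rewritten. The client connects to the public address; the PIX is
! allowed to turn traffic around on the inside interface and
! translates the destination to the real address. Again the static is
! for the WEB SERVER, not the DNS server.
same-security-traffic permit intra-interface
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! The server would otherwise see a client source of 192.168.1.x and
! answer it directly on the LAN, bypassing the PIX, so the client never
! gets a reply from 203.0.113.10. PAT on the inside interface makes the
! return traffic come back through the firewall as well.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
```

With option 2 in place, a quick check from an inside client is to connect to the public address and confirm on the PIX that an inside,inside translation is built for it; if the DNS server and the web server are the same host, as in this thread, the translation must still name the web server's public and private addresses, not the DNS role.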

smbtest12 Tue, 02/17/2009 - 19:03

OK, here I will need your help further.

We have a machine which is a DNS SERVER as well as a WEBSERVER.

The machine has the IPs, & Default GW is (inside if of PIX)

DNS Servers for this machine are itself ie & another DNS box

There is a website sitting in IIS whose www-A record points to

The Static NATTING configured means that translates to the inside as

The website can be reached from outside the LAN, but not from inside. I have made the change you just suggested, but still cannot see the website from .

Sorry for the trouble. I hope the above isn't confusing info. Thanks a lot


smbtest12 Mon, 03/09/2009 - 04:21

Hi Imartino

Sorry it's been a few days. Just to say many thanks for your help in this problem I had; I managed to solve it by editing host files to allow communications.

Brilliant thanks again



