Cannot Access websites behind PIX of DNS Server behind PIX

smbtest12
Level 1

Hi

As the title says, we cannot access our DNS server, which is 192.168.7.199, from any other hosts behind the PIX in the 192.168.7.0/24 range.

I have been through the document which talks about DNS rewrite and hairpinning, but neither seems to work. I think I am missing some setting(s) somewhere.

I have also been through some of the previous posts, especially this one: "Firewalling: Access external Static destined to DMZ from Inside Interface".

If you have any ideas, we would very much appreciate it.

We have set up as follows:

same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any object-group HTTP eq www
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.7.0 255.255.255.0
static (inside,inside) 194.xxx.yyy.199 192.168.7.199 netmask 255.255.255.255
static (inside,outside) 194.xxx.yyy.199 192.168.7.199 netmask 255.255.255.255

Thanks

Ali

15 Replies

Ivan Martinon
Level 7

Ali, question: are you trying to access your DNS from outside to inside, or is it from within the LAN?

Hi

We are trying to access the DNS server from inside the LAN without using local IP addressing. So, for example:

192.168.7.15 makes a DNS query for a website which is actually sitting on 192.168.7.199. When it traverses through the PIX into the DNS of the world, the reply is that this website is actually on 194.xxx.yyy.199, which is NATed to 192.168.7.199.

Hence the original request is from within the LAN, but it actually ends up coming from outside. Hope this makes sense; there is a diagram in the doc "http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#inspect"

Unfortunately, even after this, I'm stuck :,)

Thanks

husycisco
Level 7

Hello Ali,

Try this:

policy-map global_policy
 class inspection_default
  inspect dns

Regards

Hi, thanks for your reply.

I already have the following running:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

It wouldn't allow me to enter the config you sent as this is already present. Do I need to modify it?

Thanks

Ali

From where are you trying to access this DNS server? According to your post you cannot access it from behind the PIX LAN, and, if I understand correctly, your DNS falls within this same LAN segment, correct? In that case the DNS doctoring will never be applied. Can you confirm?

Yes, I can confirm that we are trying to access the DNS server from behind the PIX LAN, which means the DNS server and other hosts fall in the same LAN segment. The document which I mentioned earlier, from what I could see, is designed for this scenario, hence I tried DNS Doctoring, but didn't get very far with it.

Hope this helps. Let me know if you need more info

Regards

The key point of DNS doctoring is that the DNS request has to go through the firewall so that it can modify the DNS reply. In your case your goal, I presume, is to make it so that when your clients look for a site that resolves to a public IP address, the PIX changes the IP address to the private IP instead of using the public one.

Yes, I think perhaps that is what we are looking for. Any ideas on how I need to implement this?

Thanks

Ali

If your clients have a DNS that belongs to the inside... unless you change the MX record of your DNS to reflect the real IP address; of course, if this DNS is used to resolve names for outside people too, then you will be in problems...

Putting the DNS on a DMZ or on the outside will make the DNS query go through the ASA, causing it to be modified. Now have in mind that the entry that has the dns option enabled on it is the translation of your server; in other words, the static entry that tells the outside world that the private address of your webserver (as an example) will be translated to X public address, and not the DNS itself.

OK, thanks. I will review the setup tomorrow and get back to you. The Cisco doc looked pretty much the business for the situation that I found myself in. Anyhow, I will get this checked out tomorrow and let you know.

Thank you very much; I really appreciate your feedback.

Regards,

If you don't mind can you share that doc here?

This is the link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#inspect

Let me know your thoughts on it. Does it sound like I am missing a small component, or is it different to what I am after? I couldn't find much difference from our setup to the one in the doc. I also referred to the NetPro Forum thread titled "Firewalling: Access external Static destined to DMZ from Inside Interface".

Thanks

Oh OK, I see where you got it wrong: on the hairpinning option you do not make the static inside,inside of the DNS server, you do it of the WEBSERVER that needs to be reached. In this case the DNS record is never changed; instead, when the DNS server replies to you with the public address, the ASA will redirect you to the real IP address of your WEBSERVER.

OK, here I will need your help further.

We have a machine which is a DNS SERVER as well as a WEBSERVER.

The machine has the IPs 192.168.7.41, 192.168.7.51 & 192.168.7.52. Default GW is 192.168.7.1 (inside interface of the PIX).

DNS servers for this machine are itself, i.e. 192.168.7.41, & another DNS box, 192.168.7.165.

There is a website sitting in IIS whose www A record points to 194.xxx.yyy.41.

The static NATing configured means that 194.xxx.yyy.41 translates to the inside as 192.168.7.41.

The website can be reached from outside the LAN, but not from inside. I have made the change you just suggested, but still cannot see the website from 192.168.7.153.

Sorry for the trouble. I hope the above isn't confusing info. Thanks a lot

Ali
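Putting Ivan's two points together for the web server case in the last post, here is an added example PIX 7.x configuration (mine, not from the thread or from the Cisco document): the hairpin static is written for the web server address, and the dns keyword variant is shown separately because it only takes effect when the client's DNS query actually crosses the PIX. The interface names inside/outside and the addresses are taken from the thread; 194.xxx.yyy.41 stays masked as the thread wrote it and is a placeholder.

```cisco
! Common: let inside-to-inside traffic be hairpinned through the PIX
same-security-traffic permit intra-interface

! PAT for inside clients, on both exits. The inside global is what makes the
! hairpin work: the client's source is translated to the inside interface IP,
! so the web server's reply returns via the PIX instead of going straight to
! the client (which would break the firewall's TCP state). Expect the web
! server's logs to show 192.168.7.1 as the client address for these flows.
nat (inside) 1 192.168.7.0 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface

! Option A: hairpinning. The inside,inside static belongs to the WEB SERVER
! (192.168.7.41), not the DNS server. The client resolves www to 194.xxx.yyy.41,
! sends the SYN to its default gateway (the PIX), and the PIX translates the
! destination back to 192.168.7.41 on the inside interface.
static (inside,outside) 194.xxx.yyy.41 192.168.7.41 netmask 255.255.255.255
static (inside,inside)  194.xxx.yyy.41 192.168.7.41 netmask 255.255.255.255

! Option B: DNS doctoring (shown commented out). The dns keyword on the
! outside static rewrites the A record in DNS replies that pass through the
! PIX with inspect dns enabled. With the DNS servers (192.168.7.41 and .165)
! on the same inside segment as the clients, the reply never crosses the PIX,
! so this option does nothing in the thread's topology.
! static (inside,outside) 194.xxx.yyy.41 192.168.7.41 netmask 255.255.255.255 dns
! policy-map global_policy
!  class inspection_default
!   inspect dns preset_dns_map

! Checks after a client on 192.168.7.0/24 browses to the public name: a
! translation and an inside-to-inside connection for the server should appear.
! show xlate | include 192.168.7.41
! show conn | include 192.168.7.41
```

If the xlate and conn entries never appear, the client's packet is not reaching the PIX at all (for example the client resolved the private address, or has a more specific route), which is the first thing to verify before changing the static entries further.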
