As the title says, we cannot access our DNS server, which is 192.168.7.199, from any other hosts behind the PIX in the 192.168.7.0/24 range.
I have been through the document which talks about DNS rewrite and hairpinning, but neither seems to work. I think I am missing some setting(s) somewhere.
I have also been through some of the previous posts, especially this one: "Firewalling: Access external Static destined to DMZ from Inside Interface"
If you have any ideas, we would very much appreciate it.
We have set up as follows:
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any object-group HTTP eq www
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.7.0 255.255.255.0
static (inside,inside) 194.xxx.yyy.199 192.168.7.199 netmask 255.255.255.255
static (inside,outside) 194.xxx.yyy.199 192.168.7.199 netmask 255.255.255.255
We are trying to access the DNS server from inside the LAN without using local IP addressing. So, for example:
192.168.7.15 makes a DNS query for a website which is actually sitting on 192.168.7.199. When it traverses through the PIX into the DNS of the world, the reply is that this website is actually on 194.xxx.yyy.199, which is NATted to 192.168.7.199.
Hence the original request is from within the LAN, but it actually ends up coming from outside. Hope this makes sense; there is a diagram in the doc "http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#inspect"
Unfortunately, even after this, I'm stuck :,)
Hi, thanks for your reply
I already have the following running
inspect dns preset_dns_map
It wouldn't allow me to enter the config you sent, as this is already present. Do I need to modify it?
From where are you trying to access this DNS server? According to your post you cannot access it from behind the PIX LAN, and if I understand correctly your DNS falls within this same LAN segment, correct? In that case the DNS doctoring will never be applied. Can you confirm?
Yes, I can confirm that we are trying to access the DNS server from behind the PIX LAN, which means the DNS server and other hosts fall in the same LAN segment. The document which I mentioned earlier, from what I could see, is designed for this scenario, hence I tried DNS Doctoring, but didn't get very far with it.
Hope this helps. Let me know if you need more info
The key point of DNS doctoring is that the DNS request has to go through the firewall so that it can modify the DNS reply. In your case your goal, I presume, is that when your clients look up a site that resolves to a public IP address, the PIX changes the IP address to the private IP instead of using the public one.
Yes, I think perhaps that is what we are looking for. Any ideas on how I need to implement this?
If your clients have a DNS that belongs to the inside... unless you change the MX record of your DNS to reflect the real IP address; of course, if this DNS is used to resolve names for outside people too, then you will be in problems...
Putting the DNS on a DMZ or on the outside will make the DNS query go through the ASA, causing it to be modified. Now have in mind that the entry that has the dns option enabled on it is the translation of your server, in other words the static entry that tells the outside world that the private address of your webserver (as an example) will be translated to X public address, and not the DNS itself.
Ok, thanks. I will review the setup tomorrow and get back to you. The Cisco doc looked pretty much the business for the situation that I found myself in. Anyhow, I will get this checked out tomorrow and let you know.
Thank you very much, I really appreciate your feedback.
This is the link
Let me know your thoughts on it. Does it sound like I am missing a small component, or is it different to what I am after? I couldn't find much difference between our setup and the one in the doc. I also referred to the NetPro Forum thread titled "Firewalling: Access external Static destined to DMZ from Inside Interface".
Oh ok, I see where you got it wrong. On the hairpinning option you do not make the static (inside,inside) of the DNS server; you do it for the WEBSERVER that needs to be reached. In this case the DNS record is never changed; instead, when the DNS server replies to you with the public address, the ASA will redirect you to the real IP address of your WEBSERVER.
OK, here I will need your help further.
We have a machine which is a DNS SERVER as well as a WEBSERVER.
The machine has the IPs 192.168.7.41, 192.168.7.51 & 192.168.7.52. Default GW is 192.168.7.1 (inside interface of the PIX).
DNS servers for this machine are itself, i.e. 192.168.7.41, & another DNS box, 192.168.7.165.
There is a website sitting in IIS whose www-A record points to 194.xxx.yyy.41
The static NATting configured means that 194.xxx.yyy.41 translates to the inside as 192.168.7.41.
The website can be reached from outside the LAN, but not from inside. I have made the change you just suggested, but still cannot see the website from 192.168.7.153.
Sorry for the trouble. I hope the above isn't confusing info. Thanks a lot.
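The two approaches discussed in this thread (DNS doctoring via the dns keyword on the static, and hairpinning via a static (inside,inside) for the web server rather than the DNS server) written out as one PIX/ASA 7.x configuration. This is an added example, not the poster's configuration and not taken from the Cisco document; it assumes the setup described above, with the web server at 192.168.7.41 published as 194.xxx.yyy.41 and the 194.xxx.yyy.41 address kept as the thread's placeholder.

```cisco
! Added example, not the original poster's config. Assumes a PIX/ASA 7.x with
! interfaces named "inside" and "outside", web server 192.168.7.41 published
! as 194.xxx.yyy.41 (placeholder address taken from the thread).

! Required for hairpinning: let traffic enter and leave the same interface.
same-security-traffic permit intra-interface

! Inside hosts that hairpin are PATed to the inside interface address, so the
! web server's reply returns through the PIX instead of going direct.
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.7.0 255.255.255.0

! Option A: DNS doctoring. The "dns" keyword makes the PIX rewrite A-record
! answers that pass through this translation, so a client whose DNS reply
! crosses the firewall gets 192.168.7.41 instead of 194.xxx.yyy.41.
! It does nothing when client and DNS server sit on the same inside segment,
! because that reply never reaches the PIX.
static (inside,outside) 194.xxx.yyy.41 192.168.7.41 netmask 255.255.255.255 dns

! Option B: hairpinning. The static is for the WEB server (the host being
! reached), not for the DNS server. An inside client that connects to
! 194.xxx.yyy.41 is redirected by the PIX to 192.168.7.41 on the same interface.
static (inside,inside) 194.xxx.yyy.41 192.168.7.41 netmask 255.255.255.255

! DNS inspection must be enabled for the "dns" keyword in option A to apply.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! Outside access to the published web server stays as in the thread.
access-list outside_access_in extended permit tcp any host 194.xxx.yyy.41 eq www
access-group outside_access_in in interface outside
```

With option B, "show xlate" on the PIX should show an inside-to-inside translation for 192.168.7.41 after a client on the inside segment connects to 194.xxx.yyy.41; if no xlate appears, the client's traffic is not reaching the PIX (for example because the client and server share a segment and the client resolved the private address directly), which is the same reason option A cannot help when the DNS server is on the inside.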
Sorry it's been a few days. Just to say many thanks for your help with this problem I had; I managed to solve it by editing hosts files to allow communications.
Brilliant, thanks again.