Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1316
Views
0
Helpful
5
Replies

PIX and DNS Forwarding

Go to solution
vsclear
Level 1
Level 1

‎03-06-2007 10:45 PM - edited ‎03-11-2019 02:42 AM

Hi,

Is it possible to forward DNS requests addressed to a PIX inside interface out to ISP's DNS?

Thanks

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
vitripat
Level 7
Level 7
In response to vsclear

‎03-07-2007 04:54 PM

Officially, PIX is not designed to do so. But we can make it work by using following commands-

Suppose that ISPs DNS server IP is 4.2.2.2 and PIX inside interface IP is 1.1.1.1. In this case, try following commands:

static (outside,inside) udp interface 53 4.2.2.2 53

clear xlate

Now all the UDP port 53 requests, which are DNS requests, when directed to PIX's inside interface IP, PIX will redirect them to udp (53) on the ISP's DNS server.

Hope this works for you.

Regards,

Vibhor.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
vitripat
Level 7
Level 7

‎03-07-2007 08:26 AM

Do you mean to say that internal hosts are using PIX inside interface as a DNS server IP? Or is it that PIX is acting as a DHCP server for the internal clients?

0 Helpful

Go to solution
vsclear
Level 1
Level 1
In response to vitripat

‎03-07-2007 04:48 PM

Hi

I meant that internal PCs use PIX inside interface as a DNS server. In this case, the PIX should forward DNS requests to ISP's

DNS. Question: Can PIX do it?

0 Helpful

Go to solution
vitripat
Level 7
Level 7
In response to vsclear

‎03-07-2007 04:54 PM

Officially, PIX is not designed to do so. But we can make it work by using following commands-

Suppose that ISPs DNS server IP is 4.2.2.2 and PIX inside interface IP is 1.1.1.1. In this case, try following commands:

static (outside,inside) udp interface 53 4.2.2.2 53

clear xlate

Now all the UDP port 53 requests, which are DNS requests, when directed to PIX's inside interface IP, PIX will redirect them to udp (53) on the ISP's DNS server.

Hope this works for you.

Regards,

Vibhor.

0 Helpful

Go to solution
vsclear
Level 1
Level 1
In response to vitripat

‎03-07-2007 07:34 PM

Hello Vibhor,

Thank you for your help. I have just tried that command in small lab environment:

PC (192.168.2.2/29) --> PIX_inside (192.168.2.1/29) - PIX_outside(192.168.1.2/24) --> 2610_e0/0 (192.168.1.1/24)

I don't have an outside DNS server in the lab; therefore, to test it:

- 2610:

ip http server

ip http port 53

debug ip tcp packet

- PIX:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

static (outside, inside) tpc interface 80 192.168.1.1 53

- PC

http://192.168.1.1

Debug output on 2610 indicates that http traffic reaches the router; howerver, PIX does not translate port from 80 to 53:

00:21:41: tcp0: I LISTEN 192.168.1.2:1034 192.168.1.1:80 seq 2926118896

OPTS 8 SYN WIN 64512

Any idea how to check what is going on the PIX?

Thanks

Vadim

0 Helpful

Go to solution
vsclear
Level 1
Level 1
In response to vsclear

‎03-07-2007 11:09 PM

Hello Vibhor,

Please ignore my last update. The command you have posted is working! (I just did not test it correctly)

Thank you so much!

Vadim

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card