Cisco Support Community

Public DNS Server behind PIX 501

I have two publicly accessible DNS servers that I am trying to put behind a PIX 501 to provide name resolution for the domains that we host. I can assign the public IP address to the WAN interface of the PIX and set up a static NAT to the internal address that has been assigned to the DNS server. I can run a sniffer and see there are lookup requests being passed to the DNS server from the PIX, but I am not seeing any responses from the DNS server or any non-authoritative lookup requests being made.

Thank you for your help,

Tim

5 REPLIES

Re: Public DNS Server behind PIX 501

Hi .. static NAT and DNS access to the external IP address is all you need to allow lookups from the Internet. If while sniffing the packets you are able to see DNS requests from external addresses reaching your DNS server but no response back, then the issue is most likely the DNS server itself .. make sure the DNS services are up and running and also make sure the default gateway is properly configured.

I hope it helps .. please rate it if it does !!!


Re: Public DNS Server behind PIX 501

Both DNS servers work well when they are not behind the firewall. I will check with Microsoft to see if there is something that needs to be configured on the DNS when you are using NAT.

Thank you,

Tim


Re: Public DNS Server behind PIX 501

Hi,

I think you need to use the dns keyword after the static command, to allow the DNS process to work properly. For example:

static (dmz,outside) external_ip internal_ip dns

Hope it is helpful.

Re: Public DNS Server behind PIX 501

Hi .. the dns parameter is used when you want to rewrite DNS responses (DNS doctoring). Please refer to the link below for an explanation.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Re: Public DNS Server behind PIX 501

Hi .. I suggest mirroring the port of one of the DNS servers and looking at the packets using Ethereal .. basically you will need to check whether DNS requests are reaching the server and whether the server is sending the responses back ..

If the server is in fact sending responses back .. then the packets must be dropped in transit .. and then you can start looking at whatever is between the firewall and the DNS server.

If the server is not sending responses back, then the issue is the server.

If the server is not receiving DNS requests at all from the Internet, then make sure that the access list applied to the outside interface allows DNS for the public address you are using on your static NAT commands.

Just out of curiosity, can you post the output of

show run | inc dns

from your PIX ..
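The last reply's third check (does the outside access list actually permit DNS to the public address used in the static?) is easy to get wrong by hand when there are several statics. The script below is an added example, not code from the thread or from Cisco: it parses a constructed, PIX 6.x-style `show run` excerpt (documentation addresses 203.0.113.x and a made-up inside DNS server 192.168.10.5) and reports, for every static that publishes a DNS server, whether the ACL bound inbound on `outside` permits UDP and TCP port 53 to the mapped IP. It only covers the static/ACL consistency check; it does not replace the packet capture the reply recommends. The ACL parsing handles the common `any` / `host x` / `eq port` forms and is an assumption about the syntax in use, not a full PIX grammar.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of "show run" output (not the poster's real configuration).
# The DNS server 192.168.10.5 is published on the outside as 203.0.113.10.
SAMPLE_SHOW_RUN = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-list outside_in permit tcp any host 203.0.113.10 eq 53
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-group outside_in in interface outside
static (inside,outside) 203.0.113.10 192.168.10.5 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.10.6 netmask 255.255.255.255 0 0
"""

DNS_PORTS = {"53", "domain"}

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (udp|tcp|ip) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_statics(config: str) -> Dict[str, str]:
    """Map mapped (public) IP -> real (inside) IP for every static translation."""
    statics: Dict[str, str] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _real_ifc, _mapped_ifc, mapped_ip, real_ip = m.groups()
            statics[mapped_ip] = real_ip
    return statics


def _dest_and_port(tokens: List[str]) -> Tuple[str, str]:
    """Pull the destination ('any', a host IP, or net/mask) and 'eq' port from an ACE."""
    port = ""
    if "eq" in tokens:
        i = len(tokens) - 1 - tokens[::-1].index("eq")  # last 'eq' = destination port
        port = tokens[i + 1]
        tokens = tokens[:i]
    if tokens[-2:-1] == ["host"]:
        return tokens[-1], port
    if tokens[-1] == "any":
        return "any", port
    return tokens[-2] + "/" + tokens[-1], port


def parse_outside_acl(config: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (acl_name, [(proto, dest, port)]) for the ACL applied inbound on 'outside'."""
    bound: Dict[str, str] = {}
    for line in config.splitlines():
        g = GROUP_RE.match(line.strip())
        if g:
            bound[g.group(2)] = g.group(1)
    acl_name = bound.get("outside", "")
    entries: List[Tuple[str, str, str]] = []
    if not acl_name:
        return acl_name, entries  # no ACL bound: PIX denies inbound to statics
    for line in config.splitlines():
        a = ACL_RE.match(line.strip())
        if a and a.group(1) == acl_name:
            dest, port = _dest_and_port(a.group(3).split())
            entries.append((a.group(2), dest, port))
    return acl_name, entries


def check_dns_publishing(config: str, inside_dns_servers: Set[str]) -> Dict[str, List[str]]:
    """For each static that publishes a DNS server, list which of udp/tcp 53 the
    outside ACL does NOT permit to the mapped IP. An empty list means DNS is allowed."""
    statics = parse_statics(config)
    _acl_name, entries = parse_outside_acl(config)
    report: Dict[str, List[str]] = {}
    for mapped_ip, real_ip in statics.items():
        if real_ip not in inside_dns_servers:
            continue
        missing = []
        for proto in ("udp", "tcp"):
            allowed = any(
                e_proto in (proto, "ip")
                and e_dest in (mapped_ip, "any")
                and (e_port == "" or e_port in DNS_PORTS)
                for e_proto, e_dest, e_port in entries
            )
            if not allowed:
                missing.append(proto)
        report[mapped_ip] = missing
    return report


if __name__ == "__main__":
    for ip, missing in check_dns_publishing(SAMPLE_SHOW_RUN, {"192.168.10.5"}).items():
        print(ip, "OK" if not missing else "missing: " + ", ".join(missing))
```

Run it against your own `show run` output (pasted into `SAMPLE_SHOW_RUN` or read from a file) with the inside addresses of the DNS servers; a reported "missing: udp" is the case the last reply describes, where requests never reach the server because the outside ACL does not permit them.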
