Cisco Support Community

New Member

resolving URL's from DMZ

I have a pix firewall (515e) and a windows computer on the DMZ that has its default DNS pointing to a server on the inside allowing connection to key computers on the inside. I need to connect to the internet from this DMZ computer as well on the outside but unfortunately I can't resolve any URLs. Any ideas? thanks!

19 REPLIES
Green

Re: resolving URL's from DMZ

Either use external dns for dmz machines or write an acl allowing dns traffic from dmz to inside dns servers.

New Member

Re: resolving URL's from DMZ

If I use an external dns (set the computer's default dns to point to the outside dns server), I will lose dns resolution to the inside computers. I need to resolve dns both ways.

Hall of Fame Super Blue

Re: resolving URL's from DMZ

Hi

How many of the key systems does the server in the DMZ need to talk to? Hopefully not too many :-)

If it is a few key systems you could use the local hosts file for these servers and then point your windows server to DNS servers on the Internet for resolution of all other servers.

It's not a pretty solution and it depends on how many servers you need to talk to on the inside.

HTH

Jon

New Member

Re: resolving URL's from DMZ

Thanks for the replies...unfortunately using hosts files still doesn't work...seems to get confused and net result is that the focus appears to be on the gateway setting.

Green

Re: resolving URL's from DMZ

Host files get checked before resolving to dns server. What do you mean by "seems to get confused and net result is that the focus appears to be on the gateway setting"?

New Member

Re: resolving URL's from DMZ

When I point my dmz computer's default gateway to the outside DNS, internet access works fine. With hosts file setup with all my inside hosts I'm having problems connecting to my DC (which is on the inside). When I change my dmz computer's default gateway to the inside DNS and disable the hosts file, I cannot connect to the outside internet but I have full access to the DC. It sounds pretty straightforward and I figured it would work ...not sure if I'm doing something wrong here.

Green

Re: resolving URL's from DMZ

By "default gateway" I assume you mean "default dns"?

New Member

Re: resolving URL's from DMZ

yes...typo

Green

Re: resolving URL's from DMZ

what does your access-list look like that is applied "in interface dmz"?

New Member

Re: resolving URL's from DMZ

My Inside security level = 100

My DMZ security level = 100

My Outside security level = 0

access-list DMZ_access_in extended permit tcp any any eq www

access-list dmz_access_in extended permit icmp any any

access-list OUTSIDE_access_in extended permit tcp any any eq sqlnet

access-list OUTSIDE_access_in extended permit tcp any any eq 522

access-list OUTSIDE_access_in extended permit tcp any any eq 1731

access-list OUTSIDE_access_in extended permit tcp any any eq 1503

access-list OUTSIDE_access_in extended permit tcp any any eq ldap

access-list OUTSIDE_access_in extended permit tcp any any eq h323

access-list OUTSIDE_access_in extended permit tcp any any eq 3389

Green

Re: resolving URL's from DMZ

If you want to allow dmz machines to access inside machines, it has to be permitted in your DMZ_access-in acl. For instance, dns.

access-list DMZ_access_in extended permit udp any host eq 53

New Member

Re: resolving URL's from DMZ

Does my access level of 100 for both dmz and inside not allow free flow of traffic without acl?

Green

Re: resolving URL's from DMZ

Oh, I skimmed over that. It depends on what code your pix is, 7 will allow it, 6 will not.

New Member

Re: resolving URL's from DMZ

...also, when I'm set up this way I can still connect to all inside computers including my DNS.

New Member

Re: resolving URL's from DMZ

...I'm at 7

Green

Re: resolving URL's from DMZ

So, everything works fine but you can't get to the internet? Are these windows machines? Do you know how to do an nslookup?

New Member

Re: resolving URL's from DMZ

Yes, I've run nslookup. When my dns is set for the outside I can resolve any url. When my dns is set for the inside nslookup can't find url (which makes sense).

Green

Re: resolving URL's from DMZ

Why would that make sense, you are pointing to an inside dns server?

New Member

Re: resolving URL's from DMZ

A couple of things.

While not necessarily secure (as the above list is not) you can add this and it should fix your problem...

access-list dmz_access_in extended permit tcp any any eq domain

access-list dmz_access_in extended permit udp any any eq domain
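
Added example, not part of any post in this thread and not Cisco code: a simplified first-match evaluator in Python that runs a DNS query against the DMZ entries posted above, the any/any DNS entries from the last reply, and a constructed host-scoped alternative. Assumptions: 192.0.2.53 is a placeholder for the inside DNS server, the other addresses are constructed, the ACL name is ignored so the differently-cased entries are treated as one list, and only the `any`, `host` and `eq` forms seen in the thread are parsed.

```python
import ipaddress

PORTS = {"www": 80, "domain": 53}  # PIX port keywords used in the thread

# The two DMZ entries as posted in the thread.
POSTED = [
    "access-list DMZ_access_in extended permit tcp any any eq www",
    "access-list dmz_access_in extended permit icmp any any",
]
# The any/any DNS entries suggested in the last reply.
BROAD = POSTED + [
    "access-list dmz_access_in extended permit tcp any any eq domain",
    "access-list dmz_access_in extended permit udp any any eq domain",
]
# Constructed alternative: DNS only to one resolver (192.0.2.53 is a placeholder).
SCOPED = POSTED + [
    "access-list dmz_access_in extended permit tcp any host 192.0.2.53 eq domain",
    "access-list dmz_access_in extended permit udp any host 192.0.2.53 eq domain",
]

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address form: " + tokens[0])

def parse(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    action, proto, *rest = line.split()[3:]
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, s, d, port = parse(line)
        if p in (proto, "ip") and src in s and dst in d and port in (None, dport):
            return action
    return "deny"  # nothing matched: implicit deny at the end of every ACL

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("broad", BROAD), ("scoped", SCOPED)):
        print(name, evaluate(acl, "udp", "192.0.2.10", "198.51.100.7", 53))
```

The evaluator models only ACL matching; security levels, NAT and the order in which a real PIX applies them are outside its scope.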
