11-28-2005 12:47 PM - edited 03-09-2019 01:10 PM
I'm stumped on this one. Our ISP handles our DNS services and last week I added a host name with them that points to a static public IP on our network, I'll call it: 209.209.209.209
This hostname/address is for a private webserver I'm running internally and I need to be able to access it using the host name externally and internally but so far it only seems that the host name works on the outside. I can't seem to figure out what I'm doing wrong or forgetting to do to allow internal users to also access it with the hostname. I configured my PIX over a year ago and I've forgotten a lot of what's required.
I've added the following two lines to my PIX 515e with no success.
access-list 100 permit tcp any host 209.209.209.209 eq www
static (inside,outside) 209.209.209.209 192.168.10.4 netmask 255.255.255.255 0 0
Do I need to route DNS somehow specifically for this IP or is it something that is done automatically?
Thanks for any direction that can be provided.
Chris
11-28-2005 01:28 PM
Hi Chris,
This is always an issue when you use an external DNS server to resolve internal hosts.
There are two solutions.
PIX OS 6.2 and higher:
static (inside,outside) 209.209.209.209 192.168.10.4 netmask 255.255.255.255 dns
PIX OS 6.1 and before:
alias (inside) 192.168.10.4 209.209.209.209 netmask 255.255.255.255
Both solutions translate the DNS A record for the internal host.
Regards,
Dave
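An added illustration, not part of the thread and not Cisco's implementation: a simplified Python model of the DNS A-record rewrite that the reply above attributes to the `dns` keyword and to `alias`. The function names and the DNS reply are constructed for this example; only the two addresses and the host name come from the thread.

```python
import socket
import struct

def build_response(name, ip, txid=0x1234):
    """Construct a minimal DNS reply: one question, one IN A answer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # Answer name is a compression pointer to offset 12 (the question name).
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer

def skip_name(msg, off):
    """Return the offset just past a name (labels or compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def a_records(msg):
    """Yield (rdata_offset, dotted_ip) for each IN A record in the answers."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, socket.inet_ntoa(msg[off:off + 4])
        off += rdlen

def doctor(msg, mapped_to_real):
    """Rewrite A records holding a mapped (outside) IP to the real (inside) IP."""
    out = bytearray(msg)
    for off, ip in a_records(msg):
        if ip in mapped_to_real:
            out[off:off + 4] = socket.inet_aton(mapped_to_real[ip])
    return bytes(out)

# Constructed sample: the thread's static maps 209.209.209.209 to 192.168.10.4.
STATIC = {"209.209.209.209": "192.168.10.4"}
reply = build_response("webtimesheets.mydomain.com", "209.209.209.209")
print([ip for _, ip in a_records(doctor(reply, STATIC))])  # -> ['192.168.10.4']
```

Only the four address bytes change, so the transaction ID, question and record lengths still match what the inside client expects.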
11-29-2005 06:29 AM
Thanks for your response Dave. The PIX OS is 6.3.
I actually tried the first solution already with no success. As I stated in my initial post in this thread I have tried:
static (inside,outside) 209.209.209.209 192.168.10.4 dns netmask 255.255.255.255 0 0
I accidentally omitted the 'dns' from my post since I was typing from memory but it was in the config. Isn't that the same as your first solution?
11-30-2005 10:25 AM
So I'm at a loss why this is not working...
I've confirmed that my host name "webtimesheets.mydomain.com" refers to:
209.209.209.209
I've confirmed that I can reach the webserver that the host name refers to externally from the internet using either the host name "webtimesheets.mydomain.com" or the IP:
209.209.209.209
I've confirmed that this line is in my config:
static (inside,outside) 209.209.209.209 192.168.10.4 dns netmask 255.255.255.255 0 0
I've confirmed that I can reach my server internally using the IP:
192.168.10.4
But I cannot reach the server internally using the hostname "webtimesheets.mydomain.com"!
Please, if someone has any ideas, I would appreciate them. Thanks.
Chris
12-01-2005 12:44 PM
I think I figured out what the problem was...
I had the following line in my config in a spot where I wasn't looking:
http 209.209.209.209 255.255.255.255 inside
I'm guessing this is to use PDM(?) over http which I believe we used last year to configure the PIX initially. This IP had previously been used by a Dell laptop I had been using to configure the PIX and it used that IP.
Maybe that wasn't the problem but it is working now.
12-04-2005 01:21 PM
Hi,
Alternatively, you could try:
alias (inside) 192.168.10.4 209.209.209.209 netmask 255.255.255.255
Alias was used prior to 6.2. It should also re-write the DNS A-Record.
Regards,
Dave