Cisco Support Community

New Member

Internal DNS to external DNS through PIX 525E

Hello,

I also posted this issue in general conversation by mistake :(

We have a PIX 525E as our firewall, and it has 4 interfaces: Outside, DMZ1, DMZ2 and Inside.

Currently we are trying to develop an FQDN primary DNS server on the inside interface, with our ISP's DNS as our secondary (backup) DNS server on the outside.

Here is my network:

Inside : a.a.a.a (DNS Server)

DMZ1 : b.b.b.b (Web Server)

DMZ2 : c.c.c.c (Mail Server)

Outside : d.d.d.d (ISP)

And here is our Cisco 525E config (copied and edited from the sh run output):

name a.a.a.3 DNSserver

name b.b.b.3 WebServer

name c.c.c.3 MailServer

ip address outside d.d.d.10 255.255.255.0

ip address inside a.a.a.1 255.255.255.0

ip address DMZ1 b.b.b.1 255.255.255.0

ip address DMZ2 c.c.c.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (DMZ1) 0 access-list DMZ1_inbound_nat0_acl outside

static (inside,DMZ1) b.b.b.10 DNSserver dns netmask 255.255.255.255 0 0

static (inside,DMZ2) c.c.c.10 DNSserver dns netmask 255.255.255.255 0 0

static (DMZ1,DMZ2) c.c.c.15 WebServer dns netmask 255.255.255.255 0 0

static (inside,outside) d.d.d.13 DNSserver dns netmask 255.255.255.255 0 0

static (DMZ1,outside) d.d.d.12 WebServer dns netmask 255.255.255.255 0 0

static (DMZ2,outside) d.d.d.11 MailServer dns netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group DMZ1_access_in in interface DMZ1

access-group DMZ2_access_in in interface DMZ2

access-list outside_access_in permit tcp any host d.d.d.13 eq domain

access-list outside_access_in permit udp any host d.d.d.13 eq domain

access-list outside_access_in permit tcp any host d.d.d.12 eq http

access-list inside_access_in permit tcp any any

access-list DMZ1_access_in permit tcp any any

access-list DMZ2_access_in permit tcp any any

Our plan is to have the FQDN DNS server serve our LAN and also the internet, and to have our ISP's DNS server as backup.

Our problem is setting the IP address in our DNS:

1. If we put the public IP on the www record, our other servers, including the web server itself, can't browse the web page.

2. If we put the local IP on the www record, our other servers can access the web page, but the secondary DNS (at the ISP) will also retrieve the local address, therefore internet users couldn't access our web page.

3. Our DNS server is based on MS Windows Server and the ISP is using BIND. Is that also part of the problem?

What have I done wrong? Is it possible to implement our plan in the first place?

1 REPLY
Cisco Employee

Re: Internal DNS to external DNS through PIX 525E

This all depends on what interface your internal users and your DNS servers are on. First off, put the global address of the web server in your DNS server; that way external users will work fine.

Going by your statics, your DNS server is on the inside interface, and presumably so are your internal users. Because both the users and the DNS server are on the same interface, the "dns" option on the statics won't work; it only works if the PIX sees a DNS reply come through it, which it never will because the users and the DNS server are co-located.

To get this to work you need to configure destination-NAT, where the PIX will change the destination of the packet as it goes through it. Your internal users will do a DNS query for your web server, the DNS server will return the global address, and the PC will then attempt to connect to that address. When the PIX sees this address it changes it to the local address and sends it to the DMZ interface. The command to do this is as follows:

static (DMZ1,inside) d.d.d.12 WebServer netmask 255.255.255.255

Note the interface names are swapped around from a "normal" static ((lower,higher) instead of (higher,lower)). This tells the PIX that if it sees a packet on the inside interface destined for d.d.d.12, change the destination to WebServer (b.b.b.3) and send it to the DMZ1 interface.
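The two mechanisms the reply relies on (the "dns" keyword on a static only rewriting A records in replies that actually transit the PIX, and a (lower,higher) static rewriting the destination of a connection) can be walked through with a small model. The block below is an added example, not code from the thread or from Cisco: it treats the poster's placeholder addresses (a.a.a.3, b.b.b.3, d.d.d.12, ...) as opaque strings, assumes only host statics (netmask 255.255.255.255), and simplifies the PIX/ASA DNS rewrite rule to "rewrite mapped-to-real when the reply enters on the mapped interface, real-to-mapped when it enters on the real interface". The outside ACL is taken from the posted outside_access_in lines (only d.d.d.13 and d.d.d.12 are permitted in from the internet).

```python
# Added example (not from the thread): a model of PIX destination handling
# and DNS doctoring, just enough to reproduce the four cases discussed above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """static (real_if,mapped_if) mapped real [dns] netmask 255.255.255.255"""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    dns: bool = False


# From the posted outside_access_in lines: hosts reachable from the internet
# (pre-8.3 style ACLs match the mapped address, before translation).
OUTSIDE_ACL_PERMITTED = {"d.d.d.13", "d.d.d.12"}


class Pix:
    def __init__(self, local_hosts, statics):
        self.local_hosts = dict(local_hosts)   # real address -> interface
        self.statics = list(statics)

    def route(self, ingress_if, dst):
        """(egress_if, translated_dst) for a packet entering on ingress_if.
        A static whose mapped address is visible on ingress_if rewrites the
        destination to the real address and forwards out the real interface.
        Anything else goes untranslated to the interface that owns the
        address, or out the default route (outside) if no interface does."""
        if ingress_if == "outside" and dst not in OUTSIDE_ACL_PERMITTED:
            return "dropped", dst               # denied by outside_access_in
        for s in self.statics:
            if s.mapped_if == ingress_if and s.mapped == dst:
                return s.real_if, s.real
        return self.local_hosts.get(dst, "outside"), dst

    def dns_reply(self, server_if, client_if, a_record):
        """Apply the "dns" keyword to the A record of a reply travelling
        from server_if to client_if (simplified PIX/ASA behaviour)."""
        if server_if == client_if:
            return a_record                     # never crosses the PIX
        for s in self.statics:
            if not s.dns:
                continue
            if server_if == s.mapped_if and a_record == s.mapped:
                return s.real
            if server_if == s.real_if and a_record == s.real:
                return s.mapped
        return a_record


# Placeholder addresses exactly as posted; interface names as posted.
LOCALS = {"a.a.a.3": "inside", "b.b.b.3": "DMZ1", "c.c.c.3": "DMZ2"}

POSTED_STATICS = [
    Static("inside", "DMZ1", "b.b.b.10", "a.a.a.3", dns=True),
    Static("inside", "DMZ2", "c.c.c.10", "a.a.a.3", dns=True),
    Static("DMZ1", "DMZ2", "c.c.c.15", "b.b.b.3", dns=True),
    Static("inside", "outside", "d.d.d.13", "a.a.a.3", dns=True),
    Static("DMZ1", "outside", "d.d.d.12", "b.b.b.3", dns=True),
    Static("DMZ2", "outside", "d.d.d.11", "c.c.c.3", dns=True),
]
# The reply's fix: static (DMZ1,inside) d.d.d.12 WebServer netmask 255.255.255.255
DEST_NAT_FIX = Static("DMZ1", "inside", "d.d.d.12", "b.b.b.3")


def browse(pix, client_if, dns_if, www_record):
    """Resolve www from a DNS server on dns_if, then connect to the answer.
    Returns (address the client received, interface the PIX forwards the
    connection to, destination address after translation)."""
    answer = pix.dns_reply(dns_if, client_if, www_record)
    egress_if, dst = pix.route(client_if, answer)
    return answer, egress_if, dst


def reaches_web_server(result):
    """True when the connection lands on the real web server in DMZ1."""
    return result[1:] == ("DMZ1", "b.b.b.3")


if __name__ == "__main__":
    before = Pix(LOCALS, POSTED_STATICS)
    after = Pix(LOCALS, POSTED_STATICS + [DEST_NAT_FIX])
    cases = [
        ("inside user, inside DNS, www=global, posted config", before, "inside", "inside", "d.d.d.12"),
        ("inside user, inside DNS, www=global, with (DMZ1,inside)", after, "inside", "inside", "d.d.d.12"),
        ("outside user, inside DNS, www=global", before, "outside", "inside", "d.d.d.12"),
        ("outside user, ISP secondary DNS, www=local", before, "outside", "outside", "b.b.b.3"),
    ]
    for label, pix, client_if, dns_if, record in cases:
        r = browse(pix, client_if, dns_if, record)
        print(f"{label}: answer={r[0]} -> {r[1]}/{r[2]} ok={reaches_web_server(r)}")
```

The first case reproduces the poster's problem 1 (an inside user's SYN to d.d.d.12 leaves via the default route, because the only static for d.d.d.12 applies to packets entering on outside); adding the (DMZ1,inside) static is what turns it into a hit on b.b.b.3 in DMZ1. The last case reproduces problem 2: a local address handed out by the ISP's secondary never transits the PIX, so nothing can doctor it, and the internet user's packet is denied by outside_access_in.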
