Cisco Support Community

New Member

Need help with DNS.

Hi All

I hope someone can please help me with this.

Basically I've set up a new DMZ called dmz2. The servers in dmz2 are acting weird. Basically if I do a "dig" lookup using a DNS server in "dmz" I get a response. However, if I do a ping, say to www.google.com, I get a reply "host not found". It's as though it can't contact the DNS server in "dmz".

I'm sure this is probably a config problem. Could someone please help me figure this out.

I've attached my config file for reference.

Thanks in advance

Dan

5 REPLIES
New Member

Re: Need help with DNS.

Hi !

Based on this policy

nameif ethernet2 dmz security50

nameif ethernet3 dmz2 security10

ip address dmz x.x.x.17 255.255.255.240

ip address dmz2 y.y.y.65 255.255.255.240

and considering that servers on dmz2 need connection to the servers on dmz, you will need a static statement.

Remember that in order to allow access from a low-security interface (dmz2) to a high-security interface (dmz) you will need a static statement.

Like this in case you don't need NAT:

static (dmz,dmz2) x.x.x.17 x.x.x.17 netmask 255.255.255.240

Like this in case you do need NAT:

static (dmz,dmz2) y.y.y.??? x.x.x.??? netmask 255.255.255.255

Please let me know what you think.

New Member

Re: Need help with DNS.

Hello Dan,

I've looked into your config file, and it looks like you're missing a static to allow access from dmz2 to dmz. The security level of dmz2 is 10, while the security level of dmz is 50.

This means that you can go from dmz to dmz2 without any problem (you can always go from a higher security level to a lower), but the other way around you need to do that via the static command.

Depending on whether you want to NAT from dmz2 to dmz, you can choose the static command.

The command

static (dmz,dmz2) y.y.y.64 y.y.y.64 netmask 255.255.255.240

should do the trick.

Check out the following documents at CCO:

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K19345362

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#42654

Hope this helps,

Pieter-Jan

New Member

Re: Need help with DNS.

Hi All

Thanks for your detailed replies, it's appreciated.

The problem I have is that one answer says:

No Nat

static (dmz,dmz2) x.x.x.17 x.x.x.17 netmask 255.255.255.240

like this in case you do need NAT

static (dmz,dmz2) y.y.y.??? x.x.x.??? netmask 255.255.255.255

While the other answer says:

static (dmz,dmz2) y.y.y.64 y.y.y.64 netmask 255.255.255.240

Which one of them is right, if I'm not using NAT?

Thanks again.

Dan

New Member

Re: Need help with DNS.

Hello Dan,

The trick is that if you leave the network address the same, you tell the PIX to NAT from the source address to the same address.

For example:

static (dmz,dmz2) 10.10.10.64 10.10.10.64 netmask 255.255.255.240

tells the PIX to translate the network 10.10.10.64 to 10.10.10.64, resulting in not doing NAT, but allowing access from a less secure network to a more secure network without NATting between the networks.

Hope this helps,

Kind regards,

Pieter-Jan

New Member

Re: Need help with DNS.

Hello Dan

You can solve the problem of accessing a high-security interface from a low-security interface in two ways: one uses the addresses of the high-security interface subnet (in your case addresses of the dmz), the other uses addresses of the low-security subnet (in your case the dmz2).

The first case :

static (dmz,dmz2) x.x.x.17 x.x.x.17 netmask 255.255.255.240

meaning

static (dmz,dmz2) dmz_subnet_IP dmz_subnet_IP netmask 255.255.255.240

an example with numbers

ip address dmz 192.168.120.254 255.255.255.0

ip address dmz2 192.168.130.254 255.255.255.0

static (dmz,dmz2) 192.168.120.0 192.168.120.0 netmask 255.255.255.0

This command means that to communicate with the servers on your dmz, your servers on the dmz2 will use the original IP addresses on dmz as if there were NO NAT; they will use the original IP addresses of the servers on the dmz as if there were no translation at all.

On the other hand the second option uses the static command as follows

static (dmz,dmz2) y.y.y.??? x.x.x.??? netmask 255.255.255.255

meaning :

static (dmz,dmz2) dmz2_subnet_IP dmz_subnet_IP netmask 255.255.255.255

an example with numbers :

ip address dmz 192.168.120.254 255.255.255.0

ip address dmz2 192.168.130.254 255.255.255.0

static (dmz,dmz2) 192.168.130.26 192.168.120.24 netmask 255.255.255.255

means that server 192.168.120.24 on dmz will appear to servers on dmz2 as having the IP address 192.168.130.26 (there is a translation).

IMHO the first option is better, because it keeps your addresses without change.

But it always depends on your particular situation and applications.

Hope this helps.

Please rate if this helps !
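The two static forms discussed in this thread (identity static for a whole subnet versus a one-to-one translation) as an added example that is not part of the thread, of Dan's config, or of the PIX software: a small Python model of how a `static (real_ifc,mapped_ifc) mapped real netmask mask` line is parsed and looked up. The interface names, the security levels 50/10, the 192.168.120.0 and 192.168.130.0 addresses and the DNS-server address 192.168.120.24 are constructed for the example. The model covers only the translation step and the security-level rule; a real PIX also needs an access-list on the lower-security interface before lower-to-higher traffic is permitted, which is not modelled here.

```python
"""Toy model of PIX static lookups between two DMZ interfaces (added example).

PIX syntax:  static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
A host on mapped_ifc reaches real_ip on real_ifc by sending to mapped_ip.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    real_ifc: str                    # interface where the real host lives (e.g. dmz)
    mapped_ifc: str                  # interface that sees the mapped address (e.g. dmz2)
    mapped: ipaddress.IPv4Network    # mapped address block
    real: ipaddress.IPv4Network      # real address block (same size as mapped)


def parse_static(line: str) -> Static:
    """Parse one 'static (a,b) mapped real netmask mask' line."""
    tokens = line.split()
    if len(tokens) != 6 or tokens[0] != "static" or tokens[4] != "netmask":
        raise ValueError(f"not a static statement: {line!r}")
    real_ifc, mapped_ifc = tokens[1].strip("()").split(",")
    mask = tokens[5]
    # strict=False lets a host address such as x.x.x.17/28 stand for its subnet
    mapped = ipaddress.ip_network(f"{tokens[2]}/{mask}", strict=False)
    real = ipaddress.ip_network(f"{tokens[3]}/{mask}", strict=False)
    return Static(real_ifc, mapped_ifc, mapped, real)


def mapped_address(statics, src_ifc, dst_ifc, dst_real):
    """Address a host on src_ifc must use to reach dst_real on dst_ifc.

    Returns None when no static covers dst_real in that direction.
    Identity statics (mapped == real) return dst_real unchanged.
    """
    addr = ipaddress.ip_address(dst_real)
    for s in statics:
        if s.real_ifc == dst_ifc and s.mapped_ifc == src_ifc and addr in s.real:
            offset = int(addr) - int(s.real.network_address)
            return str(s.mapped.network_address + offset)
    return None


def can_initiate(levels, statics, src_ifc, dst_ifc, dst_real):
    """Security-level rule: higher -> lower is allowed by default,
    lower -> higher needs a static that covers the destination.
    (An ACL is additionally required on a real PIX; not modelled.)"""
    if levels[src_ifc] > levels[dst_ifc]:
        return True
    return mapped_address(statics, src_ifc, dst_ifc, dst_real) is not None


# Constructed values mirroring the thread's scenario (not Dan's real config).
LEVELS = {"dmz": 50, "dmz2": 10}
DNS_SERVER_ON_DMZ = "192.168.120.24"

IDENTITY_STATIC = [parse_static(
    "static (dmz,dmz2) 192.168.120.0 192.168.120.0 netmask 255.255.255.0")]
NAT_STATIC = [parse_static(
    "static (dmz,dmz2) 192.168.130.26 192.168.120.24 netmask 255.255.255.255")]


if __name__ == "__main__":
    for name, statics in [("no static", []), ("identity", IDENTITY_STATIC), ("nat", NAT_STATIC)]:
        ok = can_initiate(LEVELS, statics, "dmz2", "dmz", DNS_SERVER_ON_DMZ)
        via = mapped_address(statics, "dmz2", "dmz", DNS_SERVER_ON_DMZ)
        print(f"{name:9s}: dmz2 -> DNS on dmz allowed={ok} reach it at {via}")
```

Running it shows why Dan's dmz2 servers could not resolve names: with no static in the (dmz,dmz2) direction the lookup fails, with the identity static the DNS server is reached at its real address, and with the one-to-one static it must be reached at the mapped 192.168.130.26 address instead.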
