PIX 501 ALIAS DNS issues

paarlberg
Level 1

I have 2 IP addresses from my provider: 1 is issued via PPPoE (static), the other is static as a NAMES. I am having issues with a Win2k DNS server behind the PIX communicating with a replication partner on the outside which is on a Win2k3 server. All initiations must come from the Win2k or zone transfers won't happen.

Also, I am having issues browsing from an internal system using the PPPOE address for NAT to the secondary IP on the external interface.

Below is my config. I think I cleaned all my VPN stuff out, but there might be something still there.

Any suggestions on how to best configure this?

I just received the second IP yesterday, prior to that DNS worked (as far as I can tell).

: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxx
hostname xxx
domain-name baspnet.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 HOME
name 192.168.1.20 WEB01
name 99.x.x.103 pix_outside
name 99.x.x.72 WEB01_OUT
object-group service mailserv tcp
  description US Hosting Server
  port-object eq ftp
  port-object eq pop3
  port-object eq imap4
  port-object eq www
  port-object eq smtp
  port-object eq 3389
  port-object eq domain
object-group service MSDNS tcp-udp
  port-object eq domain
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any object-group mailserv host WEB01_OUT object-group mailserv
access-list 101 permit udp any eq domain host WEB01_OUT eq domain
access-list outside_access_in permit tcp host WEB01_OUT host WEB01 object-group mailserv
access-list outside_access_in permit tcp any host WEB01_OUT object-group mailserv
access-list outside_access_in permit icmp any host WEB01_OUT
access-list outside_access_in permit tcp any host WEB01_OUT object-group MSDNS
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) WEB01_OUT WEB01 netmask 255.255.255.255 0 0
static (outside,inside) WEB01 WEB01_OUT dns netmask 255.255.255.255 0 0
access-group 101 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http HOME 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
telnet timeout 5
ssh HOME 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns WEB01
dhcpd wins 192.168.2.5
dhcpd lease 86400
dhcpd ping_timeout 1000
dhcpd domain baspnet.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end

6 Replies

Fernando_Meza
Level 7

Hi ... I think your access-lists are not correct ... you are currently using 101 on the outside interface, so you need to change it as below to allow access to your internal server:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any host WEB01_OUT object-group mailserv
access-list 101 permit udp any host WEB01_OUT eq domain

Also you need to remove the below static ... it does not make sense.

no static (outside,inside) WEB01 WEB01_OUT dns netmask 255.255.255.255

Where is access-list outside_access_in used in your config?

Which access-list is applied to the inside interface? It will need to be something like this:

access-list permit tcp host WEB01 any object-group mailserv
access-list permit tcp any any eq www
access-list permit tcp any any eq dns
access-list permit tcp any any eq 443

I hope it helps ... please rate it if it does !!

Thanks for your info. A little more info from my side.

I cleaned everything up and the access-list outside_access_in was removed.

The below ACL was based on info from Cisco's site for DNS doctoring.

static (outside,inside) WEB01 WEB01_OUT dns netmask 255.255.255.255

I have all my services back up except for DNS transfer from behind the PIX to a public server. I can't force a zone transfer remotely. It looks like all transfers are failing, even at the record level.

I created a new object group for the DNS part:

access-list 101 permit udp any host USWEB01_OUT object-group NS (is a TCP-UDP group for "domain" only)

I would really like to use the lower part of your suggestion, but it failed when I tried to use it.

Thanks

paarlberg
Level 1

Here is my updated config without any of my VPN, etc...

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name priv.priv.priv.20 WEB01
name pub.pub.pub.103 pix_outside
name pub.pub.pub.72 WEB01_OUT
object-group service mailserv tcp
  description US Hosting Server
  port-object eq ftp
  port-object eq pop3
  port-object eq imap4
  port-object eq www
  port-object eq smtp
  port-object eq 3389
object-group service NS tcp-udp
  description Name Servers
  port-object eq domain
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any host WEB01_OUT
access-list 101 permit tcp any host WEB01_OUT object-group mailserv
access-list 101 permit udp any host WEB01_OUT object-group NS
pager lines 24
logging console debugging
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside priv.priv.priv.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) WEB01_OUT WEB01 dns netmask 255.255.255.255 0 0
access-group 101 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http USHOME 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet timeout 5
console timeout 0

Hi ... for testing, can you change the below instruction to full one-to-one instead:

no static (inside,outside) WEB01_OUT WEB01 dns netmask 255.255.255.255 0 0
clear xlate
static (inside,outside) WEB01_OUT WEB01 netmask 255.255.255.255

Also, can you try modifying your access-list entry from

access-list 101 permit udp any host WEB01_OUT object-group NS

to

access-list 101 permit udp any host WEB01_OUT eq 53
access-list 101 permit tcp any host WEB01_OUT eq 53

See how you go !!!

I think the DNS portion is working. I am doing some zone transfers and other testing at the moment.

Now all I have left is to get the alias working.

Thanks..

paarlberg
Level 1

Can anyone help with the DNS rewrite portion. I cannot browse to an internal server using its mapped IP on the outside.

Internal: 192.168.1.x

Outside: 10.0.0.x

DNS server is on the same box with public IP addresses since it is replicating zone info to external servers.
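What the `dns` keyword on the `static` actually does, as an added illustration that is not part of the thread and not Cisco's code: a DNS reply from an outside resolver that passes through the static has its A records checked against the translation, and an answer carrying the mapped (outside) address is rewritten to the real (inside) address before it reaches the inside client. The client then connects to the inside address directly instead of trying to reach the outside address through the PIX, which a PIX 6.3 cannot hairpin back out the same interface. The Python model below builds a constructed DNS reply and applies that rewrite. The hostname `web01.example.test` and the addresses `203.0.113.72` (standing in for WEB01_OUT) and `192.168.1.20` (standing in for WEB01) are constructed placeholders; only the answer section and IPv4 A records are handled.

```python
"""Model of what the `dns` keyword on a PIX `static` does (DNS doctoring).

Added illustration, not code from the thread or from Cisco. A reply from an
outside DNS server that passes through the firewall has its A records checked
against the static translations: an answer carrying a mapped (outside) address
is rewritten to the real (inside) address before it reaches the inside client.
Addresses and the hostname below are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import struct

# Constructed stand-ins for the thread's WEB01_OUT -> WEB01 static (global -> local).
STATICS = {"203.0.113.72": "192.168.1.20"}


def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname: str, answers: list[str], ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS response: one A/IN question, one A/IN answer per address.
    Each answer name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
                   + ipaddress.IPv4Address(a).packed for a in answers)
    return header + question + rrs


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at `off` (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _a_rdata_offsets(msg: bytes):
    """Yield the offset of the 4-byte RDATA of every A/IN record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_addresses(msg: bytes) -> list[str]:
    """List the A-record addresses in the answer section, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4]))) for o in _a_rdata_offsets(msg)]


def doctor_response(msg: bytes, statics: dict[str, str]) -> bytes:
    """Apply DNS doctoring: rewrite A answers whose address is a mapped (global)
    address in `statics` to the matching real (local) address. Everything else,
    including TTLs and the transaction ID, is left byte-for-byte intact."""
    buf = bytearray(msg)
    for off in _a_rdata_offsets(buf):
        seen = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        if seen in statics:
            buf[off:off + 4] = ipaddress.IPv4Address(statics[seen]).packed
    return bytes(buf)


if __name__ == "__main__":
    # An outside resolver answers with the public address plus one unrelated record.
    reply = build_response("web01.example.test", ["203.0.113.72", "198.51.100.5"])
    print("from outside resolver:", answer_addresses(reply))
    print("after doctoring:      ", answer_addresses(doctor_response(reply, STATICS)))
```

The caveat that matters for the setup described in this thread: the rewrite is applied only to replies that actually cross the static. When inside clients are handed an inside DNS server (`dhcpd dns WEB01` above) and that server holds the public addresses in its own zone data, its answers never traverse the PIX, so the inside client receives the public address undoctored and the connection still has to be hairpinned. Either point inside clients at an outside resolver (so the replies are doctored), or serve a separate internal view of the zone with the private addresses.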
