PIX 501 and WIN2k DNS servers.

thomasw
Level 1

Hi forum,

Can you have both DNS servers (primary and secondary) on the inside interface of the PIX firewall with a private IP scheme (192.168.x.x) ?

I have been trying to do this, but the DNS servers are timing out when resolving names to IP addresses – the lookups are not going beyond the PIX.

I have set up conduits for UDP & TCP domain, but it is not working.

I configured static NATs for the two DNS servers.

Thanks

Thomas

3 Replies

jasobrown
Level 1

There is no reason that this can't work ... I am not sure exactly what your issue is, though?

Do you have primary and secondary DNS servers that are authoritative servers for your domain on the inside network, and are you trying to query a FQDN for your domain from the internet (i.e. www.yourdomain.com)? The only thing that you would need is to have a static and an access-list (conduit).

Regards,

Jason Brown

CCIE #10833
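The static-plus-conduit setup Thomas describes in his question and Jason refers to above, written out as a complete PIX 6.x configuration. This is an added example, not configuration from the thread, from Cisco, or from the PIX FAQ; every address is a constructed placeholder (inside DNS servers 192.168.1.10 and 192.168.1.11, public addresses from the 203.0.113.0/24 documentation range), and the access-list name outside_in is an assumed name. Comment lines use the leading colon that PIX 6.x saved configs use.

```text
: Added example (not from the thread): publish two inside DNS servers through a PIX 6.x.
: All addresses are constructed placeholders.
:
: 1. One-to-one static translations, so each DNS server has a fixed public address
:    and inbound packets to that address are translated to the inside host.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
:
: 2. Permit only DNS to those two public addresses: UDP 53 for normal queries,
:    TCP 53 for answers too large for UDP and for zone transfers.
:    Everything else arriving on the outside interface stays blocked.
access-list outside_in permit udp any host 203.0.113.10 eq domain
access-list outside_in permit tcp any host 203.0.113.10 eq domain
access-list outside_in permit udp any host 203.0.113.11 eq domain
access-list outside_in permit tcp any host 203.0.113.11 eq domain
access-group outside_in in interface outside
:
: Older conduit form of the same rules (use one style or the other, not both):
: conduit permit udp host 203.0.113.10 eq domain any
: conduit permit tcp host 203.0.113.10 eq domain any
: conduit permit udp host 203.0.113.11 eq domain any
: conduit permit tcp host 203.0.113.11 eq domain any
:
: 3. Outbound translation, so the DNS servers themselves can reach the root
:    servers or the ISP forwarders when they recurse. Without a nat/global pair
:    their outbound queries never leave the PIX and every lookup times out.
:    The statics above take precedence for the two DNS hosts, so their
:    outbound traffic keeps the fixed public addresses.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

To verify, `show access-list outside_in` should show the hit counters increasing while an outside client queries the servers, and `show xlate` should list the two static translations. Opening TCP 53 from any source means the DNS servers' own zone-transfer restrictions are what prevent an outsider from pulling the whole zone; the PIX rule only limits which ports are reachable, not which queries are answered.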

Philip D'Ath
VIP Alumni

If I had to take a guess, I would check to make sure you don't have a root (aka ".") domain defined. If you did, then the DNS servers would consider themselves to be the entire Internet, and not bother trying to query the real root servers.

If you do have a root domain defined, delete it. Then configure forwarders to point to your ISP's name servers.

Hint: If you are unable to configure forwarders, then you definitely have a root domain defined.

Hi all

I have found the answer in the PIX FAQs. Thanks for your help.

Thomas

If you have your own DNS server inside your network, this obviously won't work because the DNS lookup never traverses the PIX, so there's nothing to fix. In this case, configure your local DNS accordingly or use local 'hosts' files on your PCs to resolve this name. The other option is actually better because it is more reliable. Take the 99.99.99.x subnet off the PIX and router. Choose an RFC1918 numbering scheme not being used internally (or on any perimeter PIX interface). Then put a route statement back to the PIX for this network and remember to change your PIX default route outside to the new IP address on the router. The outside router will receive this packet and route it back to the PIX based on its routing table. The router will no longer ignore this packet, because it has no interfaces configured on that network.
