Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2093
Views
3
Helpful
24
Replies

PIX 501 DNS Resolution with static route

Go to solution
dylanvendlink
Level 1
Level 1

‎02-12-2004 04:14 AM - edited ‎02-20-2020 11:14 PM

I am using a pix 501.

I have an internal DNS server behind this pix that uses my ISPs DNS servers to resolve external domains.

I now want to host a web site from the same server.

In order to allow external access to the web server I add the following:

access-list outside_in_http permit tcp any host A.B.C.D eq www

static (inside,outside) A.B.C.D L.M.N.O netmask 255.255.255.255 0 0

access-group outside_in_http in interface outside

this is all well and good and allows web access. The problem is that the server can no longer resolve DNS queries.

How can I allow my server to resolve DNS again in a secure way. I imagine this is quite simple to achieve but I am having great difficulty in finding the solution.

thanks in advance

Dylan

0 Helpful
24 Replies 24

Go to solution
clark.d
Level 1
Level 1

‎02-16-2004 05:48 AM

Lets go to the beginning......from the server can you ping and outside device by IP only? Try this aaddres: 216.109.117.108.....does it reply?

0 Helpful

Go to solution
dylanvendlink
Level 1
Level 1
In response to clark.d

‎02-16-2004 06:16 AM

No. not from the server or any other internal ip address.

http does succeed from the server and ping does succeed from the outside interface in case these help.

0 Helpful

Go to solution
clark.d
Level 1
Level 1
In response to dylanvendlink

‎02-16-2004 06:32 AM

Can you ping inside interface from server? Is servers DG set to PIX inside address?

0 Helpful

Go to solution
dylanvendlink
Level 1
Level 1
In response to clark.d

‎02-16-2004 06:51 AM

yes on both counts

(assuming DG is default gateway)

0 Helpful

Go to solution
clark.d
Level 1
Level 1
In response to dylanvendlink

‎02-16-2004 06:42 AM

Add this to you access list to allow ping to outside but not from outside in....

access-list outside_acl permit icmp any any echo-reply

access-list outside_acl permit icmp any any time-exceeded

access-list outside_acl permit icmp any any unreachable

Go to solution
dylanvendlink
Level 1
Level 1
In response to clark.d

‎02-16-2004 07:28 AM

i can now ping the address you gave me.

i can also ping my isp's dns servers sucessfully

0 Helpful

Go to solution
clark.d
Level 1
Level 1
In response to dylanvendlink

‎02-16-2004 07:31 AM

On your server set dns IP to 67.38.230.69, then ping www.yahoo.com from command prompt....does that resovle?

0 Helpful

Go to solution
dylanvendlink
Level 1
Level 1
In response to clark.d

‎02-16-2004 08:44 AM

yes.

i added 67.38.230.69 at the top of the forwarders list and it seems to work fine.

0 Helpful

Go to solution
clark.d
Level 1
Level 1
In response to dylanvendlink

‎02-16-2004 08:52 AM

can you browser the web and everything OK now? The other clients, if pointed to server as DNS server should be working also....is this true?

0 Helpful

Go to solution
dylanvendlink
Level 1
Level 1
In response to clark.d

‎02-16-2004 09:42 AM

yes on all counts.

i have also checked it out with our back up server and that also is ok.

The incoming web stuff is also working properly.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card