I have a pair of failover Pix 515e running software (8.02) and I have six interfaces: outside, inside, inside2, DMZ1, DMZ2, failover.
DMZ2 contains our external DNS server that services DNS requests for our domain and several clients' domains that we host. We recently moved a client's dedicated server to DMZ2 and now DNS doesn't work between that server and our DNS server, because they are always looking to route to the external IP, but they are on the same switch and interface of the Pix.
What I need to know is how can I either route the traffic so it doesn't try to go out and back in or some solution for servicing DNS requests to outside and locally differently. Any help is greatly appreciated.
I've read your post a few times and am still a little confused. Could you rephrase what the actual problem is?
Sure. I have an external DNS server on DMZ2 that services outside DNS requests. So a DNS request comes in for ourcompany.com and we reply with x.y.z.123 (an externally routable IP). That's all working as it should.
We recently moved a web/email server to DMZ2, so it's now on the same switch as the DNS server mentioned above, and when it tries to query ourcompany.com to send email to us it fails because it is trying to connect to the outside IP of the server instead of the 10.0.x.x IP. How can I make this work?
If so, you should be able to accomplish this with hairpinning. This will allow the traffic to bounce off the DMZ2 interface and be destination NAT'd.
If your mail server IPs are as follows...
public ip = x.y.z.123
private ip = 10.0.x.x
same-security-traffic permit intra-interface
static (DMZ2,DMZ2) x.y.z.123 10.0.x.x netmask 255.255.255.255
global (DMZ2) 10 interface
nat (DMZ2) 10 0 0
Let me know if that helps.
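As an added illustration (not from this thread or from Cisco), the following toy model shows why the hairpin needs both pieces above: the static (DMZ2,DMZ2) supplies the destination translation, and same-security-traffic permit intra-interface allows the flow to leave on the interface it arrived on. The config text, address values and function names are constructed for the example; the real PIX packet path (routing, xlate order, ACL evaluation) has more steps than this.

```python
"""Toy model of the hairpin lookup: added example, not the poster's config or
Cisco code. Models only 'static (real_if,mapped_if) mapped real netmask ...'
lines and the 'same-security-traffic permit intra-interface' switch."""
import re
from dataclasses import dataclass

STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s*"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+\S+")
INTRA = "same-security-traffic permit intra-interface"

# Constructed sample using documentation addresses in place of x.y.z / 10.0.x.
SAMPLE_CONFIG = """
static (DMZ2,outside) 203.0.113.123 10.0.1.123 netmask 255.255.255.255
static (DMZ2,DMZ2) 203.0.113.123 10.0.1.123 netmask 255.255.255.255
"""

@dataclass(frozen=True)
class Static:
    real_if: str    # interface where the real (private) host lives
    mapped_if: str  # interface on which the mapped (public) address is seen
    mapped: str
    real: str

def parse_config(text):
    statics, intra = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == INTRA:
            intra = True
        elif (m := STATIC_RE.match(line)):
            statics.append(Static(m["real_if"], m["mapped_if"], m["mapped"], m["real"]))
    return statics, intra

def forward(ingress_if, dst, statics, intra):
    """A static whose mapped_if is the arrival interface and whose mapped
    address equals dst supplies the destination NAT; the packet then leaves
    toward real_if. Leaving on the arrival interface needs the intra permit."""
    for s in statics:
        if s.mapped_if == ingress_if and s.mapped == dst:
            if s.real_if == ingress_if and not intra:
                return ("drop", "intra-interface traffic not permitted", dst)
            return ("forward", s.real_if, s.real)
    # No matching static: treat the address as routed out 'outside' untranslated.
    return ("forward", "outside", dst)

if __name__ == "__main__":
    statics, intra = parse_config(SAMPLE_CONFIG)
    print(forward("DMZ2", "203.0.113.123", statics, intra))       # dropped: no intra permit
    print(forward("DMZ2", "203.0.113.123", statics, intra=True))  # hairpinned to 10.0.1.123
```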
I added the statics for both systems on DMZ2:
static (DMZ2,DMZ2) x.y.z.123 10.0.x.123 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.8 10.0.x.8 netmask 255.255.255.255
And now I'm seeing deny errors, something about an ACL:
2 106001 10.0.x.8 x.y.z.123 Inbound TCP connection denied from 10.0.x.8/33773 to x.y.z.123/25 flags SYN on interface DMZ2
Here's what I think is relevant:
global (outside) 200 interface
global (inside) 200 interface
global (DMZ1) 200 interface
global (inside2) 200 interface
global (DMZ2) 200 interface
nat (inside) 200 192.168.x.0 255.255.0.0
nat (DMZ1) 200 10.0.x.0 255.255.255.0
nat (inside2) 0 access-list inside2_outbound_nat0_acl
nat (inside2) 200 10.0.x.0 255.255.255.0
access-list DMZ2_access_in extended permit tcp host 10.0.x.8 any eq smtp
access-list DMZ2_access_in extended permit tcp host 10.0.x.123 any eq smtp
access-list outside_access_in extended permit tcp any host x.y.z.8 eq smtp
access-list outside_access_in extended permit tcp any host x.y.z.123 eq smtp
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ1_access_in in interface DMZ1
access-group inside2_access_in in interface inside2
access-group DMZ2_access_in in interface DMZ2
static (DMZ2,outside) x.y.z.8 10.0.x.8 netmask 255.255.255.255
static (DMZ2,outside) x.y.z.123 10.0.x.123 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.8 10.0.x.8 netmask 255.255.255.255
static (DMZ2,DMZ2) x.y.z.123 10.0.x.123 netmask 255.255.255.255
I did not add same-security-traffic permit intra-interface because I'm not sure what that will do to the rest of my traffic. Is there a way to only apply that access to DMZ2 and not all interfaces?
I did not add nat (DMZ2) 200 0 0. What will that do?
same-security-traffic permit intra-interface should not affect other traffic. It only allows traffic to enter and exit the same interface, which is what this situation needs. The packet will arrive at the DMZ2 interface with a destination address of x.y.z.123. The destination NAT statement will change that destination address to 10.0.x.123.
IMPORTANT QUESTION: I asked this before and you didn't answer. Is 10.0.x.123 also on DMZ2? If not, forget everything I put above.
From the look of your config it looks like 10.0.x.123 is on DMZ1?
If that is the case then you really only need...
static (DMZ2,DMZ1) x.y.z.8 10.0.x.8 netmask 255.255.255.255
static (DMZ2,DMZ1) x.y.z.123 10.0.x.123 netmask 255.255.255.255
Sorry, to answer your question: yes, both of these systems are on DMZ2. I will give this a try and let you know how it goes. Thanks for your help so far!
OK, this is mostly working now; the only problem I have is with DNS queries. The error I get is:
(inspect-dns-invalid-pak) DNS Inspect invalid packet
I know it has something to do with DNS inspection but I'm not sure what. Here's my inspection config:
policy-map type inspect dns migrated_dns_map_1
message-length maximum 513
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
same-security-traffic permit intra-interface
and then I tweaked the ACLs and NAT rules accordingly, and it is working for everything except DNS. But the DNS is not being dropped due to an ACL, but rather due to this inspection error.