
Cannot get traffic to flow into DMZ


loyalist (MIS), Jun 25, 2003
Hello,

Unable to get internal/external traffic into DMZ interface on PIX 515E 6.1(4). Have a cat3550 (Version 12.1(12c)EA1) with standard image directly connected to inside interface on pix. Three vlans/subnets on 3550, two vlans are for internal and one is for DMZ. Want to route internal vlans through 3550 to pix and then back into dmz vlan via pix. This should be possible however unable to get it to work and not sure if problem is 3550 or pix or combination of both. Vlans on 3550 have svi interface used as default gateway for users, then default route on 3550 to pix. This configuration currently works with just inside and outside interfaces by including dmz vlan traffic with internal traffic.

Essentially want users in uservlan1 & uservlan2 to access dmz via pix. DMZ vlan3 is directly connected to 3550. I want external users to be able to access web servers on dmz and dns server on inside.

Having problems moving traffic from internal interface to dmz, think problem is with nat and global. All traffic from inside is pat at external interface via:

global (outside) 1 interface
nat (inside) 1 10.100.50.0 255.255.255.0 0 0
nat (inside) 1 10.100.75.0 255.255.255.0 0 0
nat (inside) 1 10.100.100.0 255.255.255.0 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.100.50.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.100.75.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx 10.100.75.xxx netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.100.50.0 255.255.255.0 10.100.150.10 1
route inside 10.100.75.0 255.255.255.0 10.100.150.10 1
route inside 10.100.100.0 255.255.255.0 10.100.150.10 1

This configuration works using only the inside and outside interfaces, but want 10.100.75.0 subnet on DMZ and do not want to nat traffic between inside and dmz interfaces, however am willing to nat if I have to but can’t seem to get this to work either.
Have 2 web servers on dmz that need static translations to public addresses and internal dns server that needs to be accessible via internet as well. Have tried:

global (outside) 1 interface
nat (inside) 1 10.100.50.0 255.255.255.0 0 0
nat (inside) 1 10.100.100.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 10.100.50.0 10.100.50.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.100.100.0 10.100.100.0 netmask 255.255.255.0 0 0
static (dmz,outside) xxx.xxx.xxx.xxx 10.100.75.xxx netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.xxx 10.100.75.xxx netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.100.50.0 255.255.255.0 10.100.150.10 1
route dmz 10.100.75.0 255.255.255.0 10.100.75.1 1
route inside 10.100.100.0 255.255.255.0 10.100.150.10 1


Like I said, the above config works with the 3550 as long as I only use the two pix interfaces, however to try and route the dmz vlan through the 3550 I remove the svi interface (interface vlan75, 10.100.75.1) just to prevent the 3550 from moving the traffic to that subnet from within the switch and force it to go to the pix via the default gateway. Add an interface (switchport access vlan 75) on the 3550 to vlan75 that is directly connected to the pix dmz interface (which I re-IP to be 10.100.75.1). Just to be sure I add a route to the 3550 specifying 10.100.75.0 255.255.255.0 via the inside interface on the pix and add route dmz 10.100.75.0 255.255.255.0 10.100.75.1 1 to the pix. When I do this I can ping the .75.0 subnet from the pix but not from the 3550 or any workstations and for that matter when I do a show xlate or show log on the pix I don’t see anything referring to that subnet at all.

One other question, in my current two interface configuration I can’t seem to get dns traffic into the internal dns server, access list statement I have for this server is

Access-list 20 permit udp any host dnsserver eq domain

Am I missing something here, tried adding statement for tcp eq domain and this didn’t work either.

Any and all help is more than welcome. Please let me know if you need more information or more of the config.

Thanks,

Loyalist



 
You still need the vlan75 specification in your 3550, but don't give it an IP address. Then plug your PIX dmz connection into that vlan75, then plug another machine in there and see if your PIX can ping the machine. If so...

Write an access list to allow ip and icmp packets from anywhere to get to the 10.100.75.0 subnet. Something like:

access-list dmz permit ip any any
access-list dmz permit icmp any any
access-group dmz in interface dmz

Also, it would help if you post your whole config, minus your public ip addresses. Believe it or not, we are running here exactly like you want to run...same hardware and everything.
 
Thanks bwilliam13, in regards to leaving the vlan interface on the 3550 without the ip address, I have been doing that and just taking its address 10.100.75.1 and putting it onto the pix dmz interface, which puts it in the same subnet as the vlan. I can successfully ping the dmz interface and the dmz servers from the pix but can't reach them from the 3550 or a workstation in another vlan. I have been doing all the testing with a permit ip any any access list on all three pix interfaces. I think the problem is with the global and nat statements for the dmz interface, but not sure.

Here are the complete configs off the pix and 3550

Current configuration : 4490 bytes
!
!
!
version 12.1
no service single-slot-reload-enable
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname 3550
!
logging buffered informational
no logging console
enable secret 5 xxxxxxxxxx
!
clock timezone xxxx
!
vlan access-map map_1 10
action drop
match ip address xxxxxxxxx
ip subnet-zero
no ip source-route
ip routing
no ip domain-lookup
!
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
description connected to dmz_server
switchport access vlan 75
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/2
description connected to dmz_server
switchport access vlan 75
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/3
description connected to DMZ int PIX
no switchport
ip address 10.100.150.18 255.255.255.248
This is the interface I use to connect to the dmz interface on the pix, I have it ip'd now
as it was originally when I was using a separate subnet to connect the pix to the 3550 for
this interface. This didn't work, now when trying to get things to work, I take the ip
address off it and add switchport and then add it to vlan 75 via switchport access vlan 75.
!
interface FastEthernet0/4
description trunk to 2950
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
duplex full
speed 100
!
interface FastEthernet0/5
description connected to user
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface FastEthernet0/6
description connected to user
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface FastEthernet0/7
description temp connect to load balancer
switchport access vlan 50
no ip address
!
interface FastEthernet0/8
description connected to user
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface FastEthernet0/9
no ip address
!
interface FastEthernet0/10
no ip address
!
interface FastEthernet0/11
description connected to user
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface FastEthernet0/12
no ip address
!
interface FastEthernet0/13
description connected to user
switchport access vlan 100
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/14
description connected to user
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface FastEthernet0/15
description connected to user
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface FastEthernet0/16
no ip address
!
interface FastEthernet0/17
description connected to user
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface FastEthernet0/18
no ip address
!
interface FastEthernet0/19
description connected to server
switchport access vlan 125
no ip address
spanning-tree portfast
!
interface FastEthernet0/20
no ip address
!
interface FastEthernet0/21
description connected to server
switchport access vlan 125
no ip address
spanning-tree portfast
!
interface FastEthernet0/22
description connected to dmz_server
switchport access vlan 75
no ip address
!
interface FastEthernet0/23
description connected to inside int PIX 10.100.150.9
no switchport
ip address 10.100.150.10 255.255.255.248
duplex full
speed 100
!
interface FastEthernet0/24
no switchport
no ip address
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!
interface Vlan1
ip address 192.168.1.252 255.255.255.0
!
interface Vlan25
ip address 10.100.25.1 255.255.255.0
no ip route-cache
!
interface Vlan50
ip address 10.100.50.1 255.255.255.0
ip helper-address 10.100.150.254
no ip route-cache
!
interface Vlan75
ip address 10.100.75.1 255.255.255.0
no ip route-cache
This is the svi for vlan 75, all I do here is remove the address and leave the interface
designation. I put this address on interface dmz on the pix.
!
interface Vlan100
ip address 10.100.100.1 255.255.255.0
ip helper-address 10.100.50.254
no ip route-cache
!
interface Vlan125
ip address 10.100.125.1 255.255.255.0
no ip route-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.100.150.9
I add a route here just to be sure that the traffic knows how to get to the .75.0 subnet,
however I don't feel it should be necessary because without the svi all the traffic
leaving that subnet should take the default route to the pix. The route I add is
"ip route 10.100.75.0 255.255.255.0 10.100.150.9"
no ip http server
!
ip access-list extended dev_server
permit ip 10.100.25.0 0.0.0.255 10.100.125.0 0.0.0.255
permit ip 10.100.50.0 0.0.0.255 10.100.125.0 0.0.0.255
permit ip 10.100.75.0 0.0.0.255 10.100.125.0 0.0.0.255
This is from a vlan map I was trying to create to limit traffic into vlan 125, not working
correctly, will fix it later.
!
!
no cdp run
!
line con 0
password 7 100A38483A3B13095941
line vty 0 4
exec-timeout 0 0
password 7 15563A5D3B062A267D76
login
line vty 5 15
password 7 074B101D712518074257
login
!
!
monitor session 1 source interface Fa0/23
monitor session 1 source vlan 100 , 125 rx
monitor session 1 destination interface Fa0/24
end


PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security40
enable password xxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname xxxxx
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.100.75.12 dmz_server_no_outside_access_required
name 10.100.50.62 user
name xxx.xxx.xxx.xxx dmz_webserver1
name xxx.xxx.xxx.xxx internal_dnsserver
name xxx.xxx.xxx.xxx dmz_webserver2
access-list 20 permit tcp any host dmz_webserver1 eq 443
access-list 20 permit tcp any host dmz_webserver1 eq www
access-list 20 permit tcp any host dmz_webserver1 eq 22
access-list 20 permit tcp any host dmz_webserver2 eq www
access-list 20 permit tcp any host dmz_webserver2 eq 443
access-list 20 permit tcp any host internal_dnsserver eq 443
access-list 20 permit tcp any host internal_dnsserver eq www
access-list 20 permit tcp any host internal_dnsserver eq 22
access-list 20 permit udp any host internal_dnsserver eq domain
access-list 20 permit tcp any host dmz_webserver2 eq 22
access-list 10 permit ip any any
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 10.100.150.9 255.255.255.248
ip address dmz 10.100.150.17 255.255.255.248 (this changes to 10.100.75.1/24)
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.50.0 255.255.255.0 0 0
nat (inside) 1 10.100.75.0 255.255.255.0 0 0 (change to nat (dmz) 1 ???) or do I need a nat statement at all for this interface, at first did a global (dmz) 1 10.100.75.100-10.100.75.150 however this didn't work either.
nat (inside) 1 10.100.100.0 255.255.255.0 0 0
static (inside,outside) internal_dnsserver 10.100.50.254 netmask 255.255.255.255 0 0
static (inside,outside) dmz_webserver1 10.100.75.11 netmask 255.255.255.255 0 0 (change to static (dmz,outside))
static (inside,outside) dmz_webserver2 10.100.75.10 netmask 255.255.255.255 0 0 (change to static (dmz,outside))
access-group 20 in interface outside (apply access-group 10, permit ip any any, when testing)
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.100.50.0 255.255.255.0 10.100.150.10 1
route inside 10.100.75.0 255.255.255.0 10.100.150.10 1 (change this to route dmz 10.100.75.0 255.255.255.0 10.100.75.1)
route inside 10.100.100.0 255.255.255.0 10.100.150.10 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http user 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet user 255.255.255.255 inside
telnet user 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
terminal width 80
Cryptochecksum:173a13051dfea2aa2e620c8f9d83e533
PIX#

I have made so many changes and tried so many different things over the past couple of days, feel it's just a matter of getting the right combination and everything should work. Just struggling to find this "magic combo".

BTW, do you see anything wrong with my access list 20 in regards to DNS, for some reason no DNS traffic is getting in, or at least it's getting in but not getting back out(I see hits on that access list statement but it's not working correctly), do I need another access list statement on the inside interface for this?

Thanks for your help,

Loyalist
 
What happens when you try and ping something in the DMZ from the 3550?
 
I notice you don't have separate access lists for each interface. Here's an excerpt from our PIX:


nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 unused1 security10
nameif ethernet3 dmz1 security40
nameif ethernet4 unused3 security60
nameif ethernet5 VPN security10
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz1 in interface dmz1
access-list acl_outside permit tcp xxx.xxx.xxx.191 any eq www
access-list acl_inside permit ip any any
access-list acl_inside permit icmp any any
access-list acl_dmz1 permit icmp any any
ip address outside xxx.xxxx.xxx.130 255.255.255.128
ip address inside 10.1.0.129 255.255.0.0
ip address dmz1 10.0.2.129 255.255.255.0
global (outside) 5 xxx.xxx.xxx.191
global (dmz1) 1 interface
nat (inside) 5 10.1.0.0 255.255.0.0 0 0
nat (dmz1) 5 10.0.2.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
timeout xlate 0:05:00
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.1.2.0 255.255.255.0 inside
ssh 10.1.90.0 255.255.255.0 inside
ssh 10.1.5.0 255.255.255.0 inside
ssh 10.1.0.0 255.255.255.0 inside
ssh timeout 15


This is the basic config we started with. It has 3 specific access lists for the 3 interfaces. The internet router is .129. The inside router to the inside network is 10.1.0.130. The NIC of the inside interface of the PIX is 10.1.0.129. The dmz interface of the pix is 10.0.2.129. xxx.xxx.xxx.191 is a global PAT for outgoing NAT. xxx.xxx.xx.130 is the external interface of the PIX.

With this config, anyone on the inside can surf the net via www, anyone on the inside can access the DMZ by all IP/ICMP protocols and ports, and any machine in the DMZ can ping any machine on the inside interface.

I would fill in the missing rules in your PIX's ruleset and see if it makes a difference. Right now I see you only have one access list covering all interfaces of the PIX. That's alright to do on a system with just 2 interfaces, but when you start using more than 2, it gets to be a bitch to debug if you cannot separate rulesets/access lists from one another. I would make separate access lists for each interface to clear things up a bit.
 
Hi.

Keep it simple.
Is it applicable for you to use a dedicated switch for DMZ, instead of a specific VLAN?
It can make configuration, management and troubleshooting tasks easier, and therefore more secure and reliable.
In addition, such separation reduces the possible attack surface.

From the original post:
> Vlans on 3550 have svi interface used as default gateway for users
But what is the default gateway of DMZ hosts?
It should be the DMZ interface of the pix, and not the IP of the switch.

As a general tip - use logging on the pix (level 4 for denied traffic, or level 6 for allowed+denied traffic).
Syslog messages will give you valuable info for troubleshooting.
Some debug commands on the switch can help you complete the picture.

I didn't follow all the posts above so maybe I missed something, but a simple configuration for allowing traffic from inside to both dmz and outside is like this:
nat (inside) 1 0 0
global (dmz) 1 x.x.x.x //OR: global (dmz) 1 interface
global (outside) 1 x.x.x.x //OR: global (outside) 1 interface

Note the use of the same "nat ID" in all "global" statements.


Yizhar Hurwitz
 
Thanks for the input and I feel the pix is now correctly configured however the problem appears to be with the routing on the 3550, no matter what I do when I try and send traffic from the 3550 to the dmz vlan it stays local on the switch and will not go via the pix. I have removed the address from the interface vlan and even removed the interface and added a route for that network to go through the pix and still when I do an extended traceroute on the 3550 I see the traffic going directly to the vlan on the 3550, it does not leave the switch. This is why I don't see any translations on the pix for the dmz, the traffic never gets there! Wonder if putting another layer 3 interface on the 3550 and addressing it in the same subnet as the dmz vlan will force it to go out that interface?? Think Yizhar is correct in saying it would be much easier with an additional switch however I don't have one currently available so I need to make this configuration work. Bwilliam13, aren't you using a 3550 the same way I am? How are you making the traffic flow properly?
 
Well, something's funky with your 3550 switch config I think. If you don't specify an IP address or any routing for that VLAN, it should act like another switch...that's the whole purpose of VLANs. I don't think using another switch simplifies anything...it just takes your routing problem out of the equation. Upon first look, I cannot see why your traffic is flowing straight from one VLAN to another...it shouldn't be...we know this...and I know it's possible to use one switch for every VLAN--DMZ included--because it's the same setup we have. We're using the 3550 as a layer-3 routing switch and it works like you want it to.

I did not have time to look at the config of our 3550 before I left work yesterday...Monday morning I will.
 
I have finally gotten the traffic to flow properly, it looks like the arp cache wasn't clearing on the 3550. I rebooted the 3550 to clear the arp and then was able to see the traffic flowing into the pix. From there I could see in the logs that the traffic wasn't getting to the dmz interface because there was no translation configured on the inside interface for the subnet that connected the 2 devices. Added a nat statement for that subnet and everything worked fine. Strange because traffic was always able to get outside without a nat statement for this subnet.

Still have one remaining issue, when an external dns server on the outside queries our dns server on the inside the update does not get back out. I can see the udp traffic come in but nothing gets back out. Our dns server works fine for us internally and it is able to get updates from outside dns servers. Have put permit ip any any access-lists on both inside and outside interfaces to ensure that the current access-lists aren't the problem and it still doesn't work.

Any thoughts??
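The two points the thread turns on, Yizhar's note that a nat entry only yields a translation when a global with the same NAT ID exists on the egress interface, and the poster's finding that the 3550-to-PIX link subnet had no nat entry at all, can be seen in a small model of the PIX 6.x forwarding decision. This is an added illustration written for this thread, not Cisco code or anything from the posters; it models only flows from a higher- to a lower-security interface, uses the thread's addresses, and leaves the dmz interface without an access-group so the security-level default shows as well.

```python
"""Toy model of how a PIX 6.x handles a packet that enters one interface and
leaves another: reply-to-existing-connection check, the ingress interface's
inbound access-list (or the security-level default when none is applied), a
route lookup, then the NAT lookup (a nat/global pair sharing one NAT ID; nat 0
is identity).  Only higher-to-lower security flows are modelled.  Addresses
are the thread's; the model is an added illustration, not Cisco code."""
import ipaddress
from dataclasses import dataclass, field

Net, Addr = ipaddress.ip_network, ipaddress.ip_address


@dataclass
class Pix:
    security: dict                    # iface -> security level
    routes: list                      # (iface, network), connected nets included
    nat: list                         # (iface, nat_id, network); nat_id 0 = identity
    global_: list                     # (iface, nat_id, mapped addr or "interface")
    acls: dict = field(default_factory=dict)  # iface -> [(proto, src, dst, dport|None)]
    conns: set = field(default_factory=set)   # established connections

    def egress(self, dst):
        """Longest-prefix route lookup; returns the egress interface or None."""
        hits = [(Net(n).prefixlen, i) for i, n in self.routes if Addr(dst) in Net(n)]
        return max(hits)[1] if hits else None

    def acl_permits(self, in_if, out_if, proto, src, dst, dport):
        """First matching permit wins; no access-group => only high-to-low passes."""
        acl = self.acls.get(in_if)
        if acl is None:
            return self.security[in_if] > self.security[out_if]
        return any(p in (proto, "ip") and Addr(src) in Net(s) and Addr(dst) in Net(d)
                   and port in (None, dport) for p, s, d, port in acl)

    def translate(self, in_if, out_if, src):
        """Mapped address for src leaving out_if, or None ('no translation group')."""
        for iface, nat_id, net in self.nat:
            if iface != in_if or Addr(src) not in Net(net):
                continue
            if nat_id == 0:
                return src                   # nat 0: real address passes through
            for g_if, g_id, mapped in self.global_:
                if g_if == out_if and g_id == nat_id:
                    return f"{out_if}-interface" if mapped == "interface" else mapped
        return None                          # no nat for src, or no global on out_if

    def forward(self, in_if, proto, src, sport, dst, dport):
        """Return (verdict, reason) for one packet; ports are None for ICMP."""
        key = (proto, frozenset({(src, sport), (dst, dport)}))
        if key in self.conns:
            return "permit", "reply matches existing connection"
        out_if = self.egress(dst)
        if out_if is None or out_if == in_if:
            return "drop", "no route off-box"
        if not self.acl_permits(in_if, out_if, proto, src, dst, dport):
            how = "access-list" if in_if in self.acls else "security level"
            return "drop", f"denied by {how} on {in_if}"
        mapped = self.translate(in_if, out_if, src)
        if mapped is None:
            return "drop", f"no translation group found for {src} ({in_if} -> {out_if})"
        self.conns.add(key)
        return "permit", f"{src} -> {mapped} via {out_if}"


def build_pix(nat_for_link_subnet):
    """The thread's three-interface PIX.  The 3550-to-PIX link net 10.100.150.8/29
    gets a nat entry only when nat_for_link_subnet is True (the poster's fix); the
    dmz interface is left without an access-group so the default behaviour shows."""
    nat = [("inside", 1, "10.100.50.0/24"), ("inside", 1, "10.100.100.0/24"),
           ("dmz", 1, "10.100.75.0/24")]
    if nat_for_link_subnet:
        nat.insert(0, ("inside", 1, "10.100.150.8/29"))
    return Pix(security={"outside": 0, "inside": 100, "dmz": 40},
               routes=[("outside", "0.0.0.0/0"), ("inside", "10.100.150.8/29"),
                       ("dmz", "10.100.75.0/24"), ("inside", "10.100.50.0/24"),
                       ("inside", "10.100.100.0/24")],
               nat=nat, global_=[("outside", 1, "interface"), ("dmz", 1, "interface")],
               acls={"inside": [("ip", "0.0.0.0/0", "0.0.0.0/0", None)]})


if __name__ == "__main__":
    for fixed in (False, True):   # ping from the 3550's link address to a DMZ host
        print(fixed, build_pix(fixed).forward("inside", "icmp", "10.100.150.10",
                                              None, "10.100.75.10", None))
```

Swapping the nat list for `[("inside", 0, "0.0.0.0/0")]` shows the nat 0 identity path, and a dmz-sourced packet towards inside is dropped on security level alone because no access-group is applied there.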
 
Can you post your current config of the PIX with everything working except the DNS thing?

Don't you need to have an access list applied to allow UDP port 53 to the dns server? I don't see that in your previous config anywhere. You need to allow it on the outside interface as well as the inside. All the static command does is map the inside address to the outside. It's still up to an access list to specifically allow access to a certain port or protocol on the external interface or ip address.

Are you talking just DNS queries or actual updates and domain transfers?
 
The dns server is not responding to queries from outside. It does work internally and forwards queries to external dns servers however when one of the external dns servers attempts to query ours I can see the traffic come in, see the translation, however nothing comes back out. It just disappears. I did add access-list statements for domain on my inside interface this morning, and added a statement for tcp domain traffic to my outside interface and it still wouldn't work.

Here is my config:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security40
enable password ePHljFUCIEVyOBzQ encrypted
passwd mKjpNR.iP.gTbXrV encrypted
hostname pix
domain-name pix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.100.75.12 dmz_server_no_public_access
name 10.100.50.62 user
name xxx.xxx.xxx.xxx dmz_webserver1
name xxx.xxx.xxx.xxx internal_dns_server
name xxx.xxx.xxx.xxx dmz_webserver2
access-list 20 permit tcp any host dmz_webserver1 eq 443
access-list 20 permit tcp any host dmz_webserver1 eq www
access-list 20 permit tcp any host dmz_webserver1 eq 22
access-list 20 permit tcp any host dmz_webserver2 eq www
access-list 20 permit tcp any host dmz_webserver2 eq 443
access-list 20 permit tcp any host internal_dns_server eq 443
access-list 20 permit tcp any host internal_dns_server eq www
access-list 20 permit tcp any host internal_dns_server eq 22
access-list 20 permit udp any host internal_dns_server eq domain
access-list 20 permit tcp any host dmz_webserver2 eq 22
access-list 20 permit tcp any host internal_dns_server eq domain
access-list 10 permit ip any any
access-list 10 permit icmp any any
access-list 10 permit udp host internal_dns_server any eq domain
access-list 10 permit tcp host internal_dns_server any eq domain
access-list dmz permit icmp any any
access-list dmz permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered informational
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 10.100.150.9 255.255.255.248
ip address dmz 10.100.75.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.100.150.8 255.255.255.248 0 0
nat (inside) 1 10.100.25.0 255.255.255.0 0 0
nat (inside) 1 10.100.50.0 255.255.255.0 0 0
nat (inside) 1 10.100.100.0 255.255.255.0 0 0
nat (dmz) 1 10.100.75.0 255.255.255.0 0 0
static (inside,outside) internal_dns_server 10.100.50.254 netmask 255.255.255.255 0 0
static (dmz,outside) dmz_webserver1 10.100.75.10 netmask 255.255.255.255 0 0
static (dmz,outside) dmz_webserver2 10.100.75.11 netmask 255.255.255.255 0 0
access-group 20 in interface outside
access-group 10 in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.100.50.0 255.255.255.0 10.100.150.10 1
route inside 10.100.100.0 255.255.255.0 10.100.150.10 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http user 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet user 255.255.255.255 inside
telnet user 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
terminal width 80
Cryptochecksum:01c4262dbf4da3b09a3a39b66fcda3b6
 
Did you do a clear xlate? I noticed that your xlate timeout is 1 hour.

Is your DNS server set to resolve queries from the outside? Sometimes that functionality is set on the DNS server itself. In BIND, it's the directive called "match-clients".

Also, shouldn't the access-list for external match that of internal? Example:

You have:

access-list 10 permit udp host internal_dns_server any eq domain
access-list 10 permit tcp host internal_dns_server any eq domain

I believe it should read (for requests originating from outside):

access-list 10 permit udp any host internal_dns_server eq domain
access-list 10 permit tcp any host internal_dns_server eq domain

Otherwise, the query will stop at the translation...then the firewall will drop it because you're not letting "any host" query the internal server...you're only letting internal clients.
 
I clear xlate every time I do a config change. The reason I made the access list on the inside interface opposite is because the source and destination are different from the interface's perspective. On the outside I want anyone to be able to access the server inside, on the inside I only want that server to reply to anyone making the request. Anyway, I made a new access-list to try your theory and it still isn't working. In fact I have tried just about every combination in the access list because I was thinking it has something to do with the translations. We were doing tcp dump and interestingly we see the inbound dns request and we see the reply from our server and then the external client sends back a port unreachable using icmp???? Ever hear of this?
 
Hi.

> and then the external client sends back a port unreachable using icmp????
This is probably a REJECT action from the firewall on the remote side (either a firewall on the same remote DNS machine like IPTABLES or a firewall between the remote DNS server and your pix).
You should contact the remote DNS server administrator to ask for more info and try to troubleshoot together. Checking the firewall logs at remote side can help.

This page may help you understand the DNS guard of the pix:

Try to use a workstation connected to the Internet (not via the pix), and configured with your DNS server as primary and only DNS server. Can it resolve names?
This test can help you troubleshoot.


Yizhar Hurwitz
 