
Configuring a DNS server on the PIX DMZ 2


omalpas

Technical User
Aug 13, 2002
5
NZ
We have a DNS server which is used externally as well as internally.
Can we configure the PIX so that we can locate the DNS on the protected DMZ, so both the inside and outside can access it, or do we need to have the DNS server on the outside interface and use the alias command?
 
Hi, yes, you can put the DNS server in the DMZ.
Use the static and access-list commands so the outside can access this DMZ box; the inside already has full access to the DMZ by default.

 
HI.

Yes, you can and should put the DNS server in the DMZ and configure the PIX accordingly. Here is a simple sample:
DNS server = 10.1.1.1

static (dmz,outside) x.x.x.x 10.1.1.1
global (dmz) 1 10.1.1.5
nat (inside) 1 0 0
(PAT for internal clients access, you can also use NAT instead)
access-list fromoutside permit udp any host x.x.x.x eq 53
access-list fromoutside permit tcp any host x.x.x.x eq 53
access-group fromoutside in interface outside


And no, you should NOT place your DNS server on the outside, because you need to protect it.

However, you can consider placing the DNS server in the ISP's server farm, or delegating them to manage your registered domain and using your DNS server internally only.

Bye
Yizhar Hurwitz
 
I have a similar issue. I have the 3-port PIX 515E. I want to put the DNS server in the DMZ (10.0.1.0) as well as the web servers. I can't seem to get DNS queries from the DNS server on the DMZ (10.0.1.25) out to the Internet; nothing shows as denied in syslog.

1.)
What do I have to have set to allow outbound DNS queries from the DMZ to the Internet, and to allow the inbound DNS queries for our hosted domains back in?
2.)
Is there a way for the PIX to allow traffic from the 192.168.1.x (inside) network to ( using the external address (xx.xx.xx.80) mapped to the 10.0.1.80 address on the DMZ?
Example:
The web sites would all have 10.0.1.x addresses mapped to outside IPs (xx.xx.xx.xx). When an internal client on 192.168.1.0 tries to browse one of these sites, they would type in that would resolve as xx.xx.xx.50 and translate to 10.0.0.50. This doesn't work. Is it supposed to?


PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list 101 permit udp any host XX.XX.XX.25 eq domain
access-list 101 permit tcp any host XX.XX.XX.25 eq domain
access-list 101 deny ip any any
access-list 103 permit ip host 10.0.1.25 any
access-list 103 permit udp any host XX.XX.XX.25 eq domain
access-list 103 permit tcp any host XX.XX.XX.25 eq domain
ip address outside XX.XX.XX.254 255.255.255.0
ip address inside 192.168.1.253 255.255.255.0
ip address dmz 10.0.1.254 255.255.255.0
global (outside) 1 XX.XX.XX.160-XX.XX.XX.180 netmask 255.255.255.0
global (outside) 1 XX.XX.XX.100 netmask 255.255.255.0
global (dmz) 1 10.1.0.7
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) XX.XX.XX.25 10.0.1.25 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 102 in interface inside
access-group 103 in interface dmz
 
HI.

> I can't seem to get DNS queries from the DNS server on the DMZ (10.0.1.25) out to the internet
I don't know why.
Since you mentioned that the PIX does not seem to block that traffic, I suggest rechecking the server configuration (default gateway?),
and using syslog level 6 or debug commands on the PIX to see what's going on.

I think that for a configuration like yours, with a public DNS server on the DMZ, it is best to use public registered IP addresses in the DMZ with "nat (dmz) 0 0 0".
That way you will eliminate some of the problems mentioned.


Yizhar Hurwitz
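Both the sample configuration in Yizhar's first reply and the configuration posted by the second poster come down to the same three mechanisms: an inbound access-list bound to an interface with access-group, a static that maps a public address to a DMZ host, and the PIX rule that a static only applies between the two interfaces it names. The following script is an added example, not code from the thread or from Cisco; it parses the posted PIX 6.x lines (with the redacted XX.XX.XX prefix replaced by the constructed 203.0.113 documentation range) and reports, for each of the flows asked about, whether the policy permits it and which interface the PIX would forward it to. ACL 102 is bound to inside in the post but its contents are not shown, so inside is modeled with no ACL; the default route toward outside is likewise assumed, since the post does not show a route line.

```python
"""Added example, not from the thread: an offline evaluator for the PIX 6.x
access-list / access-group / static / ip address lines posted above.  It models
only what the post shows: first-match ACLs with an implicit deny, the PIX default
of permitting traffic toward a lower-security interface when no ACL is bound,
and static translations that apply only between the interface pair they name."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the redacted "XX.XX.XX" public prefix in the post
# (TEST-NET-3 documentation range, so the addresses parse but route nowhere).
PUBLIC = "203.0.113"

# The posted lines that matter for the two questions.  ACL 102 (bound to
# inside in the post) is not shown there, so inside is modeled with no ACL.
CONFIG = f"""
ip address outside {PUBLIC}.254 255.255.255.0
ip address inside 192.168.1.253 255.255.255.0
ip address dmz 10.0.1.254 255.255.255.0
access-list 101 permit udp any host {PUBLIC}.25 eq domain
access-list 101 permit tcp any host {PUBLIC}.25 eq domain
access-list 101 deny ip any any
access-list 103 permit ip host 10.0.1.25 any
access-list 103 permit udp any host {PUBLIC}.25 eq domain
access-list 103 permit tcp any host {PUBLIC}.25 eq domain
static (dmz,outside) {PUBLIC}.25 10.0.1.25 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 103 in interface dmz
"""

PORT_NAMES = {"domain": 53, "www": 80}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


@dataclass
class Static:
    real_ifc: str      # interface the real host lives on, e.g. dmz
    mapped_ifc: str    # interface where the mapped address is seen, e.g. outside
    mapped_ip: ipaddress.IPv4Address
    real_ip: ipaddress.IPv4Address


def parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_config(text):
    acls, groups, statics, ifaces = {}, {}, [], {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":             # access-list NAME ACTION PROTO SRC DST [eq PORT]
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, port))
        elif t[0] == "access-group":          # access-group ACL in interface IFC
            groups[t[4]] = t[1]
        elif t[0] == "static":                # static (real,mapped) MAPPED_IP REAL_IP ...
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            statics.append(Static(real_ifc, mapped_ifc,
                                  ipaddress.ip_address(t[2]), ipaddress.ip_address(t[3])))
        elif t[0] == "ip" and t[1] == "address":   # ip address IFC ADDR MASK
            ifaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
    return acls, groups, statics, ifaces


def check_flow(cfg, ingress, proto, src, dst, port):
    """Return (verdict, egress interface, destination after untranslation)."""
    acls, groups, statics, ifaces = cfg
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: inbound ACL on the ingress interface, first match wins, implicit deny.
    # With no ACL bound, the PIX permits traffic toward lower-security interfaces.
    verdict = "permit" if ingress not in groups else "deny"
    for ace in acls.get(groups.get(ingress), []):
        if (ace.proto in ("ip", proto) and src_ip in ace.src and dst_ip in ace.dst
                and (ace.port is None or ace.port == port)):
            verdict = ace.action
            break
    # Step 2: a static only untranslates packets arriving on its mapped interface.
    for s in statics:
        if s.mapped_ifc == ingress and s.mapped_ip == dst_ip:
            return verdict, s.real_ifc, str(s.real_ip)
    # Step 3: otherwise forward by route: a connected subnet, else the default
    # route toward outside (assumed; the post does not show its route line).
    egress = next((ifc for ifc, net in ifaces.items() if dst_ip in net), "outside")
    return verdict, egress, str(dst_ip)


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    # The flows the thread asks about; 198.51.100.x addresses are constructed.
    print(check_flow(cfg, "dmz", "udp", "10.0.1.25", "198.51.100.53", 53))        # DMZ DNS -> Internet
    print(check_flow(cfg, "outside", "udp", "198.51.100.7", f"{PUBLIC}.25", 53))  # Internet -> DMZ DNS
    print(check_flow(cfg, "inside", "tcp", "192.168.1.10", f"{PUBLIC}.25", 53))   # inside -> public address
```

The first two flows come back permitted, which matches the poster's observation that syslog shows nothing denied for the DMZ-to-Internet queries: the posted ACLs are not what blocks them. The third flow shows the answer to question 2: a packet from inside to the public address never matches the static (dmz,outside), because that static only untranslates packets arriving on outside, so the PIX routes it out the outside interface rather than to the DMZ host. That is the case the first post had in mind when it mentioned the alias command as the alternative.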
 