
DNS between two DMZ's


kerwinator

IS-IT--Management
Nov 11, 2002
9
US
Hey all, I am a firewall newbie. IT mgr out for a week and so I am trying to help our sql admin send emails from our production sql box. We have a PIX 515. We have a production sql box in dmz2 (SE15), and a production webserver which has dns in dmz1 (SE10). The smtp program on the sql box needs dns, so I am trying to open port 53 on dmz2. Right now very limited ports are open (like 1433) between dmz 1 and 2.

This is what I tried, which isn't working (a port scan doesn't show 53 open and the program says dns is inaccessible):

access-list dmz2acl permit tcp host (webserver ip) host (sql server ip) eq domain
access-list dmz2acl permit udp host (webserver ip) host (sql server ip) eq domain
access-list dmz2acl permit tcp host (sql server ip) host (webserver ip) eq domain
access-list dmz2acl permit udp host (sql server ip) host (webserver ip) eq domain

I also tried adding those 4 entries for dmz1acl.

Anything obvious I am missing? Do I need to open any other ports?

TIA
 
Oh, forgot to add, with those four dmz2acl entries, I am able to do nslookup using the webserver ip address, and resolve hostnames.
 
HI.

You can use syslog messages - they will give you more info.

Please post more info or the full pix config (see the FAQ or this forum for tips).

The commands you posted above seem reasonable, but without more details I can't find what's wrong. However, you need only 2 entries:
access-list dmz2acl permit tcp host (sql server ip) host (webserver ip) eq domain
access-list dmz2acl permit udp host (sql server ip) host (webserver ip) eq domain

Where webserver ip should be the private IP address of the server if it differs from the public IP.

What is the pix version?
What is the PDM version?

You can consider installing a caching DNS server on the SQL box itself.

Bye


Yizhar Hurwitz
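Why only two of the four entries matter: an ACL bound with `access-group NAME in interface IFACE` is evaluated only against packets that enter that interface, so entries on dmz2acl whose source is the dmz1 webserver can never match (that traffic enters on dmz1, where dmz1acl applies), and return traffic for a permitted connection is handled by the PIX's connection table rather than by a second entry. The script below is an added example, not code from the thread or from Cisco. It parses the `access-list`, `access-group` and `ip address` lines in the PIX syntax used on this page, evaluates a flow first-match against the ACL bound on its ingress interface, and flags entries whose source lies on another interface's subnet. The sample configuration is constructed from lines in the posted config plus the original four DNS entries with the addresses given later in the thread (webserver DNS 192.168.10.9, SQL server 192.168.11.2); the placeholder `xx.xx.xx.xx` lines are left out, and ingress is inferred from directly connected subnets only (an assumption: static routes such as 192.168.2.0/24 via inside are not consulted).

```python
import ipaddress

# Service keywords that appear in the posted PIX config, mapped to port numbers.
SERVICE_PORTS = {"domain": 53, "smtp": 25, "www": 80, "pop3": 110, "ftp": 21,
                 "syslog": 514, "netbios-ns": 137, "isakmp": 500}

# Constructed sample: a subset of the posted config plus the first post's four
# entries with the addresses given later in the thread (placeholder lines omitted).
CONFIG = [
    "ip address inside 192.168.1.1 255.255.255.0",
    "ip address dmz1 192.168.10.1 255.255.255.0",
    "ip address dmz2 192.168.11.1 255.255.255.0",
    "access-list dmz1acl permit tcp 192.168.10.0 255.255.255.0 host 192.168.11.2 eq 1433",
    "access-list dmz1acl permit tcp 192.168.10.0 255.255.255.0 any eq domain",
    "access-list dmz1acl permit udp 192.168.10.0 255.255.255.0 any eq domain",
    "access-list dmz2acl permit tcp host 192.168.11.2 host 192.168.1.4 eq smtp",
    "access-list dmz2acl permit tcp host 192.168.10.9 host 192.168.11.2 eq domain",
    "access-list dmz2acl permit udp host 192.168.10.9 host 192.168.11.2 eq domain",
    "access-list dmz2acl permit udp host 192.168.11.2 host 192.168.10.9 eq domain",
    "access-list dmz2acl permit tcp host 192.168.11.2 host 192.168.10.9 eq domain",
    "access-group dmz1acl in interface dmz1",
    "access-group dmz2acl in interface dmz2",
]

def _port(token):
    """Resolve a PIX port token ('domain', '1433', ...) to an integer."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)

def _address(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq P | range A B]'.
    Only destination-port operators are handled, which is all the posted config uses."""
    t = line.split()
    src, i = _address(t, 4)
    dst, i = _address(t, i)
    lo, hi = 0, 65535
    if i < len(t) and t[i] == "eq":
        lo = hi = _port(t[i + 1])
    elif i < len(t) and t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "ports": (lo, hi)}

def parse_config(lines):
    """Collect ACL entries, access-group bindings and directly connected interface subnets."""
    acls, bindings, ifaces = {}, {}, {}
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            ace = parse_ace(line)
            acls.setdefault(ace["acl"], []).append(ace)
        elif t[0] == "access-group":          # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
        elif t[:2] == ["ip", "address"]:      # ip address IFACE ADDR MASK
            ifaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
    return acls, bindings, ifaces

def ingress_interface(ifaces, ip):
    """Interface a packet from ip enters on: its directly connected subnet, else 'outside'.
    Simplification (assumption): static routes are not consulted."""
    for name, net in ifaces.items():
        if ip in net:
            return name
    return "outside"

def matches(ace, proto, src_ip, dst_ip, dport):
    """True if the 5-tuple is covered by this entry ('ip' covers every protocol)."""
    if ace["proto"] not in ("ip", proto):
        return False
    if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
        return False
    if proto in ("tcp", "udp"):
        lo, hi = ace["ports"]
        return lo <= dport <= hi
    return True

def evaluate(lines, proto, src, dst, dport=0):
    """First-match evaluation of the ACL bound inbound on the ingress interface.
    Returns (action, reason); an interface with no ACL yields 'no-acl', where the
    PIX falls back to its security-level rule instead."""
    acls, bindings, ifaces = parse_config(lines)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_interface(ifaces, src_ip)
    name = bindings.get(iface)
    if name is None:
        return ("no-acl", iface)
    for n, ace in enumerate(acls.get(name, []), start=1):
        if matches(ace, proto, src_ip, dst_ip, dport):
            return (ace["action"], f"{name} #{n}")
    return ("deny", f"{name} implicit deny")

def unreachable_entries(lines):
    """Entries whose source network lies entirely on a different interface's subnet:
    those packets never enter the bound interface, so the entry can never match."""
    acls, bindings, ifaces = parse_config(lines)
    dead = []
    for iface, name in bindings.items():
        for n, ace in enumerate(acls.get(name, []), start=1):
            if any(ace["src"].subnet_of(net) for other, net in ifaces.items() if other != iface):
                dead.append((name, n))
    return dead

if __name__ == "__main__":
    print(evaluate(CONFIG, "udp", "192.168.11.2", "192.168.10.9", 53))
    for name, n in unreachable_entries(CONFIG):
        print(f"{name} entry #{n} can never match on its bound interface")
```

Running it shows the SQL server's DNS queries to 192.168.10.9 permitted by dmz2acl entries 4 and 5, while entries 2 and 3 (source 192.168.10.9, which lives on dmz1) are reported as unreachable, which is the two-entries-not-four point above. The same evaluator can be pointed at any other flow in the posted config to check what the bound ACL actually does before consulting syslog.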
 
SQL server is 192.168.11.2, webserver is 192.168.10.0-9

PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security15
nameif ethernet4 dmz3 security5
nameif ethernet5 dmz4 security25
enable password nnnZt.G7iqOLzvzW encrypted
passwd vOMW7aY32w24mBGU encrypted
hostname amcorfwl01
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol rsh 514
no fixup protocol smtp 25
names
access-list dmz1acl permit udp 192.168.10.0 255.255.255.0 host 192.168.1.21 eq syslog
access-list dmz1acl permit udp 192.168.10.0 255.255.255.0 host 192.168.11.2 eq netbios-ns
access-list dmz1acl permit icmp any any
access-list dmz1acl permit tcp 192.168.10.0 255.255.255.0 host 192.168.11.2 eq 1433
access-list dmz1acl permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list dmz1acl permit tcp 192.168.10.0 255.255.255.0 any eq domain
access-list dmz1acl permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list dmz1acl permit tcp 192.168.10.0 255.255.255.0 any eq smtp
access-list ipsec permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list dmz2acl permit udp 192.168.11.0 255.255.255.0 host 192.168.1.21 eq syslog
access-list dmz2acl permit udp host 192.168.11.2 host 192.168.1.16 range 5000 5020
access-list dmz2acl permit udp host 192.168.11.2 host 192.168.1.16 eq 135
access-list dmz2acl permit tcp host 192.168.11.2 host 192.168.1.16 range 5000 5020
access-list dmz2acl permit tcp host 192.168.11.2 host 192.168.1.16 eq 135
access-list dmz2acl permit udp host 192.168.11.2 host 192.168.1.55 range 5000 5020
access-list dmz2acl permit tcp host 192.168.11.2 host 192.168.1.55 eq 135
access-list dmz2acl permit tcp host 192.168.11.2 host 192.168.1.55 range 5000 5020
access-list dmz2acl permit udp host 192.168.11.2 host 192.168.1.55 eq 135
access-list dmz2acl permit icmp any any
access-list dmz2acl permit tcp host 192.168.11.2 host 192.168.1.4 eq smtp
access-list dmz2acl permit udp host 192.168.11.2 host 192.168.10.9 eq domain
access-list dmz2acl permit tcp host 192.168.11.2 host 192.168.10.9 eq domain
access-list outacl permit icmp any any
access-list outacl permit tcp any host xx.xx.xx.xx eq smtp
access-list outacl permit tcp any host xx.xx.xx.xx eq pop3
access-list outacl permit tcp any host xx.xx.xx.xx eq 1723
access-list outacl permit gre any host xx.xx.xx.xx
access-list outacl permit esp any host xx.xx.xx.xx
access-list outacl permit udp any host xx.xx.xx.xx eq isakmp
access-list outacl permit udp any host xx.xx.xx.xx eq 1701
access-list outacl permit tcp any host xx.xx.xx.xx eq www
access-list outacl permit tcp any host xx.xx.xx.xx eq 443
access-list outacl permit tcp any host xx.xx.xx.xx eq www
access-list outacl permit tcp any host xx.xx.xx.xx eq 443
access-list outacl permit udp any host xx.xx.xx.xx eq domain
access-list outacl permit tcp any host xx.xx.xx.xx eq domain
access-list outacl permit tcp any host xx.xx.xx.xx eq ftp
access-list outacl permit udp host xx.xx.xx.xx host xx.xx.xx.153 eq syslog
access-list outacl permit tcp xx.xx.xx.xx 255.255.0.0 host xx.xx.xx.xx range 8194 8294
access-list outacl permit tcp xx.xx.xx.xx 255.255.255.0 host xx.xx.xx.xx range 8194 8294
access-list outacl permit tcp xx.xx.xx.xx 255.255.255.0 host xx.xx.xx.xx range 8194 8294
access-list outacl permit tcp xx.xx.xx.xx 255.255.255.128 host xx.xx.xx.xx range 8194 8294
access-list outacl permit tcp xx.xx.xx.xx 255.255.0.0 host xx.xx.xx.xx range 1025 6000
access-list outacl permit tcp xx.xx.xx.xx 255.255.255.0 host xx.xx.xx.xx range 1025 6000
access-list outacl permit tcp xx.xx.xx.xx 255.255.255.0 host xx.xx.xx.xx range 1025 6000
access-list outacl permit tcp xx.xx.xx.xx 255.255.255.128 host xx.xx.xx.xx range 1025 6000
access-list outacl permit udp xx.xx.xx.xx 255.255.0.0 host xx.xx.xx.xx range 48129 48192
access-list outacl permit udp xx.xx.xx.xx 255.255.255.0 host xx.xx.xx.xx range 48129 48192
access-list outacl permit udp xx.xx.xx.xx 255.255.255.0 host xx.xx.xx.xx range 48129 48192
access-list outacl permit udp xx.xx.xx.xx 255.255.255.128 host xx.xx.xx.xx range 48129 48192
access-list outacl permit tcp host xx.xx.xx.xx xx.xx.xx.xx 255.255.255.248 eq 1723
access-list outacl permit gre host xx.xx.xx.xx xx.xx.xx.xx 255.255.255.248
access-list ipsec2 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
logging standby
no logging console
no logging monitor
no logging buffered
logging trap debugging
no logging history
logging facility 20
logging queue 512
logging host inside 192.168.1.21
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside xx.xx.xx.xx 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address dmz1 192.168.10.1 255.255.255.0
ip address dmz2 192.168.11.1 255.255.255.0
ip address dmz3 192.168.100.1 255.255.255.0
ip address dmz4 192.168.12.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
failover ip address dmz3 0.0.0.0
failover ip address dmz4 0.0.0.0
arp timeout 14400
global (outside) 1 xx.xx.xx.162-xx.xx.xx.249
global (outside) 1 xx.xx.xx.155
global (dmz1) 1 192.168.10.10-192.168.10.254 netmask 255.255.255.0
global (dmz2) 1 192.168.11.10-192.168.11.254 netmask 255.255.255.0
global (dmz3) 1 192.168.100.10-192.168.100.254 netmask 255.255.255.0
global (dmz4) 1 192.168.12.10-192.168.12.254 netmask 255.255.255.0
nat (inside) 0 access-list ipsec
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz3) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.xx 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.xx 192.168.1.6 netmask 255.255.255.255 0 0
static (dmz1,outside) xx.xx.xx.xx 192.168.10.2 netmask 255.255.255.255 0 0
static (dmz1,outside) xx.xx.xx.xx 192.168.10.3 netmask 255.255.255.255 0 0
static (dmz2,dmz1) 192.168.11.2 192.168.11.2 netmask 255.255.255.255 0 0
static (dmz1,outside) xx.xx.xx.xx 192.168.10.9 netmask 255.255.255.255 0 0
static (dmz1,outside) xx.xx.xx.xx 192.168.10.4 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.153 192.168.1.21 netmask 255.255.255.255 0 0
static (inside,dmz1) 192.168.1.21 192.168.1.21 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.1.21 192.168.1.21 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.1.16 192.168.1.16 netmask 255.255.255.255 0 0
static (dmz4,outside) xx.xx.xx.xx 192.168.12.50 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.1.55 192.168.1.55 netmask 255.255.255.255 0 0
static (inside,dmz1) 192.168.1.4 192.168.1.4 netmask 255.255.255.255 0 0
static (dmz3,outside) xx.xx.xx.250 192.168.100.100 netmask 255.255.255.255 0 0
static (dmz3,outside) xx.xx.xx.251 192.168.100.101 netmask 255.255.255.255 0 0
static (dmz3,outside) xx.xx.xx.252 192.168.100.102 netmask 255.255.255.255 0 0
static (dmz3,outside) xx.xx.xx.253 192.168.100.103 netmask 255.255.255.255 0 0
static (dmz3,outside) xx.xx.xx.254 192.168.100.104 netmask 255.255.255.255 0 0
access-group outacl in interface outside
access-group dmz1acl in interface dmz1
access-group dmz2acl in interface dmz2
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 192.168.2.0 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.26 /PIXConfig
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
service resetinbound
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address ipsec
crypto map mymap 10 set peer xx.xx.xx.xx
crypto map mymap 10 set transform-set myset
crypto map mymap 15 ipsec-isakmp
crypto map mymap 15 match address ipsec2
crypto map mymap 15 set peer xx.xx.xx.xx
crypto map mymap 15 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ipsecamchi$ address xx.xx.xx.xx netmask 255.255.255.255
isakmp key ipsecamsmo$ address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 28800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 45
ssh timeout 5
terminal width 100
Cryptochecksum:4f7974de33b69c742c875fdff74e43ad
amcorfwl01(config)#
 
I also looked at our syslogs and didn't see anything, but I am not sure if that only monitors traffic coming in and out of the outside interface. My traffic is between two DMZs.
 