DSL with PIX 1

Status
Not open for further replies.

jphloyd

Programmer
Feb 26, 2002
3
US
This is my first experience with a cisco firewall. I have a small office with bellsouth dsl. I was using ICS for internet sharing, but have added some new equipment and wanted to put everything behind a good firewall, so I got the Pix 506. I have the DSL modem hooked into a Linksys DSL Router, then into the Pix and from the Pix into a Cisco Switch. I run static IP addresses on all of the machines. I have gotten as far as being able to ping any internet address from the inside machines, but cannot ping using the name. I also cannot get Internet Explorer to go to the page using the IP address. Any help or idea putting me in the right direction will help. Certainly I am not the first person to use this configuration.

Thanks in advance
James Floyd
 
Have you configured the client machines with at least two DNS server addresses in TCP/IP properties?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Hi,

Did you permit the DNS access in the Cisco PIX firewall???

If not, you can do this with the access-list command permitting the tcp connection at port 53.

Success!!!!

Aytac, CCNA
 
Provided that you haven't applied any outbound restrictions, DNS should be allowed out anyway. The outgoing connection on port 53 will be allowed by ASA (higher security level to a lower security level) and an entry will be placed in the state table of the PIX for that connection, allowing the incoming reply back in. DNS Guard should ensure that the connection is closed after the first DNS server replies to the request. This is to make sure that no other UDP packets can get into your network on the "coat tails" of the genuine DNS reply.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
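To make the state-table behaviour Chris describes concrete, here is a small simulation written for this thread; it is not code from the original post, from Cisco, or from the PIX itself. It models an outbound UDP/53 query from a higher-security interface opening a state entry keyed on the 5-tuple, the first matching reply closing that entry when DNS Guard is on, and any later datagram that merely matches the same tuple being dropped. Interface names, security levels, addresses and ports are all constructed, and the model ignores idle timeouts and the real PIX's transaction-ID tracking.

```python
"""Simplified model of PIX stateful handling of outbound DNS with DNS Guard.

Added example for illustration only. Addresses (192.168.1.10 for an inside
client, 203.0.113.53 for an ISP resolver) and interface security levels are
constructed; the real PIX additionally matches the DNS transaction ID and
applies a UDP idle timeout, neither of which is modelled here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class PixLite:
    # Constructed security levels: inside is trusted, outside is not.
    SECURITY = {"inside": 100, "outside": 0}

    def __init__(self, dns_guard=True):
        self.dns_guard = dns_guard
        self.state = set()   # entries are 5-tuples of the original outbound packet
        self.log = []

    @staticmethod
    def _key(pkt):
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    @staticmethod
    def _reverse_key(pkt):
        # The tuple the original outbound packet would have had.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def forward(self, pkt, ingress, egress):
        """Return True if the packet is passed, False if it is dropped."""
        if self.SECURITY[ingress] > self.SECURITY[egress]:
            # Higher to lower security: permitted by default, record state.
            key = self._key(pkt)
            self.state.add(key)
            self.log.append(f"OPEN  {key}")
            return True
        # Lower to higher security: only packets matching existing state pass.
        rkey = self._reverse_key(pkt)
        if rkey not in self.state:
            self.log.append(f"DROP  {self._key(pkt)} (no matching state)")
            return False
        if self.dns_guard and pkt.proto == "udp" and pkt.src_port == 53:
            # DNS Guard: the first reply tears the entry down immediately,
            # so nothing else can ride in on the same tuple.
            self.state.discard(rkey)
            self.log.append(f"CLOSE {rkey} (DNS Guard)")
        else:
            self.log.append(f"PASS  {self._key(pkt)} (existing state)")
        return True


def demo(dns_guard=True):
    """Query, genuine reply, then a second datagram on the same tuple."""
    fw = PixLite(dns_guard)
    query = Packet("192.168.1.10", 40000, "203.0.113.53", 53)   # constructed
    reply = Packet("203.0.113.53", 53, "192.168.1.10", 40000)   # constructed
    return [
        fw.forward(query, "inside", "outside"),
        fw.forward(reply, "outside", "inside"),   # the real answer
        fw.forward(reply, "outside", "inside"),   # "coat-tail" datagram
    ]


if __name__ == "__main__":
    print("DNS Guard on :", demo(True))    # third datagram dropped
    print("DNS Guard off:", demo(False))   # third datagram still passes
```

With DNS Guard on the third datagram is dropped because the state entry no longer exists; with it off the entry stays until the idle timeout (not modelled), which is exactly the window Chris is describing. Note that even without DNS Guard, a packet from a different source address or port never matches the entry, since the state is keyed on the full 5-tuple.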
 
Well, thanks for the responses, but I found that my problem was that I had enabled access lists for icmp for troubleshooting and that (I believe) shut down all other ports. I rewrote the configuration without any access list commands and was able to get to the internet using the DNS server address of my isp on the client machines. Now, however, I cannot get the clients to use my internal DNS server for my WIN 2K domain. For whatever reason, Windows is only using the first DNS server listed in tcp/ip properties. If I put the external DNS server first, I can resolve names on the internet, but not inside, and if I reverse the order of the DNS servers, I can resolve inside names, but not outside. Any ideas?

Again, thanks for the replies,
James Floyd
 
Hi.

Configure all clients and servers to use the internal W2K DNS server.

Open the DNS console on the server and do the following:
* Delete the root zone, shown as a "." (period).
YES, delete it, it's ok.
This will tell the server that it is not a root server and will allow it to resolve external addresses using external DNS servers.

* Configure the DNS server with your ISP DNS servers as Forwarders. This can improve performance.

Bye
Yizhar Hurwitz
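The following toy model, written for this thread and not taken from any of the posts or from Windows 2000 itself, shows why Yizhar's two steps fix James's symptom. A server that still hosts the "." zone believes it is a root server, so any name outside its own zones gets a final NXDOMAIN and is never forwarded; once "." is gone and the ISP servers are listed as forwarders, the same server answers both internal and external names. The client half reproduces James's observation that whichever server is listed first decides the outcome: a negative answer is treated as final, and the next server is only tried when the first gives no answer at all. All zone data, host names and addresses are constructed.

```python
"""Toy model of a W2K-style DNS server with and without the root zone,
plus the client ordering problem from the thread. Added example; names
(corp.example, example.com), addresses and zone contents are constructed.
"""

NXDOMAIN, SERVFAIL = "NXDOMAIN", "SERVFAIL"


class DnsServer:
    """zones: {zone: {fqdn: ip}} this server is authoritative for.
    hosts_root_zone: True while the "." zone exists (the W2K default),
    meaning the server thinks it is a root server and never forwards.
    forwarders: other DnsServer objects asked for names outside its zones."""

    def __init__(self, zones, hosts_root_zone=False, forwarders=()):
        self.zones = zones
        self.hosts_root_zone = hosts_root_zone
        self.forwarders = list(forwarders)

    def resolve(self, name):
        for zone, records in self.zones.items():
            if name == zone or name.endswith("." + zone):
                return records.get(name, NXDOMAIN)   # authoritative: final
        if self.hosts_root_zone:
            return NXDOMAIN   # "I am the root and have never heard of it"
        for fwd in self.forwarders:
            answer = fwd.resolve(name)
            if answer not in (NXDOMAIN, SERVFAIL):
                return answer
        return SERVFAIL if self.forwarders else NXDOMAIN


class Client:
    """Resolver that, like the Windows clients in the thread, accepts any
    answer from the first server (even a negative one) as final and only
    moves on when a server gives no answer at all (modelled as None)."""

    def __init__(self, servers):
        self.servers = servers

    def resolve(self, name):
        for server in self.servers:
            if server is None:          # constructed stand-in for "no reply"
                continue
            return server.resolve(name)
        return SERVFAIL


# Constructed data: the ISP resolver knows public names, the internal
# server is authoritative for the Windows 2000 domain.
ISP = DnsServer({"example.com": {"www.example.com": "203.0.113.80"}})
INTERNAL_RECORDS = {"fileserver.corp.example": "192.168.1.5"}
NAMES = ("www.example.com", "fileserver.corp.example")


def external_first():
    """Root zone still present; clients list the ISP server first."""
    internal = DnsServer({"corp.example": INTERNAL_RECORDS}, hosts_root_zone=True)
    client = Client([ISP, internal])
    return {n: client.resolve(n) for n in NAMES}


def internal_first():
    """Root zone still present; clients list the internal server first."""
    internal = DnsServer({"corp.example": INTERNAL_RECORDS}, hosts_root_zone=True)
    client = Client([internal, ISP])
    return {n: client.resolve(n) for n in NAMES}


def after_fix():
    """Root zone deleted, ISP added as forwarder, clients use internal only."""
    internal = DnsServer({"corp.example": INTERNAL_RECORDS}, forwarders=[ISP])
    client = Client([internal])
    return {n: client.resolve(n) for n in NAMES}


if __name__ == "__main__":
    print("ISP first      :", external_first())
    print("internal first :", internal_first())
    print("after fix      :", after_fix())
```

Running the three scenarios reproduces the thread: with the ISP listed first the internal name fails, with the internal server first the public name fails, and after deleting "." and adding the forwarder the single internal server answers both. The model also makes the security-relevant side effect visible: once the internal server forwards, it trusts whatever the forwarder returns for every name outside its own zones, so the forwarder list should contain only the ISP servers you intend to rely on.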
 
EUREKA!!!

Yes, I just added a forward lookup zone to my internal DNS server to point to their DNS server and VOILA!! No reconfiguration was needed on any client machines.

Thanks so much

James Floyd
 