
External DNS

Status
Not open for further replies.

Mikecl (MIS), Oct 7, 1999, GB
Currently my internal users access the web through a Bay firewall. I have just installed a PIX, and when I try and resolve web sites it fails. I would like to use the external DNS same as before. Presumably I need to stop the PIX translating the internal to external address for the external DNS server. I am using 5.3; has anyone got a part of a config that shows what needs to be done to get this to work?

 
The PIX should not stop you from resolving DNS. When your client PC connects out through the firewall its internal address should be translated to a routable live IP address. This will be the source address for the client/server connection to the DNS server. This doesn't affect the DNS server in any way.

The PIX uses ASA (Adaptive Security Algorithm) to maintain stateful information about outgoing connections. So, the outgoing connection to the DNS server will cause an entry to be placed in the state table. The incoming reply from the DNS server will be matched up with the state table entry and will then be allowed through to the client.

Could you provide an edited config?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Thanks for the response

I have attached an edited PIX config. I would have thought you would need some DNS settings?



PIX Version 5.3(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
nameif ethernet3 dmz2 security40
nameif ethernet4 dmz3 security60
nameif ethernet5 failover security10

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list ping_acl permit icmp any any
access-list acl_out permit icmp any any
access-list acl_dmz2 permit icmp any any
access-list acl_dmz2 permit tcp host 140.1.3.201 host 140.3.2.201
access-list acl_dmz2 permit udp host 140.1.3.201 host 140.3.2.201
access-list acl_dmz2 permit icmp 140.1.3.0 255.255.255.0 host 140.1.26.21
access-list acl_dmz2 permit tcp 140.1.3.0 255.255.255.0 host 140.1.26.21 eq www
access-list acl_dmz2 permit tcp 140.1.3.0 255.255.255.0 host 140.3.1.22 eq telnet
access-list acl_dmz2 permit tcp 140.1.3.0 255.255.255.0 host 140.3.2.200 eq telnet
access-list acl_dmz2 permit tcp 140.1.3.0 255.255.255.0 host 140.3.2.206 eq telnet
access-list acl_dmz2 permit tcp 140.1.3.0 255.255.255.0 host 140.1.49.32 eq telnet
access-list acl_dmz2 permit udp 140.1.3.0 255.255.255.0 host 140.1.49.32
access-list acl_dmz2 permit udp 140.1.3.0 255.255.255.0 host 140.1.40.10
access-list acl_dmz2 permit udp 140.1.3.0 255.255.255.0 host 140.1.26.21
access-list acl_dmz2 permit tcp 140.1.3.0 255.255.255.0 host 140.1.49.33
access-list acl_dmz2 permit udp 140.1.3.0 255.255.255.0 host 140.1.30.10 eq dnsix
access-list acl_dmz2 permit tcp 140.1.3.0 255.255.255.0 host 140.1.40.10 eq 139
access-list acl_dmz2 permit tcp 140.1.3.0 255.255.255.0 host 140.1.26.21 eq 139
access-list acl_dmz2 permit gre host 172.16.3.2 host 140.1.29.16
access-list acl_dmz2 permit tcp host 140.1.3.74 host 140.1.49.32
access-list acl_dmz2 permit tcp host 140.1.3.75 host 140.1.49.32
access-list acl_dmz2 permit tcp host 140.1.3.78 host 140.3.1.22
access-list acl_dmz2 permit udp host 140.1.3.78 host 140.3.1.22
access-list acl_dmz2 permit udp host 140.1.3.75 host 140.1.49.32
access-list acl_dmz2 permit udp host 140.1.3.74 host 140.1.49.32
access-list acl_dmz2 permit tcp host 140.1.3.79 host 140.1.49.32
access-list acl_dmz2 permit tcp host 140.1.3.68 host 140.1.49.33
access-list acl_dmz2 permit udp host 140.1.3.68 host 140.1.49.33
access-list acl_dmz2 permit tcp host 140.1.3.69 host 140.1.49.33
access-list acl_dmz2 permit udp host 140.1.3.69 host 140.1.49.33
pager lines 24
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
logging trap debugging
no logging history
logging facility 20
logging queue 512
logging host inside 140.1.44.45
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 100full
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu failover 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.224
ip address inside 140.1.50.10 255.255.255.0
ip address dmz1 172.16.2.10 255.255.255.0
ip address dmz2 172.16.3.10 255.255.255.0
ip address dmz3 172.16.4.10 255.255.255.0
ip address failover 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside xxx.xxx.xxx.xxx
failover ip address inside 140.1.50.11
failover ip address dmz1 172.16.2.11
failover ip address dmz2 172.16.3.11
failover ip address dmz3 172.16.4.11
failover ip address failover 172.16.1.2
failover link failover
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.170-xxx.xxx.xxx.190 netmask 255.255.255.224
global (outside) 1 xxx.xxx.xxx.xxx
global (dmz1) 1 172.16.2.20-172.16.2.230 netmask 255.255.255.0
global (dmz2) 1 172.16.3.20-172.16.3.230 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 194.6.96.3 140.1.49.25 255.255.255.255
static (inside,dmz2) 140.3.2.206 140.3.2.206 netmask 255.255.255.255 0 0
static (inside,dmz2) 140.3.2.201 140.3.2.201 netmask 255.255.255.255 0 0
static (inside,dmz2) 140.3.2.200 140.3.2.200 netmask 255.255.255.255 0 0
static (inside,dmz2) 140.3.1.22 140.3.1.22 netmask 255.255.255.255 0 0
static (inside,dmz2) 140.1.49.32 140.1.49.32 netmask 255.255.255.255 0 0
static (inside,dmz2) 140.1.26.21 140.1.26.21 netmask 255.255.255.255 0 0
static (inside,dmz2) 140.1.30.10 140.1.30.10 netmask 255.255.255.255 0 0
static (inside,dmz2) 140.1.49.33 140.1.49.33 netmask 255.255.255.255 0 0
static (inside,dmz2) 140.1.40.10 140.1.40.10 netmask 255.255.255.255 0 0
static (inside,dmz2) 140.1.29.16 140.1.29.16 netmask 255.255.255.255 0 0
access-group ping_acl in interface dmz1
access-group acl_dmz2 in interface dmz2
access-group ping_acl in interface dmz3
access-group ping_acl in interface failover
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.161 1
route inside 140.0.0.0 255.0.0.0 140.1.50.2 1
route dmz2 140.1.3.0 255.255.255.0 172.16.3.2 1
route dmz2 200.10.15.0 255.255.255.0 172.16.3.1 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 140.1.49.25 255.255.255.255 inside
telnet 140.1.29.21 255.255.255.255 inside
telnet 140.1.44.44 255.255.255.255 inside
telnet 140.1.44.45 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
terminal width 80
 
Before we go any further with this, can you test connectivity to the outside? Try pinging some outside IP address. You will need to allow ping inbound on the outside interface to allow the ICMP echo reply from the host you are pinging.

You need to be sure that you have basic connectivity and that NAT is working correctly before you get to specific services.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
I can ping from the external PIX interface, and from a desktop I can get to web sites by using the IP address, but using IE fails to connect and resolve the name, and I get the usual DNS error.
 
What DNS servers do you have set up in your TCP/IP settings???

At the moment I can't see anything in your PIX config that would stop DNS. You don't need to specifically allow DNS in for connections that are initiated from the inside. ASA takes care of that. So, you might be looking in the wrong place for the answer to this problem.

Check your TCP/IP settings and let me know!! We'll crack this one in the end!!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
For kicks and grins, try allowing port 53 (DNS) out to your ISP's DNS servers only. There is an implicit deny ip any any at the end of every access-list.

I usually put it in the access list so I can see the hit count.
 
The access lists aren't the problem! There's no access-list inbound on the inside interface, so the inside can connect to the outside and do anything!

access-group ping_acl in interface dmz1
access-group acl_dmz2 in interface dmz2
access-group ping_acl in interface dmz3
access-group ping_acl in interface failover

As I've already said, ASA lets connections from a higher security level (inside) to a lower security level (outside). An entry will be placed in the state table for the outgoing DNS request which will be matched to the incoming replies! So, from the config that you have supplied there is nothing blocking outgoing DNS or DNS replies! The question remains ... what's in your TCP/IP settings on either your PCs or proxy server??

Chris.

************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
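Chris's reasoning in the posts above (no access-group bound inbound on the inside interface, the ASA state table, and a nat/global pair so replies can be translated back) can be checked mechanically against the posted config. The script below is an added example written for this thread, not code from the thread or from Cisco: it parses an excerpt of the config posted above and reports whether a host on one interface may initiate UDP/53 to another. The config lines are taken from the post; the simplified ACL match (which ignores source and destination addresses), the nat/global check and the note about the `alias` command rewriting addresses in DNS replies are my own summary of the rules and should be read as such.

```python
from dataclasses import dataclass, field

# Excerpt of the PIX 5.3(2) config posted in the thread, limited to the commands
# that decide whether a host may send DNS queries out (outside address masked as
# in the post).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
nameif ethernet3 dmz2 security40
nameif ethernet4 dmz3 security60
access-list ping_acl permit icmp any any
access-list acl_dmz2 permit icmp any any
access-list acl_dmz2 permit udp 140.1.3.0 255.255.255.0 host 140.1.30.10 eq dnsix
global (outside) 1 xxx.xxx.xxx.170-xxx.xxx.xxx.190 netmask 255.255.255.224
global (dmz1) 1 172.16.2.20-172.16.2.230 netmask 255.255.255.0
global (dmz2) 1 172.16.3.20-172.16.3.230 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 194.6.96.3 140.1.49.25 255.255.255.255
access-group ping_acl in interface dmz1
access-group acl_dmz2 in interface dmz2
access-group ping_acl in interface dmz3
"""


@dataclass
class PixConfig:
    security: dict = field(default_factory=dict)     # interface -> security level
    acls: dict = field(default_factory=dict)         # acl name -> entries (token lists)
    bound: dict = field(default_factory=dict)        # interface -> acl bound inbound
    nat_ifaces: set = field(default_factory=set)     # interfaces with a nat rule
    global_ifaces: set = field(default_factory=set)  # interfaces with a global pool
    aliases: list = field(default_factory=list)      # (interface, full line)


def parse_pix(text):
    """Pick out the handful of PIX commands relevant to outbound-connection policy."""
    cfg = PixConfig()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0]
        if cmd == "nameif":            # nameif ethernet1 inside security100
            cfg.security[parts[2]] = int(parts[3][len("security"):])
        elif cmd == "access-list":     # access-list NAME permit|deny proto src dst [eq port]
            cfg.acls.setdefault(parts[1], []).append(parts[2:])
        elif cmd == "access-group":    # access-group NAME in interface IFACE
            cfg.bound[parts[4]] = parts[1]
        elif cmd == "nat":             # nat (IFACE) ID ...
            cfg.nat_ifaces.add(parts[1].strip("()"))
        elif cmd == "global":          # global (IFACE) ID ...
            cfg.global_ifaces.add(parts[1].strip("()"))
        elif cmd == "alias":           # alias (IFACE) dnat_ip foreign_ip [mask]
            cfg.aliases.append((parts[1].strip("()"), line))
    return cfg


def acl_permits_udp53(entries):
    """Simplified check (assumption: addresses are not evaluated): does any permit
    entry for ip/udp either carry no port clause or name port 53/domain?"""
    for e in entries:
        if e[0] != "permit" or e[1] not in ("ip", "udp"):
            continue
        if "eq" not in e:
            return True
        if e[e.index("eq") + 1] in ("53", "domain"):
            return True
    return False


def outbound_dns_verdict(cfg, src, dst):
    """Apply the rule from the thread: a higher security level may initiate to a
    lower one unless an access-group bound inbound on `src` denies it, and a
    nat (src) / global (dst) pair must exist so the reply can be mapped back."""
    reasons = []
    if cfg.security[src] <= cfg.security[dst]:
        reasons.append(f"{src} (security{cfg.security[src]}) is not higher than {dst}; "
                       "ASA will not let it initiate connections")
        return False, reasons
    ok = True
    acl = cfg.bound.get(src)
    if acl is None:
        reasons.append(f"no access-group bound inbound on {src}: outbound traffic is not filtered")
    elif acl_permits_udp53(cfg.acls.get(acl, [])):
        reasons.append(f"access-list {acl} on {src} has an entry that can permit udp/53 (check its addresses)")
    else:
        ok = False
        reasons.append(f"access-list {acl} on {src} has no entry permitting udp/53; "
                       "the implicit deny at the end drops it")
    if src in cfg.nat_ifaces and dst in cfg.global_ifaces:
        reasons.append(f"nat ({src}) with global ({dst}) present: the state table maps replies back")
    else:
        ok = False
        reasons.append(f"no nat ({src}) / global ({dst}) pair: connections cannot be translated")
    for iface, line in cfg.aliases:
        if iface == src:   # the alias command also rewrites addresses seen in DNS replies
            reasons.append(f"note: '{line}' rewrites a matching address in DNS replies for {src} hosts")
    return ok, reasons


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    for pair in (("inside", "outside"), ("dmz2", "outside")):
        ok, why = outbound_dns_verdict(cfg, *pair)
        print(pair, "udp/53 allowed" if ok else "udp/53 blocked")
        for r in why:
            print("   -", r)
```

Run against the posted excerpt, inside to outside comes out permitted for the reasons Chris gives, while dmz2 to outside is reported blocked because nothing in acl_dmz2 matches udp/53 and there is no nat (dmz2) rule; the script only answers the policy question, so a "permitted" verdict still leaves the workstation's resolver settings to check.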
 

I notice you are logging to an inside host. You might want to increase that level to a 13 temporarily, and try an nslookup from your workstation. That should tell you if the pix is interfering with the DNS lookup.

It is odd that it was working, and is now not with the pix. Have you changed the DNS setup on all of your workstations?

Has anything on the ISP side changed?
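The nslookup suggested above is the right test, because one UDP query and its reply to the same source port is exactly the exchange the PIX state table tracks; a timeout points at the path (or at a wrong server address in the TCP/IP settings), while a reply with a non-zero rcode shows the server is reachable through the firewall. The script below is an added example, not from the thread: it builds a raw A-record query, sends it to a server you name, and classifies the outcome. The server address in the usage line is a placeholder and the sample reply is constructed for the offline check, not a capture.

```python
import socket
import struct

TXID = 0x1234   # transaction id used for the constructed query/reply pair (assumption)


def build_query(name, txid=TXID):
    """Build a standard recursive A-record query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer occupies two bytes
            return off + 2
        off += length + 1


def parse_response(data, txid=TXID):
    """Return (rcode, [A-record addresses]) from a reply; raise if the id differs."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("reply id %04x does not match query id %04x" % (rid, txid))
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs


def check_resolver(server, name, timeout=2.0):
    """Send one UDP/53 query to `server` and say what came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no reply: query or reply dropped in transit, or wrong server address"
    finally:
        sock.close()
    rcode, addrs = parse_response(data)
    if rcode != 0:
        return "server reachable but lookup failed with rcode %d" % rcode
    return "ok: %s -> %s" % (name, ", ".join(addrs))


# Constructed reply for the query above (not a capture): id 0x1234, flags 0x8180
# (response, RD, RA), one question, one answer pointing at the question name.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
    # Put the external DNS server from the workstation's TCP/IP settings here:
    # print(check_resolver("203.0.113.53", "example.com"))   # placeholder address
```

Running it from a workstation behind the PIX while the syslog level on the inside logging host is raised, as suggested above, lets you match the timestamp of a "no reply" result against what the firewall logged for that UDP/53 connection.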
 
The Win9x PCs have the two external DNS addresses, there is no proxy server, and they have a default route set to go via the internal PIX address.
 