Internal DNS not working through PIX?

[TheStressFactor]

Hey all,

Just implemented a PIX515(6.2).My users cannot get out to the internet with the DNS IP provided by dhcp. The internal dns server is a w2k box. However, if i provide an external dns server it works perfectly fine. Is there something I need to provide in order to get my internal dns to resolve properly?

Below is my config...any help or insight would be great.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7DeygvHKjBuxNxrP encrypted
passwd 0fTucaWSYztRT69N encrypted
hostname marinofw1
domain-name mycompany.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_outbound permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list acl_outbound permit ip any any
access-list acl_outbound permit icmp any host x.x.x.70
access-list acl_inbound permit ip any any
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.70 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
access-group acl_outbound in interface outside
access-group acl_inbound in interface inside
outbound 1 permit 192.168.3.0 255.255.255.0 0 ip
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
: end

 

[gbiello]

This is most likely a Windows 200 problem, not a PIX issue. Go to the DNS mmc, right-click on the DNS server icon, and select 'properties'. Look at the 'Root-hints' and the 'Forwarders' tabs. If they have no IP addresses listed in either, that's your problem. You need to either configure the server with the root hints (Q249868), or enter your ISP's DNS servers as Forwarders. If these options are all dimmed out, it's becasue you have "." domain (Q229840). One further note, don't forget to set up Reverse-lookup domains. It will stop some non-fatal errors from appearing in your logs.

hope this helps,
-gbiello

 

[TheStressFactor]

Thanks for the suggestion but I tried this before and verified it again but still no progress...any other suggestions you can think of?

 

[gbiello]

You don't really need the acl_inbound access-list. I'd remove it.

You typically us an access-list bound to the outside interface only when you're opening ports to a static NAT'ed server, which I don't see.

I've also never had a reason to use the 'outbound' command.

Thus I would try removing the following lines from the config:
access-list acl_outbound permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list acl_outbound permit ip any any
access-list acl_outbound permit icmp any host x.x.x.70
access-list acl_inbound permit ip any any
access-group acl_outbound in interface outside
access-group acl_inbound in interface inside
outbound 1 permit 192.168.3.0 255.255.255.0 0 ip

Now I can't promise that would help you at all, but I can't see where it would hurt.

-gbiello

 

[TheStressFactor]

Dude thanks for the config suggestions..this is my first pix so please excuse my ignorance on it...anyways, I still cant get out using my internal dns entry...I wonder what the heck Im doing wrong? Any help or suggestions would be great..thanks.


Patrick

 

[gbiello]

Hey, no problem. If you can browse to a website using the ip address, NAT is working fine. Try

http://66.54.2.136

(=

http://www.foxnews.com).

If you can browse normally using the ISP's DNS servers, the firewall is passing DNS, and I saw nothing in the config blocking port 53, which would stop this.

I still think your trouble is with the Win2K server. Remember you need either root-hints or IP forwarders enabled. Try putting the 2K server outside the firewall for a minute. That would prove it's not the firewall.

good luck,
-gbiello

 

[TheStressFactor]

Ahhhh...you were right my friend...i Had originally changed the default server on my server to go to the pix however never rebooted(what a rookie mistake) so the change never took edffect..when i did an ipconfig/all on the server i noticed it had the old default gateway...once I rebooted the server..BAM...everything is working..thanks for opening up my eyes to where the should have been looking all along...thanks friend.

Patrick