
NAT or DNS rewrite question

Status
Not open for further replies.

dtrobert

IS-IT--Management
May 10, 2004
18
US
Hi,
We're having an issue with DNS on our DMZ. Basically, users on, say, phones on the Wi-Fi network connect to our DMZ. When they look up our mail server, they are getting the internal IP and not the public IP.

The strange thing is it appears, using a laptop to test, like the DNS server is actually returning our internal IP. For example, using nslookup on a Windows laptop on this same Wifi network returns the provider DNS (public) and our internal 10.x.x.x IP.

I'm wondering if I don't need a static NAT for my mail server on the (inside,dmz) but I still can't figure out why the DNS server appears to be returning the wrong IP.

Here are, I think, the relevant parts of my config. If anyone can help, I would greatly appreciate it.

Thanks


interface Ethernet0
nameif outside
security-level 0
ip address 10.20.0.10 255.255.255.192
ospf cost 10
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.252
ospf cost 10
!
interface Ethernet2
nameif dmz
security-level 4
ip address 192.168.2.1 255.255.255.0
ospf cost 10


dns domain-lookup outside
dns server-group DefaultDNS
name-server 64.71.0.34
name-server 64.71.0.60
name-server 64.105.172.26
name-server 64.105.172.27
domain-name default.domain.invalid

access-list dmz_nat0_outbound extended permit ip dmz-net 255.255.255.0 10.20.0.0 255.255.255.192

nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) mail-ext mail-int netmask 255.255.255.255

access-group outside in interface outside
access-group INSIDE-ACL in interface inside
access-group DMZ-ACL in interface dmz


 
I'm confused, if they are doing the lookup against your internal server then it will resolve to the internal IP address. Are you trying to say if they do a lookup against mail.example.com to a public DNS server it returns your internal IP address? If so then I would check your external DNS records.
 
It is the second case. The lookup is against the public DNS but returning the internal IP. A query from outside the network (not DMZ or inside) but directed at the same public DNS returns the external IP.
 
Okay, I learned quite a bit.

1. It seems we are doing 2 NATs, one in the PIX and one in the router just outside the PIX.
2. It seems that a router outside our PIX is doing DNS rewrite such that the packets going from the external DNS are being rewritten to contain the first NAT IP (10.20.. between the PIX and router).

3. There is an ACL in the PIX which should permit access from the dmz to this first NAT IP (10.20..) but it's not being allowed, perhaps because the packet has to go from the DMZ to the outside PIX then be NATed back in. Or maybe there's some missing NAT on the reverse path.

Any ideas?
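A small diagnostic for the symptom in this thread, added here as an example (it is not from the original posts or from any vendor): it parses a raw DNS reply and flags A records that fall in RFC 1918 space, which, when the query was sent to a public resolver, shows the reply was rewritten on the return path. The packet bytes, the name mail.example.com and the answer 10.20.0.5 are constructed for the example.

```python
import ipaddress
import struct

# RFC 1918 space; a public resolver should never answer a public name with these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def read_name(pkt, off):
    """Decode the DNS name at pkt[off], following compression pointers;
    return (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def a_records(pkt):
    """Return [(owner, IPv4 string)] for the A records in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(pkt, off)
        off += 4                                  # QTYPE + QCLASS
    out = []
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # type A
            out.append((owner, str(ipaddress.IPv4Address(pkt[off:off + 4]))))
        off += rdlen
    return out

def rewritten_answers(pkt):
    """A records whose address is RFC 1918: from a public resolver, a rewritten reply."""
    return [(n, ip) for n, ip in a_records(pkt)
            if any(ipaddress.ip_address(ip) in net for net in RFC1918)]

# Constructed reply: ID 0x1234, 1 question, 1 answer, mail.example.com A -> 10.20.0.5
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
          b"\x04mail\x07example\x03com\x00\x00\x01\x00\x01"
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x0a\x14\x00\x05")
```

Capturing the same reply on a DMZ host and on a host outside the router, and running both through rewritten_answers, shows which hop is doing the rewriting.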
 