
No DNS on my webserver in DMZ


mletschin (Technical User, US), Nov 25, 2002

I have an NT 4 webserver (IIS 4) inside my DMZ on FW 4.1. I have my main network on a 192 set and my DMZ on a 10.10. The only rule that is set to apply to my webserver is that it allows http and http access from anywhere, and the same in the opposite direction. Any help would be great.

Thanks
 
So your question is how to resolve in the dmz? Internal and external?
 
I need to be able to resolve the DNS for external in off of my webserver. I can get to the IP of machines, but if I try to ping or nslookup I get an unknown server.
 
Can internal DNS resolve Internet addresses? If so, try adding a rule from the webserver in the DMZ to the internal DNS box for domain/tcp and domain/udp (port 53) only.
 
My understanding is this is an ARP problem; even NG doesn't seem to solve this one, as it won't resolve NAT between internal interfaces without additional ARP entries.
I can't help with the ARP problem as I don't fully understand it.
But a fudge is to place an entry into your internal DNS server with the internal IP address. I know this isn't what you are looking for but it may help.
 
I don't host my DNS internally, so I can't really do much other than edit my zone records...

What should I change in local.arp for it to work...
 
At a guess (I am learning ARP as I go), in local.arp enter the webserver's external NAT address and its MAC address,

e.g.
190.34.22.140 00:23:A3:23:23:83

or (as I say, I am learning)
190.34.22.140 00:23:A3:23:23:83 10.10.123.1

I think the second is most likely as this is creating the NAT rule.

Then reboot; this should create a static ARP entry.
So on the machine type
arp -a
and get a list of current ARP references for your firewall.

 
Sorry, I don't understand the problem. Either your web server can't resolve DNS as you don't have a rule that allows DNS from the DMZ, you can't resolve the IP address of your web server from inside your network, or you can't reach your DMZ web server from the inside network using the global IP address. Not sure which it is?

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Pilora,

Your first guess was right for the static arp entry ..

190.34.22.140 00:23:A3:23:23:83

... to allow the firewall to ARP for another address not belonging to the firewall object. However, the entries in local.arp have nothing to do with NAT.

To NAT on FW-1 4.1 and previous you had to add a static route to the firewall. The reason for this was that when packets hit the outside of the firewall they would be routed before being NATed, so the firewall would need to know where to route them. You also need the NAT rule in the NAT rule base, of course.

So, to add a new rule to allow traffic to an object that would be NATed to an internal address, you would have to create the object and the rule in the rule base, add an entry in local.arp to allow the firewall to ARP for that object, create the NAT rule in the rulebase (or use automatic NAT), and also put in a persistent static route to allow the firewall to route the packets to the correct interface before they are NATed.

On NG this works a bit differently. Now the firewall NATs before it routes the packets, so the static routes are no longer needed. Also, if using automatic NAT rules the ARP entries can be created automatically, negating the need for local.arp, unless you do manual NAT rules.

So, back to the original question. What is your problem?

"I need to be able to resolve the DNS for external in off of my webserver."

This doesn't make a whole lot of sense to me. Are you trying to allow the web server to do external DNS queries?

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
I will try to clear this up for you guys so you can help.

I have a webserver in my DMZ that works fine on resolving DNS for any external source. I, however, cannot see the actual website that it hosts through the DNS.

I am attempting to develop an app that uses the Microsoft SMTP server to send an email. I do not need to reply back to this email. It will not, however, resolve my main DNS (our company site, which we host).

We do not host our own DNS; it is hosted externally through UUNet. I can change our DNS tables and records.

Let me know if you have more questions that would help you answer me.
 
So you can't resolve the address of the web server through DNS? Have you spoken to the ISP that hosts your DNS records on their server? What's the URL?

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
I can resolve the URL normally.

or timesheet.emslab.com all work on most machines.

If I try to view timesheet.emslab.com on the machine which hosts it, it will not let me. If I go by the IP on that machine it will work.
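Two things in this thread are worth checking mechanically: Chris's correction that a local.arp line is "<ip> <mac>" and carries no NAT mapping, and the last post's symptom, where the DMZ host resolves its own name to the public NAT address and cannot reach it. The script below is an added example, not code from the thread or from Check Point; the NAT map, the 10.10.123.1 private address and the sample answers are constructed placeholders.

```python
import ipaddress
import re
# Constructed sample, not from the poster's firewall. An FW-1 4.1 local.arp
# line is "<public ip> <mac>"; a third field is not part of the format.
SAMPLE_LOCAL_ARP = "# firewall answers ARP for this address\n190.34.22.140 00:23:A3:23:23:83\n"
# Assumed NAT rule-base mapping {public: private}; 10.10.123.1 is a placeholder.
NAT_MAP = {"190.34.22.140": "10.10.123.1"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def parse_local_arp(text):
    """Return ({public_ip: mac}, [errors]). Only '<ip> <mac>' lines are accepted;
    local.arp carries no NAT mapping, so a third field is reported as an error."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2:
            errors.append(f"line {lineno}: expected '<ip> <mac>', got {len(fields)} fields")
            continue
        ip, mac = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"line {lineno}: bad IP address {ip}")
            continue
        if not MAC_RE.match(mac):
            errors.append(f"line {lineno}: bad MAC address {mac}")
            continue
        entries[ip] = mac.upper()
    return entries, errors

def classify_answers(answers, nat_map, own_private_ip):
    """'self-hairpin': the host resolved its own public NAT address, which only
    works if the firewall NATs DMZ-sourced traffic back through the DMZ interface."""
    verdicts = []
    for addr in answers:
        private = nat_map.get(addr)
        verdict = ("external" if private is None else
                   "self-hairpin" if private == own_private_ip else "nat-peer")
        verdicts.append((addr, verdict))
    return verdicts

def hosts_entry(name, answers, nat_map, own_private_ip):
    """The split-horizon 'fudge' from the thread: a hosts-file or internal-DNS line
    pointing the name at the private address; None when no such entry is needed."""
    if any(v == "self-hairpin" for _, v in classify_answers(answers, nat_map, own_private_ip)):
        return f"{own_private_ip} {name}"
    return None
```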
 