#### DNS Query

Discussion in 'Cisco' started by Still.myself, Sep 28, 2006.

  1. Still.myself

    Still.myself Guest

    NEED HELP ????

    Setup is as follows:-

    Internet---PIX----Cisco4500-----LAN

    I need LAN users to resolve internet DNS query using local DNS Server.

    On the network we have a DNS-Server (Windows2003) which has a Forwarder Entry
    of our ISP to resolve Internet DNS. But it doesn't work???

    Do I need to have a static NAT for the DNS Server IP address on the PIX?

    Default-Gateway for DNS server is Cisco4500
    Default-Gateway for LAN Users is Cisco4500

    Servers are on different Subnet
    Users are on different subnet


    On Cisco4500 we have defined IP route to the PIX internal interface...

    Can someone please tell me what is wrong in the setup?

    Thanks
     
    Still.myself, Sep 28, 2006
    #1

  2. * Still.myself wrote:
    > On the network we have a DNS-Server (Windows2003) which has a Forwarder Entry
    > of our ISP to resolve Internet DNS. But it doesn't work???


    Did you allow TCP and UDP port 53?

    > Do I need to have a static NAT for DNS Server IP address on the PIX.


    This is not necessary.

    > Default-Gateway for DNS server is Cisco4500
    > Default-Gateway for LAN Users is Cisco4500


    Default-Gateway for the Cisco4500 is?
     
    Lutz Donnerhacke, Sep 28, 2006
    #2

  3. Still.myself

    Rohan Guest

    "Still.myself" <> wrote in message
    news:...
    > NEED HELP ????
    >
    > Setup is as follows:-
    >
    > Internet---PIX----Cisco4500-----LAN
    >
    > I need LAN users to resolve internet DNS query using local DNS Server.
    >
    > On the network we have a DNS-Server (Windows2003) which has a Forwarder Entry
    > of our ISP to resolve Internet DNS. But it doesn't work???


    Create an ACL to make sure UDP 53 and TCP 53 are opened from the inside to
    the outside.

    > Do I need to have a static NAT for the DNS Server IP address on the PIX?


    In order to get to the internet the Internal DNS server needs to be NAT'd
    to the public address so that the request can return.

    To view that the DNS server is getting through the ACL you should monitor
    the hitcount. That is a good first glance tool. Also turn on logging so
    you can see what's going on.

    >
    > Default-Gateway for DNS server is Cisco4500
    > Default-Gateway for LAN Users is Cisco4500
    >
    > Servers are on different Subnet
    > Users are on different subnet
    >
    >
    > On Cisco4500 we have defined IP route to the PIX internal interface...
    >
    > Can someone please tell me what is wrong in the setup?
    >
    > Thanks
    >
     
    Rohan, Sep 28, 2006
    #3
  4. In article <DcRSg.11129$>,
    "Rohan" <> wrote:

    > "Still.myself" <> wrote in message
    > news:...
    > > NEED HELP ????
    > >
    > > Setup is as follows:-
    > >
    > > Internet---PIX----Cisco4500-----LAN
    > >
    > > I need LAN users to resolve internet DNS query using local DNS Server.
    > >
    > > On the network we have a DNS-Server (Windows2003) which has a Forwarder Entry
    > > of our ISP to resolve Internet DNS. But it doesn't work???

    >
    > Create an ACL to make sure UDP 53 and TCP 53 are opened from the inside to
    > the outside.
    >
    > > Do I need to have a static NAT for the DNS Server IP address on the PIX?

    >
    > In order to get to the internet the Internal DNS server needs to be NAT'd
    > to the public address so that the request can return.


    I've never done much with PIX, but doesn't its ordinary dynamic NAT
    automatically allow packets back in that are in response to outgoing
    queries? I don't think you should need a static NAT for this, as long
    as you have the appropriate ACLs that allow the queries out.

    You only need a static NAT if you're operating a public DNS server (e.g.
    the SOA for your domain) on the LAN, and need to allow incoming queries.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Barry Margolin, Sep 28, 2006
    #4
  5. Still.myself

    Rohan Guest

    "Barry Margolin" <> wrote in message
    news:...
    > In article <DcRSg.11129$>,
    > "Rohan" <> wrote:
    >
    >> "Still.myself" <> wrote in message
    >> news:...
    >> > NEED HELP ????
    >> >
    >> > Setup is as follows:-
    >> >
    >> > Internet---PIX----Cisco4500-----LAN
    >> >
    >> > I need LAN users to resolve internet DNS query using local DNS Server.
    >> >
    >> > On the network we have a DNS-Server (Windows2003) which has a Forwarder Entry
    >> > of our ISP to resolve Internet DNS. But it doesn't work???

    >>
    >> Create an ACL to make sure UDP 53 and TCP 53 are opened from the inside to
    >> the outside.
    >>
    >> > Do I need to have a static NAT for the DNS Server IP address on the PIX?

    >>
    >> In order to get to the internet the Internal DNS server needs to be
    >> NAT'd
    >> to the public address so that the request can return.

    >
    > I've never done much with PIX, but doesn't its ordinary dynamic NAT
    > automatically allow packets back in that are in response to outgoing
    > queries? I don't think you should need a static NAT for this, as long
    > as you have the appropriate ACLs that allow the queries out.


    Well, you need a NAT, whether it's static or dynamic, to the ISP's public
    address if you query from Internal to Internet.

    Do you have ACL defined for DNS?

    Also how did you rule out that the internal DNS server is correctly
    configured for forwarding?

    >
    > You only need a static NAT if you're operating a public DNS server (e.g.
    > the SOA for your domain) on the LAN, and need to allow incoming queries.

    True, but in this case you want Internal DNS to reach the external DNS at your
    ISP.


    >
    > --
    > Barry Margolin,
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***
    > *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Rohan, Sep 28, 2006
    #5
  6. In article <fJRSg.11149$>,
    "Rohan" <> wrote:

    > "Barry Margolin" <> wrote in message
    > news:...
    > > In article <DcRSg.11129$>,
    > > "Rohan" <> wrote:
    > >
    > >> "Still.myself" <> wrote in message
    > >> news:...
    > >> > NEED HELP ????
    > >> >
    > >> > Setup is as follows:-
    > >> >
    > >> > Internet---PIX----Cisco4500-----LAN
    > >> >
    > >> > I need LAN users to resolve internet DNS query using local DNS Server.
    > >> >
    > >> > On the network we have a DNS-Server (Windows2003) which has a Forwarder Entry
    > >> > of our ISP to resolve Internet DNS. But it doesn't work???
    > >>
    > >> Create an ACL to make sure UDP 53 and TCP 53 are opened from the inside to
    > >> the outside.
    > >>
    > >> > Do I need to have a static NAT for the DNS Server IP address on the PIX?
    > >>
    > >> In order to get to the internet the Internal DNS server needs to be
    > >> NAT'd
    > >> to the public address so that the request can return.

    > >
    > > I've never done much with PIX, but doesn't its ordinary dynamic NAT
    > > automatically allow packets back in that are in response to outgoing
    > > queries? I don't think you should need a static NAT for this, as long
    > > as you have the appropriate ACLs that allow the queries out.

    >
    > Well, you need a NAT, whether it's static or dynamic, to the ISP's public
    > address if you query from Internal to Internet.


    You need to do that for ANY outbound traffic, you don't have to do
    anything special for the DNS server. That's what I meant by "its
    ordinary dynamic NAT". I haven't configured PIXes myself, but I assume
    this is the default behavior once you allow the traffic through with an
    ACL.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Barry Margolin, Sep 28, 2006
    #6
  7. Still.myself

    Still.myself Guest

    Thanks to all for their reply.
    I have opened the ports TCP and UDP 53 and have done a static NAT but
    still it doesn't work??

    Do I need any configuration on Cisco4500.

    I don't have a default-Gateway set on Cisco4500; I don't have an ip route
    0.0.0.0 to the PIX internal Interface. { Do I need the above? }

    I have a couple of VLANs configured on Cisco4500 with some static routes
    to different Stores




    Rohan wrote:
    > "Still.myself" <> wrote in message
    > news:...
    > > NEED HELP ????
    > >
    > > Setup is as follows:-
    > >
    > > Internet---PIX----Cisco4500-----LAN
    > >
    > > I need LAN users to resolve internet DNS query using local DNS Server.
    > >
    > > On the network we have a DNS-Server (Windows2003) which has a Forwarder Entry
    > > of our ISP to resolve Internet DNS. But it doesn't work???

    >
    > Create an ACL to make sure UDP 53 and TCP 53 are opened from the inside to
    > the outside.
    >
    > > Do I need to have a static NAT for the DNS Server IP address on the PIX?

    >
    > In order to get to the internet the Internal DNS server needs to be NAT'd
    > to the public address so that the request can return.
    >
    > To view that the DNS server is getting through the ACL you should monitor
    > the hitcount. That is a good first glance tool. Also turn on logging so
    > you can see what's going on.
    >
    > >
    > > Default-Gateway for DNS server is Cisco4500
    > > Default-Gateway for LAN Users is Cisco4500
    > >
    > > Servers are on different Subnet
    > > Users are on different subnet
    > >
    > >
    > > On Cisco4500 we have defined IP route to the PIX internal interface...
    > >
    > > Can someone please tell me what is wrong in the setup?
    > >
    > > Thanks
    > >
     
    Still.myself, Sep 28, 2006
    #7
  8. In article <>,
    "Still.myself" <> wrote:

    > Thanks to all for their reply.
    >
    > I have opened the ports TCP and UDP 53 and have done a static NAT but
    > still it doesn't work??
    >
    > Do I need any configuration on Cisco4500.


    If you don't have any filters on the Cisco, you shouldn't need to do
    anything special there.

    >
    > I don't have a default-Gateway set on Cisco4500; I don't have an ip route
    > 0.0.0.0 to the PIX internal Interface. { Do I need the above? }


    Yes, you need the 0.0.0.0 route. If you don't have a default route, how
    do you get to the Internet for other protocols? This has nothing to do
    with DNS, it's basic network routing.

    >
    > I have a couple of VLANs configured on Cisco4500 with some static routes
    > to different Stores
    >
    >
    >
    >
    > Rohan wrote:
    > > "Still.myself" <> wrote in message
    > > news:...
    > > > NEED HELP ????
    > > >
    > > > Setup is as follows:-
    > > >
    > > > Internet---PIX----Cisco4500-----LAN
    > > >
    > > > I need LAN users to resolve internet DNS query using local DNS Server.
    > > >
    > > > On the network we have a DNS-Server (Windows2003) which has a Forwarder Entry
    > > > of our ISP to resolve Internet DNS. But it doesn't work???

    > >
    > > Create an ACL to make sure UDP 53 and TCP 53 are opened from the inside to
    > > the outside.
    > >
    > > > Do I need to have a static NAT for the DNS Server IP address on the PIX?

    > >
    > > In order to get to the internet the Internal DNS server needs to be NAT'd
    > > to the public address so that the request can return.
    > >
    > > To view that the DNS server is getting through the ACL you should monitor
    > > the hitcount. That is a good first glance tool. Also turn on logging so
    > > you can see what's going on.
    > >
    > > >
    > > > Default-Gateway for DNS server is Cisco4500
    > > > Default-Gateway for LAN Users is Cisco4500
    > > >
    > > > Servers are on different Subnet
    > > > Users are on different subnet
    > > >
    > > >
    > > > On Cisco4500 we have defined IP route to the PIX internal interface...
    > > >
    > > > Can someone please tell me what is wrong in the setup?
    > > >
    > > > Thanks
    > > >


    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Barry Margolin, Sep 29, 2006
    #8
  9. Still.myself

    Rohan Guest

    "Still.myself" <> wrote in message
    news:...
    > Thanks to all for their reply.
    > I have opened the ports TCP and UDP 53 and have done a static NAT but
    > still it doesn't work??
    >
    > Do I need any configuration on Cisco4500.

    If there are no filters you do need any ACL configurations for that.

    >
    > I don't have a default-Gateway set on Cisco4500; I don't have an ip route
    > 0.0.0.0 to the PIX internal Interface. { Do I need the above? }


    Yes in this case you will need it. How are others able to get out to the
    internet if there is no default route now?


    >
    > I have a couple of VLANs configured on Cisco4500 with some static routes
    > to different Stores
    >
    >
    >
    >
    > Rohan wrote:
    >> "Still.myself" <> wrote in message
    >> news:...
    >> > NEED HELP ????
    >> >
    >> > Setup is as follows:-
    >> >
    >> > Internet---PIX----Cisco4500-----LAN
    >> >
    >> > I need LAN users to resolve internet DNS query using local DNS Server.
    >> >
    >> > On the network we have a DNS-Server (Windows2003) which has a Forwarder Entry
    >> > of our ISP to resolve Internet DNS. But it doesn't work???

    >>
    >> Create an ACL to make sure UDP 53 and TCP 53 are opened from the inside to
    >> the outside.
    >>
    >> > Do I need to have a static NAT for the DNS Server IP address on the PIX?

    >>
    >> In order to get to the internet the Internal DNS server needs to be
    >> NAT'd
    >> to the public address so that the request can return.
    >>
    >> To view that the DNS server is getting through the ACL you should monitor
    >> the hitcount. That is a good first glance tool. Also turn on logging so
    >> you can see what's going on.
    >>
    >> >
    >> > Default-Gateway for DNS server is Cisco4500
    >> > Default-Gateway for LAN Users is Cisco4500
    >> >
    >> > Servers are on different Subnet
    >> > Users are on different subnet
    >> >
    >> >
    >> > On Cisco4500 we have defined IP route to the PIX internal interface...
    >> >
    >> > Can someone please tell me what is wrong in the setup?
    >> >
    >> > Thanks
    >> >

    >
     
    Rohan, Sep 29, 2006
    #9
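Pulling the thread's three pieces of advice together (an inside-to-outside ACL for UDP and TCP 53, ordinary dynamic NAT for the inside networks, and a default route on both boxes), here is an added, annotated configuration example; it is not from any post in this thread. PIX 6.x syntax is assumed, and every address is a constructed placeholder: 10.1.20.10 for the internal DNS server, 10.1.0.0/16 for the server and user subnets behind the 4500, 192.168.255.1/2 for the PIX-to-4500 link, and 203.0.113.1 for the ISP gateway.

```cisco
! --- PIX (6.x syntax assumed; addresses are constructed placeholders) ---
! The server and user subnets sit behind the 4500, not on the PIX inside
! interface, so the PIX needs routes back to them or replies have nowhere to go.
route inside 10.1.0.0 255.255.0.0 192.168.255.2 1
! Default route towards the ISP.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Only the internal DNS server may reach port 53 on the Internet (its forwarder
! traffic). TCP 53 is included because answers over 512 bytes fall back to TCP.
! LAN users query the internal server, not the Internet, so they get no DNS rule.
access-list inside_out permit udp host 10.1.20.10 any eq domain
access-list inside_out permit tcp host 10.1.20.10 any eq domain
! (other permitted outbound traffic goes here; anything unmatched is denied)
access-group inside_out in interface inside

! Ordinary dynamic PAT for every inside network. No static entry is needed for
! outbound queries: the xlate built on the way out lets the reply back in.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface

! Logging, so packets dropped by the ACL show up in the buffer (106023 lines).
logging on
logging buffered informational

! Checks suggested in the thread: hit counts on the two DNS lines, the xlate
! created when the server forwards a query, and the log buffer.
! show access-list inside_out
! show xlate
! show logging

! --- Cisco 4500 (IOS) ---
! Without this, a packet for an Internet address is dropped on the 4500
! before it ever reaches the PIX, whatever the PIX ACL and NAT say.
ip route 0.0.0.0 0.0.0.0 192.168.255.1
```

If the hit counters stay at zero while the Windows server reports forwarder timeouts, the query is not reaching the PIX at all, which points at the missing default route on the 4500 rather than at the firewall rules.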
  10. Still.myself

    Rohan Guest

    "Barry Margolin" <> wrote in message
    news:...
    > In article <fJRSg.11149$>,
    > "Rohan" <> wrote:
    >
    >> "Barry Margolin" <> wrote in message
    >> news:...
    >> > In article <DcRSg.11129$>,
    >> > "Rohan" <> wrote:
    >> >
    >> >> "Still.myself" <> wrote in message
    >> >> news:...
    >> >> > NEED HELP ????
    >> >> >
    >> >> > Setup is as follows:-
    >> >> >
    >> >> > Internet---PIX----Cisco4500-----LAN
    >> >> >
    >> >> > I need LAN users to resolve internet DNS query using local DNS
    >> >> > Server.
    >> >> >
    >> >> > On the network we have a DNS-Server (Windows2003) which has a Forwarder
    >> >> > Entry
    >> >> > of our ISP to resolve Internet DNS. But it doesn't work???
    >> >>
    >> >> Create an ACL to make sure UDP 53 and TCP 53 are opened from the inside
    >> >> to
    >> >> the outside.
    >> >>
    >> >> > Do I need to have a static NAT for the DNS Server IP address on the PIX?
    >> >>
    >> >> In order to get to the internet the Internal DNS server needs to be
    >> >> NAT'd
    >> >> to the public address so that the request can return.
    >> >
    >> > I've never done much with PIX, but doesn't its ordinary dynamic NAT
    >> > automatically allow packets back in that are in response to outgoing
    >> > queries? I don't think you should need a static NAT for this, as long
    >> > as you have the appropriate ACLs that allow the queries out.

    >>
    >> Well, you need a NAT, whether it's static or dynamic, to the ISP's public
    >> address if you query from Internal to Internet.

    >
    > You need to do that for ANY outbound traffic, you don't have to do
    > anything special for the DNS server. That's what I meant by "its
    > ordinary dynamic NAT". I haven't configured PIXes myself, but I assume
    > this is the default behavior once you allow the traffic through with an
    > ACL.


    Actually it's not a default behavior. You have to define what you want.


    >
    > --
    > Barry Margolin,
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***
    > *** PLEASE don't copy me on replies, I'll read them in the group ***
     
    Rohan, Sep 29, 2006
    #10
  11. Still.myself

    swapnendu

    A few questions...

    Can you reach the internet from your DNS server? Try a few pings to test this...

    If not, then provide internet access to your DNS server.

    Try doing a telnet "ISP-DNS-Server-ipaddress" 53 to check the connectivity... you shouldn't get a connection timeout.
     
    swapnendu, Sep 29, 2006
    #11
