Name resolution from inside DMZ

Discussion in 'Cisco' started by dexteroc, Jan 9, 2007.

  1. dexteroc

    dexteroc Guest

    I searched on this topic and found a bunch of stuff relating to DNS but
    nothing that matched my situation exactly. I'm on pix 515 version
    6.3.3 and I have three interfaces which are inside, outside and dmz. I
    have a web server in the dmz and up until now, only inbound traffic was
    allowed. However with a new software package, we need the web server
    to be able to resolve names and get back out onto the internet. I
    configured the firewall to allow outbound traffic and it worked with an
    access list and a nat statement but there is no name resolution. I can
    telnet or web to IPs but not to names. I have two DNS servers
    internally that I can route the queries to which is what I want to do
    if possible. Any ideas on how to set this up? I can post my config if
    necessary.

    Thanks,

    Paul
    dexteroc, Jan 9, 2007
    #1

  2. dexteroc

    chris Guest

    "dexteroc" <> wrote in message
    news:...
    >I searched on this topic and found a bunch of stuff relating to DNS but
    > nothing that matched my situation exactly. I'm on pix 515 version
    > 6.3.3 and I have three interfaces which are inside, outside and dmz. I
    > have a web server in the dmz and up until now, only inbound traffic was
    > allowed. However with a new software package, we need the web server
    > to be able to resolve names and get back out onto the internet. I
    > configured the firewall to allow outbound traffic and it worked with an
    > access list and a nat statement but there is no name resolution. I can
    > telnet or web to IPs but not to names. I have two DNS servers
    > internally that I can route the queries to which is what I want to do
    > if possible. Any ideas on how to set this up? I can post my config if
    > necessary.
    >
    > Thanks,
    >
    > Paul
    >


    Maybe posting the config will help. How is the web server configured for DNS
    resolution? Internal DNS or ISP DNS?

    Chris.
    chris, Jan 9, 2007
    #2

  3. dexteroc

    dexteroc Guest


    >chris wrote:


    > Maybe posting the config will help. How is the web server configured for DNS
    > resolution? Internal DNS or ISP DNS?
    >
    > Chris.


    I don't know enough about the OS on the web server...it is running IBM
    AIX but I have a test computer working in the DMZ and until I am able
    to resolve names with that one I don't want to change settings on the
    web server. Currently there are no DNS queries traversing the
    firewall...all the internal clients are on the inside interface and
    they query the local internal DNS servers which is what I want
    computers in the DMZ to do. Here is my configuration minus the
    unimportant stuff, and thanks for the help...



    PIX Version 6.3(3)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ1 security50

    access-list acl_out permit tcp any host <public.ip> eq www
    access-list acl_out permit tcp any host <public.ip> eq https
    access-list acl_out permit tcp any host <public.ip> eq smtp
    access-list acl_out permit icmp any any
    access-list acl_out permit tcp any interface outside
    access-list acl_out permit tcp any eq pop3 host <public.ip> eq pop3
    access-list acl_out permit tcp any eq smtp host <public.ip> eq smtp
    access-list acl_out permit tcp any eq ftp host <public.ip> eq ftp
    access-list dmz_out permit icmp any any
    access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
    access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 eq https
    access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 eq http
    access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
    access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0

    ip address outside <public.ip> 255.255.255.224
    ip address inside 1.141.1.99 255.0.0.0
    ip address DMZ1 10.0.0.1 255.255.255.0

    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 vpn_mobile 255.0.0.0 0 0
    nat (DMZ1) 1 0.0.0.0 0.0.0.0
    static (DMZ1,outside) tcp <public.ip> www 10.0.0.3 www netmask 255.255.255.255 0 0
    static (DMZ1,outside) tcp <public.ip> https 10.0.0.3 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp <public.ip> smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
    static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0

    access-group acl_out in interface outside
    access-group dmz_out in interface DMZ1
    route outside 0.0.0.0 0.0.0.0 <outside_ip> 1
    dexteroc, Jan 10, 2007
    #3
  4. dexteroc

    chris Guest

    "dexteroc" <> wrote in message
    news:...
    >
    >>chris wrote:

    >
    >> Maybe posting the config will help. How is the web server configured for
    >> DNS
    >> resolution? Internal DNS or ISP DNS?
    >>
    >> Chris.

    >
    > I don't know enough about the OS on the web server...it is running IBM
    > AIX but I have a test computer working in the DMZ and until I am able
    > to resolve names with that one I don't want to change settings on the
    > web server. Currently there are no DNS queries traversing the
    > firewall...all the internal clients are on the inside interface and
    > they query the local internal DNS servers which is what I want
    > computers in the DMZ to do. Here is my configuration minus the
    > unimportant stuff and Thanks for the help...
    >


    access-list dmz_out permit icmp any any
    access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
    access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 eq https
    access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 eq http


    So you are not allowing DNS out. Maybe that's the problem then? Note that if
    you want to allow DNS to your internal DNS server then you will have to set
    up NAT for that (DMZ to inside) as well as adding the rule to the DMZ ACL.
    If the web server is configured with external DNS servers then you will just
    have to add tcp/udp 53 to the rules.

    Chris.
    chris, Jan 10, 2007
    #4
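A worked version of the advice in the reply above, written as an added example for this thread and not taken from any post in it. The interface names, the web server 10.0.0.3, the existing access-list name dmz_out and the existing static (inside,DMZ1) line come from the posted config; the internal DNS server addresses 1.141.1.10 and 1.141.1.11 are assumptions picked inside the posted 1.0.0.0/8 inside network, and <isp.dns> is a placeholder. Lines starting with ! are explanatory comments.

```cisco
! Added example for the thread above; not the poster's config.
! Assumes internal DNS servers 1.141.1.10 and 1.141.1.11 (hypothetical),
! web server 10.0.0.3, interfaces inside / DMZ1 / outside as posted.
!
! 1. Translation for DMZ1 -> inside.
!    The posted config already contains
!      static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
!    which presents the whole inside network to DMZ1 under its real
!    addresses, so the DNS servers are reachable by 1.141.1.x without any
!    further NAT. Only if that wide static is ever removed, add identity
!    statics for just the DNS servers (do not add them alongside it, the
!    PIX rejects overlapping statics):
!      static (inside,DMZ1) 1.141.1.10 1.141.1.10 netmask 255.255.255.255 0 0
!      static (inside,DMZ1) 1.141.1.11 1.141.1.11 netmask 255.255.255.255 0 0
!
! 2. Permit DNS on the DMZ1 inbound ACL, scoped to the one DMZ host that
!    needs it and the two resolvers it is allowed to ask. UDP 53 carries
!    ordinary queries; TCP 53 is needed when a reply is truncated and the
!    resolver retries over TCP.
access-list dmz_out permit udp host 10.0.0.3 host 1.141.1.10 eq domain
access-list dmz_out permit udp host 10.0.0.3 host 1.141.1.11 eq domain
access-list dmz_out permit tcp host 10.0.0.3 host 1.141.1.10 eq domain
access-list dmz_out permit tcp host 10.0.0.3 host 1.141.1.11 eq domain
!
!    Alternative if the web server is pointed at the ISP's resolver instead:
!    outbound DMZ1 -> outside already translates through
!    nat (DMZ1) 1 0.0.0.0 0.0.0.0 / global (outside) 1 interface, so only
!    the ACL entries are missing (replace <isp.dns> with the resolver):
!      access-list dmz_out permit udp host 10.0.0.3 host <isp.dns> eq domain
!      access-list dmz_out permit tcp host 10.0.0.3 host <isp.dns> eq domain
!
! 3. Keep the DNS fixup on (it is on by default in 6.3). It only opens the
!    return path for a reply whose ID matches an outstanding query and
!    closes the UDP conn after the first reply, so it should stay enabled:
fixup protocol dns maximum-length 512
!
! 4. Check from the PIX after a lookup from the DMZ test host
!    (nslookup www.example.com 1.141.1.10 on that host):
!      show access-list dmz_out    hit counts on the new udp/tcp 53 lines
!      show conn                   a UDP conn 10.0.0.3 -> 1.141.1.10:53
!    If the hit count stays at 0 the query never reached the PIX, so the
!    resolver setting on the DMZ host is the thing to look at, not the ACL.
```

The ACL entries are written per host rather than `10.0.0.0 255.255.255.0 any eq domain` on purpose: a DMZ web server that is compromised should not gain a path to every inside host on port 53, and giving it the internal resolvers at all means it can enumerate internal names, so if the internal zone holds names the DMZ does not need, pointing the DMZ host at an external or forwarding-only resolver is the safer of the two options in the reply above. Also note that the existing `permit tcp 10.0.0.0 255.255.255.0 eq https` and `eq http` lines in dmz_out name only a source port and no destination, which is not what outbound web access needs; the 1.1.1.1 range 12100-12109 line is the shape to follow.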
