I have configured a Pix 501 to protect a DNS server using the following config. Clients should only be able to conduct Zone transfers and DNS, other than this I want to lock the server down. However, when I use http://www.kloth.net/services/nslookup.php to test the server, it responds "server can't find 7.1.1.207.in-addr.arpa: NXDOMAIN" Any comments on this config? ---------------------------------------------------------- PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 5gL encrypted passwd 15f encrypted hostname myname domain-name mydomain.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list alist permit tcp any host 207.1.1.7 eq 7390 access-list alist permit udp any host 207.1.1.7 eq domain pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 207.1.1.5 255.255.255.248 ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0 static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0 static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0 static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0 static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0 static (inside,outside) 207.1.1.9 192.168.1.6 netmask 255.255.255.255 0 0 access-group alist in interface outside route outside 0.0.0.0 0.0.0.0 205.244.149.110 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.1.2-192.168.1.33 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:eee1111ggggggdd : end [OK]