Pix 501-Protect DNS Server

Discussion in 'Cisco' started by blinton25, Feb 3, 2008.

blinton25, Feb 3, 2008
    I have configured a Pix 501 to protect a DNS server using the following config. Clients should only be able to conduct zone transfers and DNS; other than this I want to lock the server down.

    However, when I use http://www.kloth.net/services/nslookup.php to test the server, it responds

    "server can't find NXDOMAIN"

    Any comments on this config?


    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 5gL encrypted
    passwd 15f encrypted
    hostname myname
    domain-name mydomain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    : inbound policy; bound to the outside interface by the access-group line below
    access-list alist permit tcp any host eq 7390
    access-list alist permit udp any host eq domain
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0 0
    : per-port statics publishing TCP/UDP 53 of the inside server(s), plus two one-to-one statics
    static (inside,outside) tcp domain domain netmask 0 0
    static (inside,outside) udp domain domain netmask 0 0
    static (inside,outside) tcp domain domain netmask 0 0
    static (inside,outside) udp domain domain netmask 0 0
    static (inside,outside) netmask 0 0
    static (inside,outside) netmask 0 0
    access-group alist in interface outside
    route outside 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    : end

    blinton25, Feb 3, 2008
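The inbound policy the post describes, written out with the weak rule beside a corrected one, as an added example that is not the poster's own configuration. It assumes PIX 6.3(5) syntax as posted, and uses placeholder addresses (203.0.113.10 for the server's public address, 192.168.1.10 for its inside address, 198.51.100.5 for a secondary name server that is allowed to pull the zone); none of these appear on the original page.

```cisco
: Added example, not the original poster's configuration.
: Placeholder addresses: 203.0.113.10 = public address of the DNS server,
: 192.168.1.10 = its inside address, 198.51.100.5 = an assumed secondary.
:
: Weak form (what the posted ACL does): TCP is opened on port 7390, not 53,
: so no zone transfer (AXFR/IXFR runs over TCP 53) can reach the server.
: access-list alist permit tcp any host 203.0.113.10 eq 7390
: access-list alist permit udp any host 203.0.113.10 eq domain
:
: Corrected form. Ordinary queries: UDP 53 from anywhere.
access-list alist permit udp any host 203.0.113.10 eq domain
: Zone transfers: TCP 53 only from the secondary that is allowed to pull the zone.
access-list alist permit tcp host 198.51.100.5 host 203.0.113.10 eq domain
: Resolvers retry over TCP 53 when a UDP answer is truncated (TC bit set). If
: that matters for this zone, add 'permit tcp any host 203.0.113.10 eq domain',
: accepting that TCP 53 is then reachable by everyone and the transfer
: restriction must be enforced on the name server itself.
: Nothing else is permitted inbound; the ACL ends in an implicit deny.
:
: Publish only port 53 of the inside server, per protocol, as the posted
: config does. Port statics take a host mask (255.255.255.255).
static (inside,outside) tcp 203.0.113.10 domain 192.168.1.10 domain netmask 255.255.255.255 0 0
static (inside,outside) udp 203.0.113.10 domain 192.168.1.10 domain netmask 255.255.255.255 0 0
access-group alist in interface outside
```

After applying it, `show access-list alist` reports a hit count per line: a query from outside should increment the UDP line, and a transfer started from the secondary the TCP line. On the test result in the post: the "NXDOMAIN" that kloth.net reports is RCODE 3 from the name server itself, so the query crossed the PIX and was answered; the server simply has no record for the name asked. A policy blocking UDP 53 would show up as a timeout, not an NXDOMAIN. Two further points visible in the posted config: letting arbitrary "clients" perform zone transfers hands out the whole zone, which is why the TCP 53 rule above is pinned to a known secondary; `fixup protocol dns maximum-length 512` caps DNS/UDP packets at 512 bytes, so larger EDNS0 answers will be dropped; and `snmp-server community public` is the well-known default community string and should be changed, or SNMP disabled if it is not in use.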
