Pix 501-Protect DNS Server

Discussion in 'Cisco' started by blinton25, Feb 3, 2008.

    I have configured a Pix 501 to protect a DNS server using the following config. Clients should only be able to conduct zone transfers and DNS; other than this I want to lock the server down.

    However, when I use http://www.kloth.net/services/nslookup.php to test the server, it responds

    "server can't find 7.1.1.207.in-addr.arpa: NXDOMAIN"

    Any comments on this config?


    ----------------------------------------------------------

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 5gL encrypted
    passwd 15f encrypted
    hostname myname
    domain-name mydomain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list alist permit tcp any host 207.1.1.7 eq 7390
    access-list alist permit udp any host 207.1.1.7 eq domain
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 207.1.1.5 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
    static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
    static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
    static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
    static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0
    static (inside,outside) 207.1.1.9 192.168.1.6 netmask 255.255.255.255 0 0
    access-group alist in interface outside
    route outside 0.0.0.0 0.0.0.0 205.244.149.110 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:eee1111ggggggdd
    : end
    [OK]
    blinton25, Feb 3, 2008
    #1
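Added example, not part of the original post or of any Cisco tool: a small Python audit of the access-list, static and access-group lines exactly as posted above. On a PIX 6.x a flow arriving on the outside interface is admitted only if the inbound ACL permits it and a static translation exists for the destination, so the script intersects the two and compares the result with an intended service set. That intended set (UDP 53 and TCP 53 to 207.1.1.7, since zone transfers run over TCP 53) is an assumption drawn from the poster's stated goal, the service-name table is a subset of the names the PIX accepts, and the parser only understands the line forms that appear in this config.

```python
"""Audit which (outside IP, protocol, port) tuples a PIX 6.x config admits
from the outside interface. Added example; the regexes cover only the
access-list / static / access-group forms seen in the posted config."""
import re
from collections import defaultdict

# Subset of the service names PIX 6.x accepts in place of port numbers
PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "ftp": 21,
              "ssh": 22, "telnet": 23, "https": 443}
ANY_PORT = "*"  # marker for a full (all-port) static translation

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host %s eq (\S+)$" % IP)
STATIC_PORT_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) %s (\S+) %s (\S+) netmask" % (IP, IP))
STATIC_FULL_RE = re.compile(r"^static \(inside,outside\) %s %s netmask" % (IP, IP))
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

# Assumption: the poster wants DNS queries (udp/53) and zone transfers (tcp/53)
INTENDED = {("207.1.1.7", "udp", 53), ("207.1.1.7", "tcp", 53)}

# Excerpt of the configuration posted in the thread (only the relevant lines)
POSTED_CONFIG = """\
access-list alist permit tcp any host 207.1.1.7 eq 7390
access-list alist permit udp any host 207.1.1.7 eq domain
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 207.1.1.9 192.168.1.6 netmask 255.255.255.255 0 0
access-group alist in interface outside
"""


def port_num(tok):
    """Translate a port token ('53' or 'domain') to an integer."""
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError("unknown service name: %s" % tok)


def parse_config(text):
    """Return (acl, statics, bound) where acl maps name -> [(proto, outside_ip, port)],
    statics is [(proto|None, outside_ip, port|ANY_PORT, inside_ip)] and bound is the
    ACL name applied inbound on the outside interface."""
    acl, statics, bound = defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl[m.group(1)].append((m.group(2), m.group(3), port_num(m.group(4))))
            continue
        m = STATIC_PORT_RE.match(line)
        if m:  # group 3 is the outside (global) port, which is what the ACL matches on
            statics.append((m.group(1), m.group(2), port_num(m.group(3)), m.group(4)))
            continue
        m = STATIC_FULL_RE.match(line)
        if m:
            statics.append((None, m.group(1), ANY_PORT, m.group(2)))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound = m.group(1)
    return acl, statics, bound


def exposed_services(acl, statics, bound):
    """Map (outside_ip, proto, port) -> inside_ip for every flow that the bound
    ACL permits AND some static translates (port-specific or full)."""
    exposed = {}
    for proto, ip, port in acl.get(bound, []):
        for sproto, sip, sport, inside in statics:
            if sip == ip and (sport == ANY_PORT or (sproto == proto and sport == port)):
                exposed[(ip, proto, port)] = inside
                break
    return exposed


def review(text, intended):
    """Compare what the config exposes with the intended (ip, proto, port) set."""
    acl, statics, bound = parse_config(text)
    exposed = exposed_services(acl, statics, bound)
    findings = []
    for ip, proto, port in sorted(intended):
        if (ip, proto, port) not in exposed:
            findings.append("MISSING: %s %s/%d is not reachable from outside" % (ip, proto, port))
    for (ip, proto, port), inside in sorted(exposed.items()):
        if (ip, proto, port) not in intended:
            findings.append("EXTRA: %s %s/%d is reachable (-> %s) but not intended" % (ip, proto, port, inside))
    acl_ips = {ip for _, ip, _ in acl.get(bound, [])}
    for sproto, sip, sport, inside in statics:
        if sport == ANY_PORT:  # a full static maps every port; the ACL is the only filter
            findings.append("NOTE: full static %s -> %s maps every port; ACL %s is the only filter" % (sip, inside, bound))
    for sip in sorted({s[1] for s in statics} - acl_ips):
        findings.append("UNUSED: %s has statics but no permit in ACL %s; nothing reaches it" % (sip, bound))
    return exposed, findings


if __name__ == "__main__":
    for line in review(POSTED_CONFIG, INTENDED)[1]:
        print(line)
```

Run against the posted lines, the audit reports that TCP 53 to 207.1.1.7 is never permitted (so zone transfers cannot reach the server), that TCP 7390 is reachable through the full static even though no port-specific static exists for it, that both full statics leave the ACL as the only filter, and that 207.1.1.9 has translations but no ACL entry at all.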