Pix Firewall Internal DNS

donald9 asked:
We have a PIX firewall and we want to use 1 DNS server. The DNS server is behind the firewall. When we do a DNS command, it returns the external IP address. We need it to give us the internal IP address so that we can access the server. If we try to access with the external IP address, it doesn't work. We have added the alias commands to the firewall but that doesn't fix the problem because the request doesn't run through the firewall.
ASKER CERTIFIED SOLUTION by td_miles (members only; text not shown)
donald9 (asker):
Any ideas we can do that involve the DNS server built into windows 2000 (other than #3)?
Tim Holman:
I'm a bit lost. Could you explain this in more detail? Also, a diagram and PIX config may help.
You don't need the alias command to get DNS to work?
Usually, you would configure the W2K DNS server as your primary DNS, and then set this up to look up DNS records on other servers in the world as and when necessary.
td_miles:
Tim, the way I understand it, it's your normal setup, LAN-PIX-Internet. They then have NATs on the PIX to the DNS & WWW servers that are on the LAN. As the DNS is serving the Internet, then a lookup for www.xyz.com will produce the REAL IP address of the server.

For people outside, this is fine and everything works as expected: they look up www.xyz.com, get its public IP address, then connect to that IP address. The traffic hits the PIX, gets NATed, goes to the webserver on the LAN. All is well.

For people inside, they connect to the DNS server using its private IP address, look up www.xyz.com and still get its PUBLIC IP address (it is the same DNS server, giving the same results). They then try to connect to the public IP address of www.xyz.com. Their PC correctly determines that it is a non-local IP address and sends the traffic to the default gateway (the PIX). The traffic gets to the PIX, where it stops, as the traffic needs to be NATed outbound, then NATed back inbound (to get to the webserver) on the same outside interface of the PIX (which we all know DOESN'T work).

--------

Donald, obviously correct me if I'm wrong with my explanation of what I see the problem as being. No, there is no way that I know of to do this in win2k (there could be, just none that I know of).
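The failure td_miles describes (one DNS server answering the same public address to everyone, so inside clients try to hairpin through the PIX) and the usual fix (split-horizon or "split-brain" DNS, where the answer depends on which side the query comes from) can be modelled in a few lines. The following is an added example, not code from the thread or from any PIX or DNS product; the LAN prefix 192.168.1.0/24, the NAT mapping 203.0.113.10 <-> 192.168.1.10, the zone www.xyz.com from the thread, and the outside client 198.51.100.7 are all constructed placeholder values.

```python
"""Toy model of split-horizon DNS versus a single-view DNS server.

Added example (not from the original thread). All addresses below are
constructed: RFC 1918 space for the LAN, RFC 5737 documentation space
for the "public" side.
"""
import ipaddress

# The LAN behind the PIX (constructed prefix).
LAN = ipaddress.ip_network("192.168.1.0/24")

# Static NAT on the firewall: public address -> inside server (constructed).
STATIC_NAT = {"203.0.113.10": "192.168.1.10"}

# A single-view zone: the same answer for every client, which is what
# the asker's DNS server is doing today.
ZONE_SINGLE_VIEW = {"www.xyz.com": "203.0.113.10"}

# A split-horizon zone: one record set per view.
ZONE_SPLIT = {
    "www.xyz.com": {"internal": "192.168.1.10", "external": "203.0.113.10"},
}


def view_for(client_ip: str) -> str:
    """Pick the view from the query's source address."""
    return "internal" if ipaddress.ip_address(client_ip) in LAN else "external"


def resolve_single_view(name: str, client_ip: str) -> str:
    """Current behaviour: the client's location is ignored."""
    return ZONE_SINGLE_VIEW[name]


def resolve_split_horizon(name: str, client_ip: str) -> str:
    """Fixed behaviour: inside clients get the private address."""
    return ZONE_SPLIT[name][view_for(client_ip)]


def path_for(client_ip: str, dest_ip: str) -> str:
    """Classify the traffic path the client will take to dest_ip.

    direct      : both on the LAN, the PIX is never involved
    hairpin     : inside client -> public address of an inside server; the
                  flow would have to leave and re-enter the same outside
                  interface, which the thread says the PIX will not do
    outbound    : inside client -> a genuine Internet address
    inbound_nat : outside client -> public address, normal static NAT
    unreachable : outside client handed a private address it cannot route to
    internet    : outside client -> outside address, not our problem
    """
    client_inside = ipaddress.ip_address(client_ip) in LAN
    dest_inside = ipaddress.ip_address(dest_ip) in LAN
    if client_inside and dest_inside:
        return "direct"
    if client_inside and dest_ip in STATIC_NAT:
        return "hairpin"
    if client_inside:
        return "outbound"
    if dest_ip in STATIC_NAT:
        return "inbound_nat"
    if dest_inside:
        return "unreachable"
    return "internet"


def diagnose(resolver, name: str, client_ip: str):
    """Return (answer, path) for a client resolving name via resolver."""
    answer = resolver(name, client_ip)
    return answer, path_for(client_ip, answer)


if __name__ == "__main__":
    for label, resolver in (("single view", resolve_single_view),
                            ("split horizon", resolve_split_horizon)):
        for client in ("192.168.1.50", "198.51.100.7"):
            answer, path = diagnose(resolver, "www.xyz.com", client)
            print(f"{label:13s} client={client:14s} answer={answer:14s} path={path}")
```

Running it shows the inside client getting 203.0.113.10 and a `hairpin` path under the single view, and 192.168.1.10 with a `direct` path under the split view, while the outside client gets the public address and `inbound_nat` in both cases. The `unreachable` branch is the other half of the edge case: if the private record leaks to outside clients, they get an address they cannot route to, which is why the two views must stay separate. On a DNS server that has no per-client view feature, the same effect is normally achieved by serving a separate inside-only copy of the zone (with the private addresses) to LAN clients and leaving the public zone on the server the Internet queries.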
SOLUTION (members only; text not shown)
Are you still working on this? Have you found a solution? Do you need more information? Can you close out this question?

https://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}