Solved

Pix Firewall Internal DNS

Posted on 2004-08-12
Last Modified: 2013-11-16
We have a PIX firewall and we want to use 1 DNS server. The DNS server is behind the firewall. When we do a DNS command, it returns the external IP address. We need it to give us the internal IP address so that we can access the server. If we try to access with the external IP address, it doesn't work. We have added the alias commands to the firewall but that doesn't fix the problem because the request doesn't run through the firewall.
Question by:donald9
9 Comments
LVL 13
Accepted Solution by: td_miles earned 250 total points
ID: 11789250
You have a few options:

1. If you are using BIND v9, it supports a feature called "views". You can use this to provide alternate database for the same zone.

2. Implement split dns using two different servers (one for internal, another for external).

3. Create a special A record for internal use. Eg. you could create a host "www1" that is for internal use only and resolves to the internal address of the web server.

(I have assumed a web server, but it can be any type of server).

http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-split-horizon.html
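As an added example (not from this thread or any of its posters), here is a BIND 9 named.conf excerpt for option 1 above: one server answering the same zone differently depending on who asks. The zone name xyz.com follows the thread; the LAN range, server addresses and file paths are constructed placeholders.

```conf
// Added example: BIND 9 split-horizon DNS using views (not from the thread).
// Placeholders: 192.168.1.0/24 is the LAN, 192.168.1.10 the web server's
// private address, 203.0.113.10 the public address the PIX static-NATs to it.
acl "lan" { 192.168.1.0/24; localhost; };

// Views are tried in order, so the LAN view must come before the catch-all.
// Once any view is defined, every zone must live inside a view.
view "internal" {
    match-clients { lan; };
    recursion yes;                       // LAN hosts may use this as their resolver
    zone "xyz.com" {
        type master;
        file "/etc/bind/db.xyz.com.internal";
        // key record in that file:  www.xyz.com.  IN A  192.168.1.10
    };
};

view "external" {
    match-clients { any; };
    recursion no;                        // Internet clients get authoritative answers only
    allow-transfer { none; };            // no zone transfers to arbitrary hosts
    zone "xyz.com" {
        type master;
        file "/etc/bind/db.xyz.com.external";
        // key record in that file:  www.xyz.com.  IN A  203.0.113.10
    };
};
```

Run `named-checkconf` before reloading, then query from a LAN host and from outside with `dig @<dns-server> www.xyz.com +short` (server address assumed); only the LAN query should return 192.168.1.10, which is what lets inside clients reach the server without the hairpin NAT described later in this thread.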
LVL 1
Author Comment by: donald9
ID: 11795663
Any ideas we can do that involve the DNS server built into windows 2000 (other than #3)?
LVL 23
Expert Comment by: Tim Holman
ID: 11800806
I'm a bit lost. Could you explain this in more detail? Also, a diagram and PIX config may help.
You don't need the alias command to get DNS to work?
Usually, you would configure the W2K DNS server as your primary DNS, and then set this up to look up DNS records on other servers in the world as and when necessary.
LVL 13
Expert Comment by: td_miles
ID: 11805708
Tim, the way I understand it, it's your normal setup, LAN-PIX-Internet. They then have NATs on the PIX to the DNS & WWW servers that are on the LAN. As the DNS is serving the Internet, then a lookup for www.xyz.com will produce the REAL IP address of the server.

For people outside, this is fine and everything works as expected: they look up www.xyz.com, get its public IP address, then connect to that IP address. The traffic hits the PIX, gets NAT'ed, goes to the webserver on the LAN. All is well.

For people inside, they connect to the DNS server using its private IP address, look up www.xyz.com and still get its PUBLIC IP address (it is the same DNS server, giving the same results). They then try to connect to the public IP address of www.xyz.com. Their PC correctly determines that it is a non-local IP address and sends the traffic to the default gateway (the PIX). The traffic gets to the PIX, where it stops, as the traffic needs to be NAT'ed outbound, then NAT'ed back inbound (to get to the webserver) on the same outside interface of the PIX (which we all know DOESN'T work).

--------

Donald, obviously correct me if I'm wrong with my explanation of what I see the problem as being. No, there is no way that I know of to do this in win2k (there could be, just none that I know of).
LVL 23
Assisted Solution by: Tim Holman earned 250 total points
ID: 11808897
Thanks!

So, to use the DNS server inside, the DHCP scope should point to the internal DNS server IP address, and a reverse lookup record should exist to resolve both external and internal DNS server addresses to the actual DNS server name.

Are we on the right track?
LVL 79
Expert Comment by: lrmoore
ID: 12092772
Are you still working on this? Do you need more information?
Can you close out this question?
LVL 79
Expert Comment by: lrmoore
ID: 13703122
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}