Solved

Pix Firewall Internal DNS

Posted on 2004-08-12
Last Modified: 2013-11-16
We have a PIX firewall and we want to use 1 DNS server. The DNS server is behind the firewall. When we do a DNS command, it returns the external IP address. We need it to give us the internal IP address so that we can access the server. If we try to access with the external IP address, it doesn't work. We have added the alias commands to the firewall but that doesn't fix the problem because the request doesn't run through the firewall.
Question by:donald9
9 Comments
 
LVL 13

Accepted Solution

by:
td_miles earned 250 total points
You have a few options:

1. If you are using BIND v9, it supports a feature called "views". You can use this to provide an alternate database for the same zone.

2. Implement split dns using two different servers (one for internal, another for external).

3. Create a special A record for internal use. Eg. you could create a host "www1" that is for internal use only and resolves to the internal address of the web server.

(I have assumed a web server, but it can be any type of server).

http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-split-horizon.html
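The BIND 9 "views" approach from option 1, written out as an added split-horizon configuration example; it is not from this thread or from the poster, and the zone name example.com, the LAN range 192.168.1.0/24, the server addresses and the file paths are all constructed placeholders:

```conf
// /etc/bind/named.conf (added example, constructed values)
// Clients on the LAN get the private addresses; everyone else gets the
// public addresses that are NATed on the PIX outside interface.
acl "lan" { 192.168.1.0/24; localhost; };

// Views are matched in order: the internal view must come first,
// otherwise "any" in the external view would swallow LAN clients too.
view "internal" {
    match-clients { "lan"; };
    recursion yes;            // LAN clients may use this server as a resolver
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;             // never recurse for the Internet (open-resolver abuse)
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

// ---- /etc/bind/db.example.com.internal (constructed) ----
// $TTL 3600
// @     IN SOA ns1.example.com. hostmaster.example.com. (
//                2004081201 3600 1800 604800 3600 )
//       IN NS  ns1.example.com.
// ns1   IN A   192.168.1.5      ; DNS server, private address
// www   IN A   192.168.1.10     ; web server, reachable directly on the LAN

// ---- /etc/bind/db.example.com.external (constructed) ----
// $TTL 3600
// @     IN SOA ns1.example.com. hostmaster.example.com. (
//                2004081201 3600 1800 604800 3600 )
//       IN NS  ns1.example.com.
// ns1   IN A   203.0.113.5      ; PIX public address NATed to 192.168.1.5
// www   IN A   203.0.113.10     ; PIX public address NATed to 192.168.1.10
```

After `named-checkconf` and a reload, `dig www.example.com @192.168.1.5` from a LAN host should return 192.168.1.10, while the same query from outside returns 203.0.113.10; keep both zone serials in step when you change a record so the two answers do not drift apart.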
 
LVL 1

Author Comment

by:donald9
Any ideas we can do that involve the DNS server built into windows 2000 (other than #3)?
 
LVL 23

Expert Comment

by:Tim Holman
I'm a bit lost.  Could you explain this in more detail ?  Also, a diagram and PIX config may help.
You don't need the alias command to get DNS to work ?  
Usually, you would configure the W2K DNS server as your primary DNS, and then set this up to look up DNS records on other servers in the world as and when necessary.
 
LVL 13

Expert Comment

by:td_miles
Tim, the way I understand it, it's your normal setup, LAN-PIX-Internet. They then have NATs on the PIX to the DNS & WWW servers that are on the LAN. As the DNS is serving the Internet, then a lookup for www.xyz.com will produce the REAL IP address of the server.

For people outside, this is fine and everything works as expected: they look up www.xyz.com, get its public IP address, then connect to that IP address. The traffic hits the PIX, gets NAT'ed, goes to the webserver on the LAN. All is well.

For people inside, they connect to the DNS server using its private IP address, look up www.xyz.com and still get its PUBLIC IP address (it is the same DNS server, giving the same results). They then try to connect to the public IP address of www.xyz.com. Their PC correctly determines that it is a non-local IP address and sends the traffic to the default gateway (the PIX). The traffic gets to the PIX, where it stops, as the traffic needs to be NAT'ed outbound, then NAT'ed back inbound (to get to the webserver) on the same outside interface of the PIX (which we all know DOESN'T work).

--------

Donald, obviously correct me if I'm wrong with my explanation of what I see the problem as being. No, there is no way that I know of to do this in win2k (there could be, just none that I know of).
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 250 total points
Thanks..  !

So.. to use the DNS server inside, the DHCP scope should point to the internal DNS server IP address, and a reverse lookup record should exist to resolve both external and internal DNS server addresses to the actual DNS server name.

Are we on the right track ?
 
LVL 79

Expert Comment

by:lrmoore
Are you still working on this? Do you need more information?
Can you close out this question?
 
LVL 79

Expert Comment

by:lrmoore
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}