Solved

Pix Firewall Internal DNS

Posted on 2004-08-12
Last Modified: 2013-11-16
We have a PIX firewall and we want to use 1 DNS server.  The DNS server is behind the firewall. When we do a DNS command, it returns the external IP address. We need it to give us the internal IP address so that we can access the server. If we try to access with the external IP address, it doesn't work. We have added the alias commands to the firewall but that doesn't fix the problem because the request doesn't run through the firewall.
Question by:donald9
9 Comments
 
LVL 13

Accepted Solution

by:
td_miles earned 250 total points
ID: 11789250
You have a few options:

1. If you are using BIND v9, it supports a feature called "views". You can use this to provide an alternate database for the same zone.

2. Implement split dns using two different servers (one for internal, another for external).

3. Create a special A record for internal use. Eg. you could create a host "www1" that is for internal use only and resolves to the internal address of the web server.

(I have assumed a web server, but it can be any type of server).

http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-split-horizon.html
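Option 1 in concrete form, as an added example that is not part of td_miles's answer: a BIND 9 named.conf with an internal and an external view, plus the two zone files they load. example.com, the 10.0.0.0/8 LAN range and the 203.0.113.0/24 public range are placeholders, not values from this question.

```conf
// ---- named.conf (BIND 9) ----
// Clients in the LAN range (and the server itself) fall into the internal view;
// everyone else gets the external view. Views are matched top to bottom.
acl "lan" { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients { "lan"; };
    recursion yes;                 // LAN hosts may use this server as a resolver
    zone "example.com" {
        type master;
        file "zones/example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // never act as an open resolver for the Internet
    zone "example.com" {
        type master;
        file "zones/example.com.external";
    };
};
// Note: once any view is defined, every zone must live inside a view.

; ---- zones/example.com.internal (served only to LAN clients) ----
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2004081201 3600 900 604800 300 )
     IN NS  ns1.example.com.
ns1  IN A   10.0.0.10              ; private address of the DNS server
www  IN A   10.0.0.20              ; private address of the web server

; ---- zones/example.com.external (served to everyone else) ----
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2004081201 3600 900 604800 300 )
     IN NS  ns1.example.com.
ns1  IN A   203.0.113.10           ; public address NAT'ed on the PIX
www  IN A   203.0.113.20           ; public address NAT'ed on the PIX
```

Because LAN clients now receive 10.0.0.20 for www.example.com, their traffic never has to leave and re-enter the PIX on the same interface, which is the hairpin case that fails. Keep the serial numbers of the two files in step when you change records so secondaries of each view transfer correctly.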
 
LVL 1

Author Comment

by:donald9
ID: 11795663
Any ideas we can do that involve the DNS server built into windows 2000 (other than #3)?
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11800806
I'm a bit lost.  Could you explain this in more detail?  Also, a diagram and PIX config may help.
You don't need the alias command to get DNS to work?
Usually, you would configure the W2K DNS server as your primary DNS, and then set this up to look up DNS records on other servers in the world as and when necessary.
 
LVL 13

Expert Comment

by:td_miles
ID: 11805708
Tim, the way I understand it, it's your normal setup, LAN-PIX-Internet. They then have NATs on the PIX to the DNS & WWW servers that are on the LAN. As the DNS is serving the Internet, then a lookup for www.xyz.com will produce the REAL IP address of the server.

For ppl outside, this is fine and everything works as expected: they look up www.xyz.com, get its public IP address, then connect to that IP address. The traffic hits the PIX, gets NAT'ed, goes to the webserver on the LAN. All is well.

For ppl inside, they connect to the DNS server using its private IP address, look up www.xyz.com and still get its PUBLIC IP address (it is the same DNS server, giving the same results). They then try to connect to the public IP address of www.xyz.com. Their PC correctly determines that it is a non-local IP address and sends the traffic to the default gateway (the PIX). The traffic gets to the PIX, where it stops, as the traffic needs to be NAT'ed outbound, then NAT'ed back inbound (to get to the webserver) on the same outside interface of the PIX (which we all know DOESN'T work).

--------

Donald, obviously correct me if I'm wrong with my explanation of what I see the problem as being. No, there is no way that I know of to do this in win2k (there could be, just none that I know of).
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 250 total points
ID: 11808897
Thanks..  !

So.. to use the DNS server inside, the DHCP scope should point to the internal DNS server IP address, and a reverse lookup record should exist to resolve both external and internal DNS server addresses to the actual DNS server name.

Are we on the right track?

 
LVL 79

Expert Comment

by:lrmoore
ID: 12092772
Are you still working on this? Do you need more information?
Can you close out this question?
 
LVL 79

Expert Comment

by:lrmoore
ID: 13703122
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}