Solved

Win2K DNS + PIX

Posted on 2004-09-29
10
235 Views
Last Modified: 2013-11-16
Could someone tell me what rules are required to allows DNS traffic through a PIX box?

I have to host 3 domains on a Win2K DNS server, but the PIX is currently blocking the requests.

Thanks!!
0
Comment
Question by:just1coder
  • 5
  • 5
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12181374
You have to have two things:
1. static nat translation for either the IP or port 53 (UDP) that identifies the public IP and private ip of the server
2. An access-list (or conduit) permitting udp source "any" to public ip, port 53

If you can post your PIX config, I can give you the exact commands necessary.
0
 
LVL 2

Author Comment

by:just1coder
ID: 12181709
the internal ip is:
192.168.1.11

the external ip is: (let's say)
10.0.0.11

10.0.0.11 is NAT'd to 192.168.1.11

I currently have

access-list 100 permit udp any host 10.0.0.11 eq 53
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12181774
OK. Can you post result of
"Show access-list" and include that line. Is there anything in the (hitcount) ?
Is the acl applied? Do you have a line like:
   access-group 100 in interface outside

What is the default gateway of your DNS server? Is it 192.168.1.1 - the inside interface of the PIX?
Are you secondary DNS or Primary DNS? Do you need to do zone transfers?
You might also need to permit TCP port 53 the same way.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 2

Author Comment

by:just1coder
ID: 12181864
yes, I have: access-group 100 in interface outside

Inside interface of the pix is 192.168.1.1

Primary DNS, no zone transfers.

access-list 100 line 38 permit tcp any host 10.0.0.11 eq domain (hitcnt=0)
access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344)
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 100 total points
ID: 12181972
>access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344) <== obviously being permitted in...
So what is not working?
What is default gateway of the DNS server? Paste result of C:\>route print
0
 
LVL 2

Author Comment

by:just1coder
ID: 12182354
The default GW of the DNS server is 192.168.1.1

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.40       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.40    192.168.1.40       1
     192.168.1.11  255.255.255.255        127.0.0.1       127.0.0.1       1
     192.168.1.40  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255     192.168.1.40    192.168.1.40       1
        224.0.0.0        224.0.0.0     192.168.1.40    192.168.1.40       1
  255.255.255.255  255.255.255.255     192.168.1.40    192.168.1.40       1
Default Gateway:       192.168.1.1

The DNS server fails on test querries.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12182378
>The DNS server fails on test querries.
Where is the testing PC physically in relation to the server? On the same internal LAN, but using the Public IP? It won't work.

Try going to http://www.dnsreport.com  and put in your domain name.

0
 
LVL 2

Author Comment

by:just1coder
ID: 12184537
it's failing right on the server itself. when you go into the DNS snap in, right click the server name, hit properties, and then use the monitoring tab to run test querries ... it fails... I wasn't sure if the PIX was still blocking something...

I can telnet into the DNS server from any other location to port 53 using the hostname and the ip address ...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12184572
If it's failing at that point (mine says 'pass'), you might have to look deeper into the server logs...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;275525

0
 
LVL 2

Author Comment

by:just1coder
ID: 12184598
Dah! Thought so :|
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question