Solved

Win2K DNS + PIX

Posted on 2004-09-29
10
236 Views
Last Modified: 2013-11-16
Could someone tell me what rules are required to allows DNS traffic through a PIX box?

I have to host 3 domains on a Win2K DNS server, but the PIX is currently blocking the requests.

Thanks!!
0
Comment
Question by:just1coder
  • 5
  • 5
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12181374
You have to have two things:
1. static nat translation for either the IP or port 53 (UDP) that identifies the public IP and private ip of the server
2. An access-list (or conduit) permitting udp source "any" to public ip, port 53

If you can post your PIX config, I can give you the exact commands necessary.
0
 
LVL 2

Author Comment

by:just1coder
ID: 12181709
the internal ip is:
192.168.1.11

the external ip is: (let's say)
10.0.0.11

10.0.0.11 is NAT'd to 192.168.1.11

I currently have

access-list 100 permit udp any host 10.0.0.11 eq 53
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12181774
OK. Can you post result of
"Show access-list" and include that line. Is there anything in the (hitcount) ?
Is the acl applied? Do you have a line like:
   access-group 100 in interface outside

What is the default gateway of your DNS server? Is it 192.168.1.1 - the inside interface of the PIX?
Are you secondary DNS or Primary DNS? Do you need to do zone transfers?
You might also need to permit TCP port 53 the same way.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 2

Author Comment

by:just1coder
ID: 12181864
yes, I have: access-group 100 in interface outside

Inside interface of the pix is 192.168.1.1

Primary DNS, no zone transfers.

access-list 100 line 38 permit tcp any host 10.0.0.11 eq domain (hitcnt=0)
access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344)
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 100 total points
ID: 12181972
>access-list 100 line 39 permit udp any host 10.0.0.11 eq domain (hitcnt=344) <== obviously being permitted in...
So what is not working?
What is default gateway of the DNS server? Paste result of C:\>route print
0
 
LVL 2

Author Comment

by:just1coder
ID: 12182354
The default GW of the DNS server is 192.168.1.1

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.40       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.40    192.168.1.40       1
     192.168.1.11  255.255.255.255        127.0.0.1       127.0.0.1       1
     192.168.1.40  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255     192.168.1.40    192.168.1.40       1
        224.0.0.0        224.0.0.0     192.168.1.40    192.168.1.40       1
  255.255.255.255  255.255.255.255     192.168.1.40    192.168.1.40       1
Default Gateway:       192.168.1.1

The DNS server fails on test querries.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12182378
>The DNS server fails on test querries.
Where is the testing PC physically in relation to the server? On the same internal LAN, but using the Public IP? It won't work.

Try going to http://www.dnsreport.com  and put in your domain name.

0
 
LVL 2

Author Comment

by:just1coder
ID: 12184537
it's failing right on the server itself. when you go into the DNS snap in, right click the server name, hit properties, and then use the monitoring tab to run test querries ... it fails... I wasn't sure if the PIX was still blocking something...

I can telnet into the DNS server from any other location to port 53 using the hostname and the ip address ...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12184572
If it's failing at that point (mine says 'pass'), you might have to look deeper into the server logs...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;275525

0
 
LVL 2

Author Comment

by:just1coder
ID: 12184598
Dah! Thought so :|
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question