DNS and Pix issue

I am having trouble resolving DNS now that I have our Pix 506e installed....

If I hard code the true DNS (not my dns server to fwd to the true dns addresses) into the "Use the following DNS address" then everything works.  However when DHCP assigns the dns server 192.168.1.10 as the DNS (which would resolve the true DNS) then I get nothing.

Here is my ACL:
====================================================================

Result of firewall command: "show running-config"
 
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ivL/lG89LSw2/TLx encrypted
passwd xxxxxx encrypted
hostname tristatepix
domain-name tristate.tsppumps.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.x 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.83.187.153 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e8968515ffb2c158eb8c0b24b91b1fd8
=====================================================================

Any help???
r270baAsked:

snowsurferCommented:
Your next post will show this, but what is the default gateway on your server?  Is it different than your PC's?
0
 
Sebo2000Commented:
Did you set up forwarding on the DNS 192.168.1.10?
Point forwarding for testing to 4.2.2.1; it is the public White House DNS. Also, on the PIX you will need to open port UDP 53 inbound/outbound.
I would not recommend using root hints; they are not reliable these days.
0
 
lrmooreCommented:
You do not have to open any ports on the PIX.
Your issue is most likely with your DNS server.
The PIX config looks fine.
0
lrmooreCommented:
Do you have the proper default gateway setup on the DNS Server?
Can you ping a public nameserver from the internal DNS server?
0
 
snowsurferCommented:
Your pix config is fine.  If you are using Windows 2003, you may have to turn on the nofixup for dns or increase the size of "fixup protocol dns maximum-length 512".  Windows 2003 has increased the size of the DNS packets and some sites stop resolving.  Yahoo has had the biggest problem.
0
 
r270baAuthor Commented:
>Can you ping a public nameserver from the internal DNS server?

No, I can't... I'm not sure why... everything worked fine until I added the Pix... I can, however, ping the DNS servers from the computer I am on now.

What could the problem be?
0
 
r270baAuthor Commented:
From above....

192.168.1.10 (My DNS Server) = Cannot ping DNS

192.168.1.12 (Computer I am on now) = Can ping DNS fine.
0
 
lrmooreCommented:
Post result of "c:\>route print" from your dns server's dos prompt..
0
 
r270baAuthor Commented:
Results:
==============================================================

IPv4 Route Table
==============================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0f 1f 69 e9 0d ...... Broadcom NetXtreme Gigabit Ethernet
0x10004 ...00 0f 1f 69 e9 0e ...... Broadcom NetXtreme Gigabit Ethernet #2
==============================================================
==============================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.5     192.168.1.11     10
          0.0.0.0          0.0.0.0      192.168.1.5     192.168.1.10     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10     10
      192.168.1.0    255.255.255.0     192.168.1.11     192.168.1.11     10
     192.168.1.10  255.255.255.255        127.0.0.1        127.0.0.1     10
     192.168.1.11  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.1.255  255.255.255.255     192.168.1.10     192.168.1.10     10
    192.168.1.255  255.255.255.255     192.168.1.11     192.168.1.11     10
        224.0.0.0        240.0.0.0     192.168.1.10     192.168.1.10     10
        224.0.0.0        240.0.0.0     192.168.1.11     192.168.1.11     10
  255.255.255.255  255.255.255.255     192.168.1.10     192.168.1.10      1
  255.255.255.255  255.255.255.255     192.168.1.11     192.168.1.11      1
Default Gateway:       192.168.1.5
===============================================================
Persistent Routes:
  None
===============================================================
0
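The route print above is what finally exposes the problem: the DNS server's default routes point at 192.168.1.5, not at the PIX inside interface 192.168.1.1, so the server can send queries to public nameservers but the firewall never sees them. The following script is an added example, not code from the thread or from Cisco; it parses an abridged copy of the PIX config and the Windows `route print` table (both embedded below as constructed samples taken from this thread, with the redacted outside address replaced by a placeholder) and reports whether each default route on the DNS server actually goes through the firewall's inside address. The function names are mine.

```python
import ipaddress
import re

# Constructed, abridged excerpt of the PIX "show running-config" posted in the thread.
# The outside address was redacted on the page; 203.0.113.1 is a documentation placeholder.
PIX_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 66.83.187.153 1
"""

# Constructed, abridged copy of the "route print" output from the DNS server in the thread.
ROUTE_PRINT = """\
IPv4 Route Table
==============================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.5     192.168.1.11     10
          0.0.0.0          0.0.0.0      192.168.1.5     192.168.1.10     10
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10     10
      192.168.1.0    255.255.255.0     192.168.1.11     192.168.1.11     10
Default Gateway:       192.168.1.5
===============================================================
Persistent Routes:
  None
"""


def pix_inside_address(config):
    """Return the PIX inside interface as an IPv4Interface (address + subnet), or None."""
    m = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    if not m:
        return None
    # ipaddress accepts a dotted netmask after the slash, matching the PIX syntax.
    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")


def default_gateways(route_print):
    """Return [(gateway, interface), ...] for every 0.0.0.0/0 row in 'route print' output."""
    gateways = []
    in_routes = False
    for line in route_print.splitlines():
        if line.strip().startswith("Active Routes"):
            in_routes = True
            continue
        if not in_routes:
            continue
        parts = line.split()
        # A route row has exactly five columns; headers, separators and
        # the "Default Gateway:" summary line are skipped by this test.
        if len(parts) == 5 and parts[0] == "0.0.0.0" and parts[1] == "0.0.0.0":
            gateways.append((parts[2], parts[3]))
    return gateways


def check_default_gateway(config, route_print):
    """Classify each default route on the host against the PIX inside address.

    Verdicts: "ok" (gateway is the PIX inside address), "wrong-gateway"
    (on the inside subnet but not the PIX), "off-subnet" (unreachable gateway).
    """
    inside = pix_inside_address(config)
    findings = []
    for gw, iface in default_gateways(route_print):
        gw_ip = ipaddress.IPv4Address(gw)
        if gw_ip == inside.ip:
            verdict = "ok"
        elif gw_ip in inside.network:
            verdict = "wrong-gateway"
        else:
            verdict = "off-subnet"
        findings.append((iface, gw, verdict))
    return findings


if __name__ == "__main__":
    inside = pix_inside_address(PIX_CONFIG)
    print(f"PIX inside address: {inside.ip} (subnet {inside.network})")
    for iface, gw, verdict in check_default_gateway(PIX_CONFIG, ROUTE_PRINT):
        print(f"interface {iface}: default gateway {gw} -> {verdict}")
```

Run against the thread's data it flags both default routes (one per NIC) as `wrong-gateway`, which is exactly the 192.168.1.5 versus 192.168.1.1 mismatch the asker spots in the next post; after the gateway is corrected, both rows come back `ok`. Checking every `0.0.0.0` row rather than only the "Default Gateway:" summary line matters on a multi-homed server like this one, where each interface carries its own default route.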
 
r270baAuthor Commented:
AH Ha!!!  

I see that my default gateway is 192.168.1.5 and should be 192.168.1.1.

That fixed it...

I will split the pts b/t lrmoore for the route print and snowsurfer for telling me to check the default gateway... the reason I didn't check it to begin with is b/c you said it would be in the route print....

Thanks a bunch guys!!!
0