r270ba
asked on
DNS and Pix issue
I am having trouble resolving DNS now that I have our Pix 506e installed....
If I hard code the true DNS (not my dns server to fwd to the true dns addresses) into the "Use the following DNS address" then everything works. However when DHCP assigns the dns server 192.168.1.10 as the DNS (which would resolve the true DNS) then I get nothing.
Here is my ACL:
==========================
Result of firewall command: "show running-config"
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ivL/lG89LSw2/TLx encrypted
passwd xxxxxx encrypted
hostname tristatepix
domain-name tristate.tsppumps.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.x255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.83.187.153 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e8968515ffb
==========================
Any help???
If I hard code the true DNS (not my dns server to fwd to the true dns addresses) into the "Use the following DNS address" then everything works. However when DHCP assigns the dns server 192.168.1.10 as the DNS (which would resolve the true DNS) then I get nothing.
Here is my ACL:
==========================
Result of firewall command: "show running-config"
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ivL/lG89LSw2/TLx encrypted
passwd xxxxxx encrypted
hostname tristatepix
domain-name tristate.tsppumps.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.x255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.83.187.153 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e8968515ffb
==========================
Any help???
You do not have to open any ports on the PIX.
Your issue is most likely with your DNS server.
The PIX config looks fine.
Your issue is most likely with your DNS server.
The PIX config looks fine.
Do you have the proper default gateway setup on the DNS Server?
Can you ping a public nameserver from the internal DNS server?
Can you ping a public nameserver from the internal DNS server?
Your pix config is fine. If you are using Windows 2003, you may have to turn on the nofixup for dns or increase the size of fixup protocol dns maximum-length 512
. Windows 2003 has increased the size of the DNS packets and some sites stop resolving. Yahoo has the had the biggest problem.
. Windows 2003 has increased the size of the DNS packets and some sites stop resolving. Yahoo has the had the biggest problem.
ASKER
>Can you ping a public nameserver from the internal DNS server?
No I can't...am not sure why...everything has worked fine until I added the Pix....I can however ping the DNS Servers from the computer I am on now.
What could the problem be?
No I can't...am not sure why...everything has worked fine until I added the Pix....I can however ping the DNS Servers from the computer I am on now.
What could the problem be?
ASKER
From above....
192.168.1.10 (My DNS Server) = Cannot ping DNS
192.168.1.12 (Comptuer I am on now) = Can ping DNS fine.
192.168.1.10 (My DNS Server) = Cannot ping DNS
192.168.1.12 (Comptuer I am on now) = Can ping DNS fine.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Results:
==========================
IPv4 Route Table
==========================
Interface List
0x1 ..........................
0x10003 ...00 0f 1f 69 e9 0d ...... Broadcom NetXtreme Gigabit Ethernet
0x10004 ...00 0f 1f 69 e9 0e ...... Broadcom NetXtreme Gigabit Ethernet #2
==========================
==========================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.5 192.168.1.11 10
0.0.0.0 0.0.0.0 192.168.1.5 192.168.1.10 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 10
192.168.1.0 255.255.255.0 192.168.1.11 192.168.1.11 10
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.11 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 10
192.168.1.255 255.255.255.255 192.168.1.11 192.168.1.11 10
224.0.0.0 240.0.0.0 192.168.1.10 192.168.1.10 10
224.0.0.0 240.0.0.0 192.168.1.11 192.168.1.11 10
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
255.255.255.255 255.255.255.255 192.168.1.11 192.168.1.11 1
Default Gateway: 192.168.1.5
==========================
Persistent Routes:
None
==========================
==========================
IPv4 Route Table
==========================
Interface List
0x1 ..........................
0x10003 ...00 0f 1f 69 e9 0d ...... Broadcom NetXtreme Gigabit Ethernet
0x10004 ...00 0f 1f 69 e9 0e ...... Broadcom NetXtreme Gigabit Ethernet #2
==========================
==========================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.5 192.168.1.11 10
0.0.0.0 0.0.0.0 192.168.1.5 192.168.1.10 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 10
192.168.1.0 255.255.255.0 192.168.1.11 192.168.1.11 10
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.11 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 10
192.168.1.255 255.255.255.255 192.168.1.11 192.168.1.11 10
224.0.0.0 240.0.0.0 192.168.1.10 192.168.1.10 10
224.0.0.0 240.0.0.0 192.168.1.11 192.168.1.11 10
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
255.255.255.255 255.255.255.255 192.168.1.11 192.168.1.11 1
Default Gateway: 192.168.1.5
==========================
Persistent Routes:
None
==========================
ASKER
AH Ha!!!
I see that my default gateway is 192.168.1.5 and should be 1.1
That fixed it...
I will split the pts b/t lrmoore for the route print and snowsurfer for telling me to check the default gateway...the reason I didn't check it to begin with is b/c you said it would be in the route print....
Thanks a bunch guys!!!
I see that my default gateway is 192.168.1.5 and should be 1.1
That fixed it...
I will split the pts b/t lrmoore for the route print and snowsurfer for telling me to check the default gateway...the reason I didn't check it to begin with is b/c you said it would be in the route print....
Thanks a bunch guys!!!
Point forwarding for testing to 4.2.2.1 it is public White House DNS, also on PIX you will need to open port UDP 53 inbound/outbound.
I would not recommend using roothints they are not reliable those days.