Solved

DNS and Pix issue

Posted on 2004-10-18
Last Modified: 2008-02-01
I am having trouble resolving DNS now that I have our Pix 506e installed....

If I hard-code the true DNS (not my DNS server, which forwards to the true DNS addresses) into "Use the following DNS address", then everything works. However, when DHCP assigns the DNS server 192.168.1.10 as the DNS (which would resolve against the true DNS), then I get nothing.

Here is my ACL:
====================================================================

Result of firewall command: "show running-config"
 
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ivL/lG89LSw2/TLx encrypted
passwd xxxxxx encrypted
hostname tristatepix
domain-name tristate.tsppumps.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.x 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.83.187.153 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e8968515ffb2c158eb8c0b24b91b1fd8
=====================================================================

Any help???
Question by:r270ba
10 Comments
 
LVL 6

Expert Comment

by:Sebo2000
ID: 12344273
Did you set up forwarding on the DNS 192.168.1.10?
Point forwarding for testing to 4.2.2.1; it is the public White House DNS. Also, on the PIX you will need to open port UDP 53 inbound/outbound.
I would not recommend using root hints; they are not reliable these days.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12344511
You do not have to open any ports on the PIX.
Your issue is most likely with your DNS server.
The PIX config looks fine.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12344516
Do you have the proper default gateway setup on the DNS Server?
Can you ping a public nameserver from the internal DNS server?
 
LVL 5

Expert Comment

by:snowsurfer
ID: 12344952
Your PIX config is fine.  If you are using Windows 2003, you may have to turn on the no-fixup for DNS or increase the size of "fixup protocol dns maximum-length 512".  Windows 2003 has increased the size of the DNS packets and some sites stop resolving.  Yahoo has had the biggest problem.
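To make snowsurfer's point concrete, here is an added example (my code, not from the thread, Cisco or Microsoft). The posted config has `fixup protocol dns maximum-length 512`, and PIX 6.3 drops UDP DNS messages longer than that limit. A resolver that appends an EDNS0 OPT pseudo-record (type 41) to its queries tells the upstream server it accepts larger answers, so the upstream may legitimately reply with more than 512 bytes and the PIX discards the reply; the client then sees a timeout rather than an error. The script parses a raw DNS message, finds the OPT record, reports the advertised payload size and checks the length against the fixup limit. All messages are constructed in the script (the 4096-byte payload size is a value chosen for the example, not a claim about what Windows 2003 advertises). Python 3, standard library only.

```python
"""Walk a raw DNS message and tell whether 'fixup protocol dns
maximum-length N' on a PIX 6.3 would let it through.

The fixup drops UDP DNS messages longer than N bytes. An EDNS0 resolver
advertises a bigger payload in an OPT record, so answers can exceed 512
bytes and are dropped at 'maximum-length 512'. Sample messages below are
constructed, not captured traffic.
"""
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41

def encode_name(name):
    """Encode 'www.example.com' as RFC 1035 length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _read_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # two-byte pointer into the message
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_message(msg):
    """Parse header, question and the three RR sections of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    sections = {"answer": [], "authority": [], "additional": []}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated rdata")
            off += rdlen
            sections[key].append({"name": name, "type": rtype, "class": rclass,
                                  "ttl": ttl, "rdata": rdata})
    return {"id": ident, "flags": flags, "questions": questions, **sections}

def edns_udp_size(parsed):
    """Advertised EDNS0 UDP payload size, or None for a plain RFC 1035 message."""
    for rr in parsed["additional"]:
        if rr["type"] == DNS_TYPE_OPT:
            return rr["class"]          # in an OPT RR the CLASS field carries the size
    return None

def fixup_verdict(msg, maximum_length=512):
    """What 'fixup protocol dns maximum-length <maximum_length>' does with msg."""
    parsed = parse_message(msg)
    return {"length": len(msg), "edns_udp_size": edns_udp_size(parsed),
            "dropped": len(msg) > maximum_length}

def _opt_record(udp_size):
    # root name, type OPT, CLASS = payload size, TTL = ext-rcode/version/flags, no rdata
    return b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, 0, 0)

def build_query(name, edns_size=None):
    """Constructed A query; edns_size adds an OPT record like an EDNS0 resolver does."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", DNS_TYPE_A, 1)
    return msg + (_opt_record(edns_size) if edns_size else b"")

def build_response(name, addresses, edns_size=None):
    """Constructed A response, one RR per address, owner names via pointer 0xC00C."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", DNS_TYPE_A, 1)
    for addr in addresses:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", DNS_TYPE_A, 1, 300, 4)
        msg += bytes(int(octet) for octet in addr.split("."))
    return msg + (_opt_record(edns_size) if edns_size else b"")

if __name__ == "__main__":
    big = build_response("www.example.com", ["10.0.0.%d" % i for i in range(1, 41)], edns_size=4096)
    for limit in (512, 1280):
        print(limit, fixup_verdict(big, limit))
```

A 40-record answer comes to 684 bytes, so it is dropped at the posted `maximum-length 512` and passes at 1280. Raising the limit is the smaller change; `no fixup protocol dns` also removes the rest of the DNS inspection the PIX does on that port.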
 

Author Comment

by:r270ba
ID: 12349313
>Can you ping a public nameserver from the internal DNS server?

No, I can't... I am not sure why... everything has worked fine until I added the Pix... I can, however, ping the DNS servers from the computer I am on now.

What could the problem be?
 

Author Comment

by:r270ba
ID: 12349346
From above....

192.168.1.10 (My DNS Server) = Cannot ping DNS

192.168.1.12 (Computer I am on now) = Can ping DNS fine.
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 12349407
Post result of "c:\>route print" from your dns server's dos prompt..
 
LVL 5

Accepted Solution

by:snowsurfer
snowsurfer earned 250 total points
ID: 12349427
Your next post will show this, but what is the default gateway on your server?  Is it different than your pc
 

Author Comment

by:r270ba
ID: 12350755
Results:
==============================================================

IPv4 Route Table
==============================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0f 1f 69 e9 0d ...... Broadcom NetXtreme Gigabit Ethernet
0x10004 ...00 0f 1f 69 e9 0e ...... Broadcom NetXtreme Gigabit Ethernet #2
==============================================================
==============================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.5     192.168.1.11     10
          0.0.0.0          0.0.0.0      192.168.1.5     192.168.1.10     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10     10
      192.168.1.0    255.255.255.0     192.168.1.11     192.168.1.11     10
     192.168.1.10  255.255.255.255        127.0.0.1        127.0.0.1     10
     192.168.1.11  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.1.255  255.255.255.255     192.168.1.10     192.168.1.10     10
    192.168.1.255  255.255.255.255     192.168.1.11     192.168.1.11     10
        224.0.0.0        240.0.0.0     192.168.1.10     192.168.1.10     10
        224.0.0.0        240.0.0.0     192.168.1.11     192.168.1.11     10
  255.255.255.255  255.255.255.255     192.168.1.10     192.168.1.10      1
  255.255.255.255  255.255.255.255     192.168.1.11     192.168.1.11      1
Default Gateway:       192.168.1.5
===============================================================
Persistent Routes:
  None
===============================================================
 

Author Comment

by:r270ba
ID: 12350821
AH Ha!!!  

I see that my default gateway is 192.168.1.5 and should be 1.1

That fixed it...

I will split the points between lrmoore for the route print and snowsurfer for telling me to check the default gateway... the reason I didn't check it to begin with is because you said it would be in the route print....

Thanks a bunch guys!!!
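The fix above is the kind of thing that is easy to miss by eye, so here is an added example (my code, not from the thread) that runs the same check over the posted route table. The DNS server has a static default gateway of 192.168.1.5 while the PIX inside interface is 192.168.1.1 (`ip address inside 192.168.1.1 255.255.255.0`), so the server's off-subnet packets went to a gateway that no longer forwards them; the workstation at 192.168.1.12 took its gateway from DHCP and worked. The script parses `route print` text, finds every 0.0.0.0/0 route, flags any gateway that is not the expected inside address, and also reports that this box is multi-homed on one subnet (two NICs, .10 and .11, each carrying the default route with equal metric), which is worth knowing on a DNS server because its replies may leave from either address. The route table is the one posted in the thread; the "fixed" copy is constructed by substituting the gateway. Python 3, standard library only.

```python
"""Parse a Windows 'route print' dump and flag a default gateway that does
not point at the firewall's inside interface.

The table is the one posted in the thread; FIXED_ROUTE_PRINT is constructed
by substituting the PIX inside address for the stale gateway.
"""
import ipaddress
import re

# One 'Active Routes' row: destination, netmask, gateway, interface, metric.
ROUTE_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def parse_route_print(text):
    """Return one dict per route row; headers, interface list and footers are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            rows.append({"dest": dest, "mask": mask, "gateway": gateway,
                         "interface": iface, "metric": int(metric)})
    return rows

def default_routes(rows):
    return [r for r in rows if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]

def check_default_gateway(rows, firewall_inside, inside_net):
    """Findings for a host that should reach the internet via firewall_inside; [] means consistent."""
    fw = ipaddress.ip_address(firewall_inside)
    net = ipaddress.ip_network(inside_net)
    findings = []
    defaults = default_routes(rows)
    if not defaults:
        findings.append("no default route: nothing off-subnet is reachable")
    for r in defaults:
        gw = ipaddress.ip_address(r["gateway"])
        if gw != fw:
            findings.append(f"default route via {gw} on {r['interface']}, expected firewall {fw}")
        if gw not in net:
            findings.append(f"gateway {gw} is not on the inside subnet {net}")
    ifaces = sorted({r["interface"] for r in defaults})
    if len(ifaces) > 1:
        findings.append("default route on %d interfaces (%s): multi-homed on one subnet, "
                        "replies may leave from either address" % (len(ifaces), ", ".join(ifaces)))
    return findings

# Route table as posted by the DNS server in the thread.
ROUTE_PRINT = """\
IPv4 Route Table
==============================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0f 1f 69 e9 0d ...... Broadcom NetXtreme Gigabit Ethernet
0x10004 ...00 0f 1f 69 e9 0e ...... Broadcom NetXtreme Gigabit Ethernet #2
==============================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.5     192.168.1.11     10
          0.0.0.0          0.0.0.0      192.168.1.5     192.168.1.10     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10     10
      192.168.1.0    255.255.255.0     192.168.1.11     192.168.1.11     10
     192.168.1.10  255.255.255.255        127.0.0.1        127.0.0.1     10
     192.168.1.11  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.1.255  255.255.255.255     192.168.1.10     192.168.1.10     10
    192.168.1.255  255.255.255.255     192.168.1.11     192.168.1.11     10
        224.0.0.0        240.0.0.0     192.168.1.10     192.168.1.10     10
        224.0.0.0        240.0.0.0     192.168.1.11     192.168.1.11     10
  255.255.255.255  255.255.255.255     192.168.1.10     192.168.1.10      1
  255.255.255.255  255.255.255.255     192.168.1.11     192.168.1.11      1
Default Gateway:       192.168.1.5
===============================================================
Persistent Routes:
  None
"""

# Constructed: the same table after the gateway was changed to the PIX inside address.
FIXED_ROUTE_PRINT = ROUTE_PRINT.replace("192.168.1.5", "192.168.1.1")

if __name__ == "__main__":
    for label, text in (("as posted", ROUTE_PRINT), ("after fix", FIXED_ROUTE_PRINT)):
        print(label)
        for f in check_default_gateway(parse_route_print(text), "192.168.1.1", "192.168.1.0/24"):
            print("  -", f)
```

Against the posted table this reports both default routes pointing at 192.168.1.5 instead of the PIX; after the fix only the multi-homing note remains. The same check run from the PC (which got its gateway from DHCP) would come back clean, which is exactly the difference between the two hosts in the thread.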
