DNS to DMZ

Posted on 2007-03-30
Last Modified: 2012-06-27
I have a problem getting DNS resolution to and from a web app in my DMZ. I have the access rules set in my firewall to allow DNS, but I can only get to the app by using the internal IP address for the server. I have created host files on my LAN's DNS server, but it still does not resolve unless I edit my local hosts file.

Question by:ioglyphics
7 Comments
Expert Comment

by:Alan Huseyin Kayahan
ID: 18826684
Did you set fixup protocols for DNS?

Author Comment

by:ioglyphics
ID: 18826786
No, I am certain I didn't, because I don't know what that is. The guy prior to me did a lot of what is set on our Cisco PIX. I have been troubleshooting this for over a week now and I am nearly in tears. I am simply trying to facilitate a DMZ (which is set up) that will allow for

1. access to a staging server that our clients could get to our beta version of a web app, and allow us to get to inside our LAN, by the URL and not the internal IP that has (or now maybe had)

2. FTP

3. front-end Exchange server with OWA

I have posted my config here for you to look at.


PIX Version 7.2(2)
!
hostname MatrixFW1
domain-name dms.local
enable password 05HxXdkum7f.9uQg encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 67.103.180.194 255.255.255.192
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 retries 3
 timeout 3
 name-server 64.105.199.74
 name-server 64.105.159.250
 name-server 192.168.1.101
 domain-name dms.local
object-group service dns tcp
 port-object eq domain
object-group service deltek tcp
 description deltek frontend
 port-object eq 7001
 port-object eq 1433
 port-object eq www
object-group service TE tcp-udp
 description Deltek Frontend
 port-object eq 7001
object-group network LAN
 network-object 192.168.1.0 255.255.255.0
object-group network DMZ
 network-object host 192.168.2.42
 network-object host 192.168.2.52
 network-object host 67.103.180.198
 network-object host 67.103.180.199
access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
access-list Access_in extended permit icmp any any echo-reply
access-list Access_in extended permit tcp any object-group deltek host 67.103.180.199 object-group deltek
access-list DMZ_access_in extended permit icmp object-group DMZ object-group LAN echo-reply
access-list DMZ_access_in extended permit icmp object-group DMZ interface outside
access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp object-group LAN eq smtp
access-list DMZ_access_in extended permit tcp object-group DMZ eq ftp object-group LAN eq ftp
access-list DMZ_access_in extended permit tcp object-group DMZ eq domain object-group LAN eq domain
access-list DMZ_access_in extended permit tcp object-group DMZ eq www object-group LAN eq www
access-list DMZ_access_in extended permit tcp object-group DMZ object-group deltek object-group LAN object-group deltek
access-list acl_inside_cap extended permit ip any host 192.168.2.42
access-list acl_dmz_cap extended permit ip host 192.168.2.42 any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0 dns
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.199 192.168.2.52 netmask 255.255.255.255
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group Access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.2.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside
http 67.103.180.192 255.255.255.192 outside
http 67.103.180.192 255.255.255.192 DMZ
http 67.103.180.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 67.103.180.192 255.255.255.192 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 64.105.199.74 interface outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside
ntp server 216.200.93.8 source outside prefer
prompt hostname context
Cryptochecksum:e4053622981d83301200ea24993546a3

NAT policies on Interface inside:
  match ip inside host 192.168.1.101 outside any
    static translation to 67.103.180.197
    translate_hits = 46190, untranslate_hits = 29608
  match ip inside 192.168.1.0 255.255.255.0 DMZ any
    static translation to 192.168.1.0
    translate_hits = 53, untranslate_hits = 1662
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (67.103.180.195)
    translate_hits = 355033, untranslate_hits = 21678
  match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 DMZ any
    dynamic translation to pool 1 (192.168.2.1 [Interface PAT])
    translate_hits = 1767, untranslate_hits = 11

NAT policies on Interface DMZ:
  match ip DMZ host 192.168.2.42 outside any
    static translation to 67.103.180.198
    translate_hits = 4836, untranslate_hits = 22524
  match ip DMZ host 192.168.2.52 outside any
    static translation to 67.103.180.199
    translate_hits = 0, untranslate_hits = 475
  match ip DMZ 192.168.2.0 255.255.255.0 outside any
    dynamic translation to pool 2 (67.103.180.196)
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 192.168.2.0 255.255.255.0 DMZ any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0

Accepted Solution

by:Alan Huseyin Kayahan (earned 300 total points)
ID: 18826851
You already have it with the following:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Expert Comment

by:Alan Huseyin Kayahan
ID: 18826860
What happens when you run nslookup on a machine in the DMZ?


Assisted Solution

by:lrmoore (earned 200 total points)
ID: 18827154
I think that what this asker is after is that the internal DNS resolves the URL to the public IP addresses of the DMZ servers, and not the private IP addresses. This will never work without the DNS servers living outside the firewall so the FW can do a dns rewrite. Since the DNS servers are inside the firewall, they should resolve the URL to the private IP address.
Author Comment

by:ioglyphics
ID: 18827523
lrmoore,

Well, actually there is no DNS server in the DMZ. The DNS server is behind the firewall on the LAN. Unless I am misunderstanding you, without a DNS server in the DMZ, the URL will not resolve to the private IP address. We can get to the site from outside our LAN, so that isn't the problem. Let me know if I understand what you are saying so that I can stop trying to achieve something that can't work. It isn't really a problem for internal users to use the private IP address to access sites in our DMZ; I just want to make sure there is no other way to make this work. Not that I need to, but suppose I wanted to get to OWA from within my LAN. Since this sits in the DMZ, does that mean I will have to use the private IP in the URL to get to it?

Author Comment

by:ioglyphics
ID: 18827572
Thanks guys, but I think the answer to my question is below. I posted this with a bit of a different question to address all my requirements. Had I given you guys more info I suppose you would have come up with the right answers as well. Thanks anyway, but my answer is below.
******************************************************************************************************

Several issues here...

>global (DMZ) 1 interface
>static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

The global statement is not necessary with the static. Suggest removing the global and keep the static.

>object-group network DMZ
This group should only contain the two 192.168.2.x addresses and not the public IPs. Suggest 2 groups:

object-group network DMZ
 network-object host 192.168.2.42
 network-object host 192.168.2.52
object-group network DMZ_public
 network-object host 67.103.180.198
 network-object host 67.103.180.199

>access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp object-group LAN eq smtp
The source port will not be 25, but the destination will be 25. Source port is random >1024. Don't you want to send email to only one mail server inside?
Suggest:
 access-list DMZ_access_in extended permit tcp object-group DMZ host 192.168.1.101 eq smtp

>access-list DMZ_access_in extended permit tcp object-group DMZ eq ftp object-group LAN eq ftp
Same issue with this and other acl entries. The source port will not be the same as the destination port.
Correct entry does not specify source port.
  access-list DMZ_access_in extended permit tcp object-group DMZ object-group LAN eq ftp

Here's my suggested DMZ ACL:
access-list DMZ_access_in extended permit icmp object-group DMZ object-group LAN echo-reply
access-list DMZ_access_in extended permit tcp object-group DMZ host 192.168.1.101 eq smtp
access-list DMZ_access_in extended permit tcp object-group DMZ object-group LAN eq ftp
access-list DMZ_access_in extended permit tcp object-group DMZ object-group LAN eq ftp-data
access-list DMZ_access_in extended permit tcp object-group DMZ host 192.168.1.101 eq domain
access-list DMZ_access_in extended permit tcp object-group DMZ object-group LAN object-group deltek
access-list DMZ_access_in deny ip object-group DMZ object-group LAN
access-list DMZ_access_in extended permit tcp object-group DMZ eq www any
access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp any
access-list DMZ_access_in extended permit tcp object-group DMZ eq https any
access-list DMZ_access_in extended permit tcp object-group DMZ eq ssh any


>access-list inside_access_in extended permit ip any any
>access-group inside_access_in in interface inside
This acl is redundant to the default allow all and should be removed from the inside interface. Only apply an acl to the inside interface to restrict traffic outbound.

> and allow us to get to inside our LAN, by the url and not the internal IP that has
This is the hard part. The ONLY way you can access internal hosts by their public URL that resolves to their public IP address is through DNS rewrite. This means that the DNS server the clients use lives outside the firewall, and the firewall intercepts the DNS responses and rewrites them to actually give the client the real private IP address. Since your DNS servers live inside the firewall, you must have an internal-only DNS server that resolves the URL to the private IP address, and a public DNS server that resolves the URL to the public IP addresses.
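As an added illustration (not from this thread or from Cisco), here is a small Python model of the DNS rewrite that lrmoore and the quoted answer describe: it parses a DNS reply, and where an A record carries the mapped (public) address of one of the posted static translations, it substitutes the real address, but only when the reply is entering the firewall on the mapped-side interface. It assumes the three statics from the posted config with the `dns` keyword added (the posted config does not have it), a simplified interface check, and a constructed hostname beta.example.com.

```python
import struct
from ipaddress import IPv4Address

# Static xlates from the posted PIX config, modelled as if "dns" were appended
# to each static line: (real_if, mapped_if, mapped_ip, real_ip). Assumption.
STATICS = [
    ("inside", "outside", "67.103.180.197", "192.168.1.101"),
    ("DMZ", "outside", "67.103.180.198", "192.168.2.42"),
    ("DMZ", "outside", "67.103.180.199", "192.168.2.52"),
]

def _skip_name(msg, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # 2-byte pointer terminates the name
            return off + 2
        if length == 0:                  # root label terminates the name
            return off + 1
        off += length + 1

def rewrite_dns_reply(msg, reply_ingress, statics=STATICS):
    """Simplified model of PIX/ASA 'static ... dns': an A record holding a
    mapped address, seen in a reply arriving on the mapped interface, is
    rewritten to the real address. Returns (new_msg, list_of_rewrites).
    A reply from an internal DNS server arrives on 'inside' and is untouched,
    which is why the internal server must hold the private address itself."""
    msg = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                         # past the 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4               # skip QTYPE and QCLASS
    rewrites = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:                # A record
            addr = str(IPv4Address(bytes(msg[off:off + 4])))
            for _real_if, mapped_if, mapped_ip, real_ip in statics:
                if reply_ingress == mapped_if and addr == mapped_ip:
                    msg[off:off + 4] = IPv4Address(real_ip).packed
                    rewrites.append((addr, real_ip))
        off += rdlen
    return bytes(msg), rewrites

def build_a_reply(name, ip):
    """Constructed sample reply: one question and one A answer (TTL 300)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answer
```

Feeding a reply for 67.103.180.198 in on "outside" yields 192.168.2.42; the same reply arriving on "inside" (an internal DNS server answering an internal client) is returned unchanged.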