Issues getting DNS forwards through PIX firewall
Posted on 2007-08-07
We have a PIX 501 behind a Cisco router and are trying to set up internal DNS with forwarding for external requests.
The layout looks like this
INTERNET -> Cisco 1840 -> PIX 501 -> Switch -> LAN workstations
The DNS server is on the same subnet and switch as the workstations (192.168)
I'm not sure if I need to configure anything specifically to pass DNS requests, but if I configure a client directly with the ISP DNS server, it works fine. But when our internal DNS server tries to forward queries, it fails.
On the firewall log I see the following:
"106023: Deny udp src outside:126.96.36.199/53 dst inside:10.0.3.2/3448 by access-group "server_access" "
But I already have the access list of
PrivateFW# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
access-list server_access; 5 elements
access-list server_access line 1 permit tcp host 10.0.2.122 host 192.168.100.69 eq 3306 (hitcnt=0)
access-list server_access line 2 permit icmp any any (hitcnt=1195)
access-list server_access line 3 permit udp host 188.8.131.52 10.0.3.0 255.255.255.0 eq dnsix (hitcnt=0)
access-list server_access line 4 permit udp host 184.108.40.206 10.0.3.0 255.255.255.0 eq domain (hitcnt=0)
access-list server_access line 5 permit udp host 220.127.116.11 10.0.3.0 255.255.255.0 eq domain (hitcnt=0)
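To make the ACL semantics concrete, here is an added Python check (not from the original post and not PIX code) that parses the quoted access-list lines and the 106023 deny message and tests which fields of each line the denied packet fails; it assumes only the `host <src> <net> <mask> [eq <port>]` form of ACE needs parsing, which is the form used by lines 3 to 5.

```python
import ipaddress
import re

# Constructed sample: the "sh access-list" entries and the deny message quoted in the post.
ACL_TEXT = """\
access-list server_access line 1 permit tcp host 10.0.2.122 host 192.168.100.69 eq 3306 (hitcnt=0)
access-list server_access line 2 permit icmp any any (hitcnt=1195)
access-list server_access line 3 permit udp host 188.8.131.52 10.0.3.0 255.255.255.0 eq dnsix (hitcnt=0)
access-list server_access line 4 permit udp host 184.108.40.206 10.0.3.0 255.255.255.0 eq domain (hitcnt=0)
access-list server_access line 5 permit udp host 220.127.116.11 10.0.3.0 255.255.255.0 eq domain (hitcnt=0)
"""
LOG_LINE = '106023: Deny udp src outside:126.96.36.199/53 dst inside:10.0.3.2/3448 by access-group "server_access"'

# Port keywords as Cisco's ACL keyword table defines them; only "domain" matters here.
PORT_NAMES = {"domain": 53, "dnsix": 195}

# Only the "host <src> <net> <mask> [eq <port>]" ACE form is parsed (lines 3-5);
# lines 1-2 are tcp/icmp and cannot match a UDP packet anyway.
ACE_RE = re.compile(r"permit (?P<proto>\w+) host (?P<src>[\d.]+) "
                    r"(?P<dnet>[\d.]+) (?P<dmask>[\d.]+)(?: eq (?P<dport>\w+))?")
LOG_RE = re.compile(r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
                    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_acl(text):
    aces = []
    for m in ACE_RE.finditer(text):
        name = m.group("dport")
        aces.append({
            "proto": m.group("proto"),
            "src": ipaddress.ip_address(m.group("src")),
            "dnet": ipaddress.ip_network(f"{m.group('dnet')}/{m.group('dmask')}", strict=False),
            # "eq <port>" written after the destination constrains the DESTINATION
            # port only; the source port of the packet is never examined.
            "dport": PORT_NAMES.get(name, int(name) if name and name.isdigit() else None),
        })
    return aces

def parse_deny(line):
    m = LOG_RE.search(line)
    return {"proto": m["proto"], "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])}

def mismatches(ace, pkt):
    """Names of the ACE fields the packet fails; an empty set means this ACE permits it."""
    bad = set()
    if ace["proto"] != pkt["proto"]: bad.add("proto")
    if ace["src"] != pkt["src"]: bad.add("src")
    if pkt["dst"] not in ace["dnet"]: bad.add("dst")
    if ace["dport"] is not None and ace["dport"] != pkt["dport"]: bad.add("dport")
    return bad

def matching_ace(aces, pkt):
    """First ACE permitting pkt, or None when the implicit deny at the end applies."""
    return next((a for a in aces if not mismatches(a, pkt)), None)

ACES = parse_acl(ACL_TEXT)
```

Run against the quoted log line, the reply from port 53 to ephemeral port 3448 matches no entry: the `eq domain` lines only permit packets whose destination port is 53, so a DNS reply addressed to port 3448 falls to the implicit deny regardless of its source port.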