Solved

DNS/Firewall Issue

Posted on 2007-10-01
19
Medium Priority
340 Views
Last Modified: 2010-04-09
Everyone,

I have an issue getting my DNS servers to register.  I recently purchased a domain name through godaddy.com.  I have a network set up using the new domain name.  However, when I try to get godaddy.com to recognize my DNS servers, it gives an error and immediately returns to the default setting, which is wrong.  Could this be an issue with the firewall, or is my DNS set up incorrectly?  Also, if anyone knows what is wrong, what steps do I take to remedy the problem?
0
Question by:crowebr
19 Comments
 
LVL 13

Assisted Solution

by:bluetab
bluetab earned 300 total points
ID: 19991477
What is the error that GoDaddy is giving you?  Did you configure your PIX to forward the DNS ports to your internal DNS servers?
0
 

Author Comment

by:crowebr
ID: 19991503
GoDaddy just returns "Errors were detected."  How would you configure the PIX to forward DNS ports?
0
 

Author Comment

by:crowebr
ID: 19991612
Oh, it is a PIX 501 with version 6.3.
0
 
LVL 13

Expert Comment

by:bluetab
ID: 19991625
You would need to forward port 53 (UDP and TCP) to your DNS server.  I don't know how to configure the PIX to do this.  But why do you want to use your DNS server as opposed to GoDaddy's?  Hosting your own DNS server is a lot of work with a lot of security issues.  Usually the best thing to do is to use GoDaddy's DNS server and configure it with the proper A and MX records.
0
 

Author Comment

by:crowebr
ID: 19991820
Because that's the way my boss wants to do it.  Unfortunately for me, my boss is better with SQL and scripting or programming than he is with normal Windows operations.  He also has no experience with firewalls, and mine is limited to Sidewinder firewalls.  So of course all these problems get dumped on me, which is why I asked if anyone knows the procedures for doing this.  I am using the PDM and I think you can set the port forwarding up in the Access Rules area, but I am not sure.  So I don't want to just start changing firewall settings unless I know what I am doing.
0
 
LVL 36

Accepted Solution

by:grblades
grblades earned 600 total points
ID: 19991895
I am not familiar with the PDM but if you post your configuration I can check it and give you the commands you need to enter to fix any misconfiguration.
Just remember to remove any passwords shown.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 600 total points
ID: 19991909
0
 

Author Comment

by:crowebr
ID: 19991948
Here you go.

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname PixFW
domain-name cisco.com
clock timezone CST -6
clock summer-time CST recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.252.60.220 Charger
name 10.252.60.221 S2000
object-group icmp-type ICMP-ALLOWED
  icmp-object echo-reply
  icmp-object time-exceeded
  icmp-object traceroute
object-group network Fowlerholding.com1
  network-object Charger 255.255.255.255
  network-object S2000 255.255.255.255
access-list outside permit tcp any host 66.210.26.219 eq www
access-list outside permit tcp any host 66.210.26.219 eq https
access-list outside permit tcp any host 66.210.26.218 eq smtp
access-list outside permit tcp any host 66.210.26.218 eq pop3
access-list outside permit tcp any host 66.210.26.218 eq www
access-list outside permit tcp any host 66.210.26.218 eq https
access-list outside permit tcp any host 66.210.26.218 eq 3389
access-list outside permit icmp any any object-group ICMP-ALLOWED
access-list outside deny ip any any
access-list outside permit tcp any host 66.210.26.219 eq domain
access-list outside permit tcp any host 66.210.26.218 eq domain
access-list outside permit udp any host 66.210.26.218 eq domain
access-list 101 permit tcp any interface outside eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.210.26.218 255.255.255.248
ip address inside 10.252.60.144 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.252.60.126 255.255.255.255 inside
pdm location 10.252.60.161 255.255.255.255 inside
pdm location 10.252.60.222 255.255.255.255 inside
pdm location 69.8.11.207 255.255.255.255 outside
pdm location Charger 255.255.255.255 inside
pdm location S2000 255.255.255.255 inside
pdm group Fowlerholding.com1 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.252.60.0 255.255.255.0 0 0
static (inside,outside) tcp 66.210.26.219 https 10.252.60.222 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.210.26.218 smtp 10.252.60.222 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.210.26.218 pop3 10.252.60.222 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.210.26.218 https 10.252.60.126 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.210.26.218 3389 10.252.60.161 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.210.26.219 www 10.252.60.222 www netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.210.26.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 129.6.15.29 source outside
http server enable
http 10.252.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community aasfdafsd
no snmp-server enable traps
floodguard enable
telnet 10.252.60.0 255.255.255.0 inside
telnet timeout 60
ssh 69.8.11.207 255.255.255.255 outside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:2ee74f4d0822e206aedbd4536e6ab67a
: end
[OK]

That is the configuration.  Now, this configuration is for a different domain on the same network.  Basically, what we are trying to do is completely stand up this new domain before we transfer everything over.  So the new DNS servers are 10.252.60.220 and 10.252.60.221.
0
 

Author Comment

by:crowebr
ID: 19991955
Please keep in mind, I did not set this up.  This was done a long time before I started working here.
0
 
LVL 36

Expert Comment

by:grblades
ID: 19991993
I can see you are missing the 'static' commands required.

What external IP addresses do you wish to use to access the two internal dns servers?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 19992008
Hang fire, you DON'T need port forwarding, you have static IP addresses....

0
 
LVL 36

Expert Comment

by:grblades
ID: 19992024
Well, port forwarding is OK if you want to conserve IP addresses etc...
But for your DNS servers I would suggest you perform NAT between two IP addresses and not on a port by port basis.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 19992029
As far as I can see you only need to add

access-list outside permit udp any host 66.210.26.219 eq domain
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 19992041
And remove this

access-list outside deny ip any any


with

no access-list outside deny ip any any


The deny is above the allows :)
0
 
LVL 36

Expert Comment

by:grblades
ID: 19992047
Something like this should be all that's required. The DNS server on 10.252.60.220 will be accessible on the internet as 66.210.26.220 etc...

access-list outside permit udp any host 66.210.26.220 eq domain
access-list outside permit udp any host 66.210.26.221 eq domain
static (inside,outside) 66.210.26.220 10.252.60.220 netmask 255.255.255.255 0 0
static (inside,outside) 66.210.26.221 10.252.60.221 netmask 255.255.255.255 0 0
0
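An added example to go with the last few replies (this is my own constructed code, not something any of the posters wrote and not a Cisco tool). It parses the `access-list outside` and `static` lines from the posted config and evaluates them the way the PIX does, top-down and first match wins. That makes two things visible without touching the firewall: Pete Long's point that the `deny ip any any` entry shadows every permit placed after it, and grblades' point that a service is only reachable when a static translation and a reachable permit both exist. Only the `any -> host/any [eq port]` entry shape seen in the posted config is modelled, and the ICMP object-group entry is treated as a plain `permit icmp any any`; the `POSTED` and `PROPOSED` strings are copied from this thread.

```python
"""Constructed first-match evaluator for the PIX 6.3 'outside' access-list and
static lines posted in this thread (example code, not Cisco's). It only models
the 'any -> host/any [eq port]' entry shape used in that config."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "domain": 53}


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # tcp, udp, icmp, or ip (ip matches any protocol)
    dst: Optional[str]    # destination host; None means "any"
    port: Optional[int]   # destination port; None means any port
    text: str             # original line, for reporting

# (proto or None, external ip, external port or None, inside ip);
# proto None is a one-to-one static that translates every port.
Static = Tuple[Optional[str], str, Optional[int], str]

ACE_RE = re.compile(r"^access-list outside (permit|deny) (tcp|udp|icmp|ip) any "
                    r"(?:host (\S+)|any)(?: eq (\S+))?")
STATIC_RE = re.compile(r"^static \(inside,outside\) "
                       r"(?:(tcp|udp) (\S+) (\S+) (\S+) \S+|(\S+) (\S+)) netmask")


def port_num(tok: Optional[str]) -> Optional[int]:
    return None if tok is None else (PORT_NAMES.get(tok) or int(tok))


def parse_config(text: str) -> Tuple[List[Ace], List[Static]]:
    aces, statics = [], []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse whitespace, drop indentation
        if m := ACE_RE.match(line):
            action, proto, host, port = m.groups()
            aces.append(Ace(action, proto, host, port_num(port), line))
        elif m := STATIC_RE.match(line):
            proto, ext, eport, inner, ext1, inner1 = m.groups()
            statics.append((proto, ext, port_num(eport), inner) if proto
                           else (None, ext1, None, inner1))
    return aces, statics


def ace_matches(ace: Ace, proto: str, dst: Optional[str], port: Optional[int]) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and (ace.dst is None or ace.dst == dst)
            and (ace.port is None or ace.port == port))


def first_match(aces: List[Ace], proto: str, dst: str, port: int) -> Optional[Ace]:
    """The PIX walks the list top-down and stops at the first hit; no hit is the implicit deny."""
    return next((a for a in aces if ace_matches(a, proto, dst, port)), None)


def shadowed_entries(aces: List[Ace]) -> List[str]:
    """Entries that can never be hit because an earlier entry already matches all their traffic."""
    return [later.text for i, later in enumerate(aces)
            if any(ace_matches(e, later.proto, later.dst, later.port) for e in aces[:i])]


def translation_for(statics: List[Static], proto: str, ext_ip: str, port: int) -> Optional[str]:
    for s_proto, s_ext, s_port, s_in in statics:
        if s_ext == ext_ip and (s_proto is None or (s_proto == proto and s_port == port)):
            return s_in
    return None


def check_service(config_text: str, proto: str, ext_ip: str, port: int) -> dict:
    """Report whether an inbound connection to ext_ip:port would reach an inside host."""
    aces, statics = parse_config(config_text)
    hit = first_match(aces, proto, ext_ip, port)
    return {"inside_host": translation_for(statics, proto, ext_ip, port),
            "acl_entry": hit.text if hit else "implicit deny",
            "permitted": hit is not None and hit.action == "permit"}


# Access-list and static lines copied from the config posted in this thread.
POSTED = """
access-list outside permit tcp any host 66.210.26.219 eq www
access-list outside permit tcp any host 66.210.26.219 eq https
access-list outside permit tcp any host 66.210.26.218 eq smtp
access-list outside permit tcp any host 66.210.26.218 eq pop3
access-list outside permit tcp any host 66.210.26.218 eq www
access-list outside permit tcp any host 66.210.26.218 eq https
access-list outside permit tcp any host 66.210.26.218 eq 3389
access-list outside permit icmp any any object-group ICMP-ALLOWED
access-list outside deny ip any any
access-list outside permit tcp any host 66.210.26.219 eq domain
access-list outside permit tcp any host 66.210.26.218 eq domain
access-list outside permit udp any host 66.210.26.218 eq domain
static (inside,outside) tcp 66.210.26.219 https 10.252.60.222 https netmask 255.255.255.255 0 0
"""

# The same list after the two changes suggested in the thread: the deny removed,
# and one-to-one statics plus UDP/53 permits added for the new DNS servers.
PROPOSED = POSTED.replace("access-list outside deny ip any any\n", "") + """
access-list outside permit udp any host 66.210.26.220 eq domain
access-list outside permit udp any host 66.210.26.221 eq domain
static (inside,outside) 66.210.26.220 10.252.60.220 netmask 255.255.255.255 0 0
static (inside,outside) 66.210.26.221 10.252.60.221 netmask 255.255.255.255 0 0
"""
```

Running `shadowed_entries(parse_config(POSTED)[0])` lists exactly the three `domain` permits, because the `deny ip any any` above them matches first, which is why nothing reached the DNS servers no matter what the PDM showed. `check_service(PROPOSED, "udp", "66.210.26.220", 53)` then comes back permitted with inside host 10.252.60.220. The same query for `tcp` reports the implicit deny even though the one-to-one static covers every port, which is bluetab's earlier point: if you also want zone transfers or large responses over TCP/53, a matching `permit tcp ... eq domain` entry has to be added as well.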
 

Author Comment

by:crowebr
ID: 19993822
Where did you guys learn this stuff?  I have to tell you I feel completely lost at this point.
0
 
LVL 36

Expert Comment

by:grblades
ID: 19996840
I tend to learn by playing with the device and looking at the configuration examples and then reading up on any of the commands I don't understand. A good place for examples is:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 20000225
Agreed - break loads of things and you learn to fix them quickly :)
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 20038945
ThanQ
0
