Solved

Problem with Cisco PIX 501 when using domain name to access port instead of IP

Posted on 2007-11-30
Last Modified: 2012-05-05
Hi Experts!

I have a PIX 501 firewall which is currently allowing access to my mail server on ports 25 and 110 using NAT and Static Routes. The IP that "ties" the firewall with the server is the IP configured in the outside interface of the router (200.100.100.100). The internal server's IP is 10.0.1.1.

What works:

1. I can PING the 200.100.100.100 IP address from any outside network with no problem, I get replies.
2. The IP is mapped through DNS to name mail.myserver.com. I can PING mail.myserver.com and get a reply from the IP with no problem.
3. I can telnet 200.100.100.100 on ports 25 and 100 and I can connect with no problem.

What does not work:

1. If I try to telnet the domain instead of the IP, for example telnet mail.myserver.com 25   or telnet mail.myserver.com 110 it takes a LOT of time to connect, sometimes it times out.
2. Because of this, mail clients return errors and do not download or send mail.


Question: Why would connecting through the domain name take so long even if I can ping the domain name getting decent reply times, and I can connect to the ports with the IP address real quickly?

I tried removing the fixup for port 25, but same thing happens.

Thanks a lot!!
Question by:glopezz
3 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 20386631
You state that this works:

I can telnet 200.100.100.100 on ports 25 and 100 and I can connect with no problem.

and this doesn't:

If I try to telnet the domain instead of the IP, for example telnet mail.myserver.com 25   or telnet mail.myserver.com 110 it takes a LOT of time to connect, sometimes it times out.

The only difference between those two functions is DNS name resolution, which is being used in the one that doesn't work.  To verify that it is a DNS resolution issue, have you tried putting an entry for mail.myserver.com into an external client's local "hosts" file so that the name resolution occurs locally and then trying your telnet test to the FQDN?
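An added example, not part of the original thread, of the check the accepted answer describes: it times name resolution separately from the TCP handshake and compares the result with a direct-IP connection. The function names, the `slow` threshold and the verdict strings are assumptions made for this example; the host name, address and port are the ones quoted in the question.

```python
import socket
import time


def timed_connect(host, port, timeout=5.0, resolver=socket.getaddrinfo):
    """Time name resolution and the TCP handshake separately.

    Returns (resolve_seconds, connect_seconds, ip); connect_seconds is None
    if the handshake failed or timed out. A resolver error propagates.
    """
    start = time.perf_counter()
    infos = resolver(host, port, socket.AF_INET, socket.SOCK_STREAM)
    resolve_s = time.perf_counter() - start
    ip = infos[0][4][0]
    start = time.perf_counter()
    try:
        # Connect to the literal address so no second lookup is timed here.
        with socket.create_connection((ip, port), timeout=timeout):
            connect_s = time.perf_counter() - start
    except OSError:
        connect_s = None
    return resolve_s, connect_s, ip


def diagnose(name, expected_ip, port, slow=1.0, resolver=socket.getaddrinfo):
    """Classify why connecting by name behaves differently from connecting by IP."""
    resolve_s, connect_s, ip = timed_connect(name, port, resolver=resolver)
    # Baseline: the same port reached by literal IP, which needs no DNS lookup.
    _, baseline_s, _ = timed_connect(expected_ip, port)
    if ip != expected_ip:
        verdict = "name-resolves-to-wrong-address"
    elif resolve_s > slow:
        verdict = "slow-name-resolution"
    elif connect_s is None or baseline_s is None:
        verdict = "tcp-path-problem"
    else:
        verdict = "ok"
    return {"verdict": verdict, "resolved_ip": ip, "resolve_s": resolve_s,
            "connect_s": connect_s, "baseline_connect_s": baseline_s}


if __name__ == "__main__":
    # Values from the question: public name, its expected address, SMTP port.
    print(diagnose("mail.myserver.com", "200.100.100.100", 25))
```

Run it from an external client; a large `resolve_s` next to a small `baseline_connect_s` points at the resolver the client uses rather than at the firewall.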
 
LVL 4

Expert Comment

by:mdefalco
ID: 20386914
Good idea batry boy. I was thinking it was the DNS config also. Run a traceroute to the domain name also and see where it goes. It will time each hop, so you can see where the delay is.

jim
 

Author Closing Comment

by:glopezz
ID: 31412066
Thanks Guys, it was a name resolution problem.