Solved

Problem with cisco PIX 501 when using domain name to access port instead of IP

Posted on 2007-11-30
240 Views
Last Modified: 2012-05-05
Hi Experts!

I have a PIX 501 firewall which is currently allowing access to my mail server on ports 25 and 110 using NAT and static routes. The IP that "ties" the firewall with the server is the IP configured on the outside interface of the router (200.100.100.100). The internal server's IP is 10.0.1.1.

What works:

1. I can PING the 200.100.100.100 IP address from any outside network with no problem; I get replies.
2. The IP is mapped through DNS to the name mail.myserver.com. I can PING mail.myserver.com and get a reply from the IP with no problem.
3. I can telnet 200.100.100.100 on ports 25 and 100 and I can connect with no problem.

What does not work:

1. If I try to telnet the domain instead of the IP, for example telnet mail.myserver.com 25 or telnet mail.myserver.com 110, it takes a LOT of time to connect, and sometimes it times out.
2. Because of this, mail clients return errors and do not download or send mail.


Question: Why would connecting through the domain name take so long, even though I can ping the domain name and get decent reply times, and I can connect to the ports by IP address very quickly?

I tried removing the fixup for port 25, but the same thing happens.

Thanks a lot!!
Question by:glopezz
3 Comments
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 20386631
You state that this works:

I can telnet 200.100.100.100 on ports 25 and 100 and I can connect with no problem.

and this doesn't:

If I try to telnet the domain instead of the IP, for example telnet mail.myserver.com 25 or telnet mail.myserver.com 110, it takes a LOT of time to connect, and sometimes it times out.

The only difference between those two operations is DNS name resolution, which is used only in the one that doesn't work. To verify that it is a DNS resolution issue, have you tried putting an entry for mail.myserver.com into an external client's local "hosts" file, so that name resolution happens locally, and then repeating your telnet test against the FQDN?
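The hosts-file test above isolates resolution from connectivity by hand. The following script does the same separation programmatically: it times the lookup on its own, then tries each address the name returns, in order, the way telnet does, and times every attempt. This is an added example, not code from the thread or from the original poster; it assumes a Python 3 host and uses only the standard library. It also shows the general case the thread does not spell out: a name that resolves to several addresses (for example an IPv6 one the client tries first) can make "connect by name" slow while "connect by IP" is instant, because each failed attempt burns a full timeout before the next address is tried.

```python
"""Separate name-resolution time from TCP-connect time for host:port.

Added example, not from the thread. Assumes Python 3 on a POSIX host.
"""
import socket
import time


def resolve_timed(host, port):
    """Time getaddrinfo() and return (seconds, [(family, sockaddr), ...])."""
    t0 = time.perf_counter()
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return time.perf_counter() - t0, [(fam, addr) for fam, _, _, _, addr in infos]


def connect_timed(family, sockaddr, timeout):
    """Attempt one TCP connect and return (seconds, error_or_None)."""
    t0 = time.perf_counter()
    sock = None
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(sockaddr)
        return time.perf_counter() - t0, None
    except OSError as exc:
        return time.perf_counter() - t0, repr(exc)
    finally:
        if sock is not None:
            sock.close()


def diagnose(host, port, timeout=5.0):
    """Time the lookup, then try each returned address in order, as a
    client such as telnet would, stopping at the first success."""
    resolve_s, addrs = resolve_timed(host, port)
    attempts = []
    for fam, sockaddr in addrs:
        took, err = connect_timed(fam, sockaddr, timeout)
        attempts.append({"addr": sockaddr[0], "seconds": took, "error": err})
        if err is None:
            break  # connected; telnet would stop here too
    return {"host": host, "resolve_seconds": resolve_s, "attempts": attempts}


def report(result):
    """Render a diagnose() result as one line per step."""
    lines = ["%s: lookup took %.3fs" % (result["host"], result["resolve_seconds"])]
    for a in result["attempts"]:
        state = "ok" if a["error"] is None else a["error"]
        lines.append("  %s: %.3fs %s" % (a["addr"], a["seconds"], state))
    return "\n".join(lines)


def demo_local():
    """Offline demonstration: open a listener on 127.0.0.1 (constructed
    test target) and diagnose it both by literal IP and by name."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        return diagnose("127.0.0.1", port), diagnose("localhost", port)
    finally:
        srv.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python3 dnsvsconnect.py mail.myserver.com 25
        print(report(diagnose(sys.argv[1], int(sys.argv[2]))))
    else:
        for res in demo_local():
            print(report(res))
```

Run it once against the literal IP and once against the FQDN. If the lookup line is slow, the resolver path is the problem; if the lookup is fast but the first address attempt sits at the full timeout before a later address succeeds, the name is returning an address the client cannot reach, and the hosts-file entry works around that for the same reason it bypasses a slow resolver.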
LVL 4

Expert Comment

by:mdefalco
ID: 20386914
Good idea, batry_boy. I was thinking it was the DNS config also. Run a traceroute to the domain name as well and see where it goes. It times each hop, so you can see where the delay is.

jim
 

Author Closing Comment

by:glopezz
ID: 31412066
Thanks Guys, it was a name resolution problem.