Solved

Problem with cisco PIX 501 when using domain name to access port instead of IP

Posted on 2007-11-30
3
245 Views
Last Modified: 2012-05-05
Hi Experts!

I have a Pix 501 firewall which is currently allowing access to my mail server on ports 25 and 110 using NAT and Static Routes. The IP that "ties" the firewall with the server is the IP configured in the outside interface of the router (200.100.100.100). The internal server's IP is 10.0.1.1.

What works:

1. I can PING the 200.100.100.100 IP address from any outside network with no problem, I get replies.
2. The IP is mapped through DNS to name mail.myserver.com. I can PING mail.myserver.com and get a reply from the IP with no problem.
3. I can telnet 200.100.100.100 on ports 25 and 100 and I can connect with no problem.

What does not work:

1. If I try to telnet the domain instead of the IP, for example telnet mail.myserver.com 25 or telnet mail.myserver.com 110, it takes a LOT of time to connect, sometimes it times out.
2. Because of this, mail clients return errors and do not download or send mail.


Question: Why would connecting through the domain name take so long even if I can ping the domain name getting decent reply times, and I can connect to the ports with the IP address really quickly?

I tried removing the fixup for port 25, but same thing happens.

thanks a lot!!
3 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 20386631
You state that this works:

I can telnet 200.100.100.100 on ports 25 and 100 and I can connect with no problem.

and this doesn't:

If I try to telnet the domain instead of the IP, for example telnet mail.myserver.com 25 or telnet mail.myserver.com 110, it takes a LOT of time to connect, sometimes it times out.

The only difference between those two functions is DNS name resolution, which is being used in the one that doesn't work.  To verify that it is a DNS resolution issue, have you tried putting an entry for mail.myserver.com into an external client's local "hosts" file so that the name resolution occurs locally and then trying your telnet test to the FQDN?
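The isolation batry_boy describes, timing the name lookup separately from the TCP handshake, as an added example that is not part of the thread. It uses the host name and public IP from the question as placeholders, and the 2000 ms threshold is an assumption.

```python
"""Time the two halves of 'telnet mail.myserver.com 25' separately: the DNS
lookup and the TCP handshake. Added example, not code from the thread."""
import socket
import time

# Host and public IP from the question; substitute your own.
MAIL_FQDN = "mail.myserver.com"
MAIL_PUBLIC_IP = "200.100.100.100"
MAIL_PORTS = (25, 110)

def time_resolve(name):
    """Return (first IPv4 address or None, milliseconds spent in the resolver)."""
    start = time.perf_counter()
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
        ip = infos[0][4][0]
    except socket.gaierror:
        ip = None
    return ip, (time.perf_counter() - start) * 1000.0

def time_connect(ip, port, timeout=10.0):
    """Return milliseconds for a TCP handshake to ip:port, or None on failure."""
    start = time.perf_counter()
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:
        return None

def classify(resolve_ms, connect_ms, slow_ms=2000.0):
    """Name the slow half. A slow lookup with a fast connect is the question's
    symptom: DNS, not the PIX static/NAT rules, is where the time goes."""
    if connect_ms is None:
        return "connect-failed"
    if connect_ms >= slow_ms:
        return "transport"
    return "dns" if resolve_ms >= slow_ms else "ok"

def diagnose(name, port):
    """Resolve, then connect to the returned address; report both timings."""
    ip, resolve_ms = time_resolve(name)
    connect_ms = time_connect(ip, port) if ip else None
    verdict = classify(resolve_ms, connect_ms) if ip else "resolve-failed"
    return {"ip": ip, "resolve_ms": resolve_ms, "connect_ms": connect_ms, "verdict": verdict}

if __name__ == "__main__":
    for port in MAIL_PORTS:  # compare the working test (raw IP) with the failing one
        print(port, "by IP:", time_connect(MAIL_PUBLIC_IP, port), "by name:",
              diagnose(MAIL_FQDN, port))
```

If the by-IP connect is fast and the verdict is "dns", the hosts-file test above will succeed and the resolver path (client DNS settings, the zone's authoritative servers) is where to look next.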
 
LVL 4

Expert Comment

by:mdefalco
ID: 20386914
Good idea batry_boy. I was thinking it was the DNS config also. Run a traceroute to the domain name also and see where it goes. It will time each hop, so you can see where the delay is.

jim
 

Author Closing Comment

by:glopezz
ID: 31412066
Thanks Guys, it was a name resolution problem.