Zone Transfers/DNS-Is Pix Configured to allow these?

I have configured a Pix 501 to protect a DNS server using the following config. Clients should only be able to conduct Zone transfers and DNS, other than this  I want to lock the server down.

However, when I use http://www.kloth.net/services/nslookup.php to test the server, it responds

"server can't find 7.1.1.207.in-addr.arpa: NXDOMAIN"

Any comments on this config?


----------------------------------------------------------

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 5gL encrypted

passwd 15f encrypted

hostname myname

domain-name mydomain.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521


             
fixup protocol tftp 69

names

access-list alist permit tcp any host 207.1.1.7 eq 7390

access-list alist permit udp any host 207.1.1.7 eq domain

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 207.1.1.5 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.9 192.168.1.6 netmask 255.255.255.255 0 0

access-group alist in interface outside

route outside 0.0.0.0 0.0.0.0 205.244.149.110 1


             
timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600


             
dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:eee1111ggggggdd

: end

[OK]
blinton25Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
fixup protocol dns maximum-length 512
You may need to increase the max length

The error message refers to PTR records in your in-addr.arpa reverse zone. Is it set up correctly to math the forward zones?
0
blinton25Author Commented:
Thanks for the suggestion.

1. Recommened increase in size?

2. I will have to contact my ISP to have them create/modify the DNS reverse entries.

0
lrmooreCommented:
Increase to 768 or 1024

>static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
>static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0
You should do one or the other, not both...
Suggest:

no static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
clear xlate
0
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

blinton25Author Commented:
Hello,

Thanks for the suggestions.

I got the PTR record setup by the ISP. Now when I query using http://www.kloth.net/services/dig.php I receive a


 ; <<>> DiG 9.3.2 <<>> @207.1.1.7  testdomain.cad ANY
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25541
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;testdomain.cad.            IN      ANY
 
 ;; Query time: 193 msec
 ;; SERVER: 207.1.1.7 #53(207.1.1.7)
 ;; WHEN: Thu Feb  7 19:57:04 2008
 ;; MSG SIZE  rcvd: 33



However if I query on the server the correct information is returned.

My named.conf looks like this:

//
// named.conf for Red Hat caching-nameserver
//

options {
      directory "/var/named";
      dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
      version "unknown";
      /*
       * If there is a firewall between you and nameservers you want
       * to talk to, you might need to uncomment the query-source
       * directive below.  Previous versions of BIND always asked
       * questions using port 53, but BIND 8.1 uses an unprivileged
       * port by default.
       */
       // query-source address * port 53;
      allow-recursion {192.168.3.0/24;};
};

//
// a caching only nameserver config
//
controls {
      inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
      type hint;
      file "named.ca";
};

zone "localdomain" IN {
      type master;
      file "localdomain.zone";
      allow-update { none; };
};

zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
      file "named.ip6.local";
      allow-update { none; };
};

zone "255.in-addr.arpa" IN {
      type master;
      file "named.broadcast";
      allow-update { none; };
};

zone "0.in-addr.arpa" IN {
      type master;
      file "named.zero";
      allow-update { none; };
};

include "/etc/rndc.key";

zone "cad" {
      type slave;
      file "slaves/cad.zon";
      masters { 192.168.1.3;};
      };

zone "co.cad" {
        type slave;
        file "slaves/co.cad.zon";
        masters { 192.168.1.3;};
        };

zone "org.cad" {
        type slave;
        file "slaves/org.cad.zon";
        masters { 192.168.1.3;};
        };

zone "gov.cad" {
        type slave;
        file "slaves/gov.cad.zon";
        masters { 192.168.1.3;};
        };

zone "net.cad" {
        type slave;
        file "slaves/net.bb.zon";
        masters { 192.168.1.3;};
        };

zone "biz.bb" {
        type slave;
        file "slaves/biz.cad.zon";
        masters { 192.168.1.3;};
        };

zone "com.cad" {
        type slave;
        file "slaves/com.cad.zon";
        masters { 192.168.1.3;};
        };

zone "testdomain.com.cad" {
        type slave;
        file "slaves/testdomain.com.cad.zon";
        masters { 192.168.1.3;};
        };
0
blinton25Author Commented:
Hello,

lrmoore, can you clarify:

>static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
>static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0


no static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

Are you saying that I should remove my statics references? If so could you clarify why?
0
blinton25Author Commented:
Hello,
When I remove the firewall my DNS server responds ok.

I have observed the following behaviour when trying to open port 53 (TCp/UDP). Someone told me that they had heard this was a bug in the Pix, can anyone confirm?

access-list alist permit tcp any host 207.1.1.7 eq 53
access-list alist permit udp any host 207.1.1.7 eq 53

In both of the above cases, I receive an error:
ACE not added, possible duplicate entry.

My config looks like this:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 4P4Lpmgzv5cZL7lu encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PC1

domain-name mydomain.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

<--- More --->
             
fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 101 permit tcp any host 207.1.1.7 eq domain log

access-list 101 permit udp any host 207.1.1.7 eq domain log

access-list 101 permit tcp any host 207.1.1.7 eq www log

access-list 101 permit icmp any any echo-reply log

access-list 101 permit icmp any any echo log

access-list alist permit tcp any host 207.1.1.7 eq 7390

access-list alist permit tcp any host 207.1.1.8 eq 7390

access-list alist permit udp any host 207.1.1.7 eq domain

access-list alist permit udp any host 207.1.1.8 eq domain

access-list alist permit tcp any host 207.1.1.7 eq domain

access-list alist2 permit tcp any host 207.1.1.8 eq 7390

access-list alist2 permit tcp any host 207.1.1.7 eq domain

access-list alist2 permit udp any host 207.1.1.7 eq domain

pager lines 24

logging on

logging timestamp

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address outside 207.1.1.3 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

<--- More --->
             
ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.3 255.255.255.255 inside

pdm location 192.168.1.4 255.255.255.255 inside

pdm location 192.168.1.6 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 207.1.1.7 domain 192.168.1.3 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.7 domain 192.168.1.3 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.7 www 192.168.1.3 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.8 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.8 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.8 www 192.168.1.4 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.9 www 192.168.1.6 www netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.7 192.168.1.3 netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.8 192.168.1.4 netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.9 192.168.1.6 netmask 255.255.255.255 0 0

access-group alist in interface outside

route outside 0.0.0.0 0.0.0.0 200.50.92.193 1

timeout xlate 0:05:00

<--- More --->
             
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.32 inside

dhcpd lease 3600

dhcpd ping_timeout 750

<--- More --->
             
dhcpd auto_config outside

dhcpd enable inside

terminal width 80



0
lrmooreCommented:
>told me that they had heard this was a bug in the Pix
There were some bugs in the dns fixup prior to the 6.3(5) version that you are running

>ACE not added, possible duplicate entry.
Because you already have the required entries using "domain" instead of "53"

Try increasing the max-length to 1024
  fixup protocol dns maximum-length 1024

0
blinton25Author Commented:
Hello,

So remove the domain entry? What ports does this cover?
0
lrmooreCommented:
No, keep these just exactly as you have them now because domain = 53

  access-list 101 permit tcp any host 207.1.1.7 eq domain log
  access-list 101 permit udp any host 207.1.1.7 eq domain log

Just try changing the fixup max-length
0
blinton25Author Commented:
Hi,

Note that my access-group is called alist. So are the settings for access-list actually being applied?

BrianL
0
lrmooreCommented:
Yes, you have the same thing in alist, and alist is applied correctly

 access-list alist permit udp any host 207.1.1.7 eq domain
 access-list alist permit tcp any host 207.1.1.7 eq domain

 access-group alist in interface outside
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
blinton25Author Commented:
Sorry, you are correct! I will try changing the max length.
0
blinton25Author Commented:
Hello,

Ok, I applied the fixup but it still isn't working. I can't connect to the DNS server when the firewall is in place.

I then tried using another computer, and noticed that even though I am assigned an IP address (192.166.1.3) via DHCP, I still can't surf.

Is there something in my config file that might be preventing connectivity?
0
blinton25Author Commented:
Hello,

Ok, I needed to restart BIND because of the change in the IP address on the server (public to private). Once I did that the DNS server started working again.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.