Solved

How to configure DNS for new Firewall?

Posted on 2008-09-29
310 Views
Last Modified: 2012-05-05
I want to switch from our Sonicwall Pro 100 firewall to a PIX 515e.

I have configured the PIX pretty straight-forward. There are two one-to-one NATs: one for a webserver on the DMZ and one for our email server on the LAN. I have created ACLs which allow www to both the webserver and email server as well as to allow SMTP to the email server. I have tested the PIX several times and the problem I keep having is this: SMTP packets are not getting to my email server on the LAN.

Using nslookup, set type=mx for our domain "this.is.my.domain" returns:
this.is.my.domain     MX preference = 20, mail exchanger = my.isp.domain
this.is.my.domain     MX preference = 10, mail exchanger = mail.this.is.my.domain

nslookup mail.this.is.my.domain:
Address: X.X.X.194

The IP address X.X.X.194 is addressed to the outside interface of the Sonicwall.
I am not a DNS guru and would love some expert advice on how to get this PIX working asap. I have called my ISP to schedule any needed DNS changes on their end, as they host authoritative DNS for our domain. I just don't know what to tell them!

This is an urgent matter, as the Sonicwall has been failing and will probably not last long. I am awarding maximum points for the quickest solution.

PIX config details (I will post the full config if needed):
DMZ security 50, 192.168.1.1
WAN security 0, X.X.X.194
LAN security 100, 192.168.0.1
Email server, NAT from 192.168.0.11 to X.X.X.195
Webserver, NAT from 192.168.1.2 to X.X.X.196
Question by:CoSmismgr
5 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22602500


So you added the static NATs, good; you also need to craft an ACL to allow the traffic in through the PIX.

access-list WAN permit tcp any host x.x.x.195 eq 80
access-list WAN permit tcp any host x.x.x.196 eq 25
ip access-group WAN in interface WAN

harbor235 :}
0
 
LVL 12

Accepted Solution

by: Pugglewuggle earned 500 total points
ID: 22602808
The bottom line is that this has nothing to do with DNS configuration on the PIX. All you have to do is configure your domain's DNS to point to the right public IP address. The PIX will handle the rest.
Harbor's commands for configuring the ACLs are right except he reversed your IP addresses. Use these instead:
access-list WAN permit tcp any host x.x.x.195 eq smtp
access-list WAN permit tcp any host x.x.x.196 eq http
ip access-group WAN in interface WAN

You need much more than ACLs to make your servers accessible. Primarily static NAT statements.
static (LAN,WAN) tcp x.x.x.195 smtp 192.168.0.11 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp x.x.x.196 www 192.168.1.2 www netmask 255.255.255.255
PLEASE NOTE THIS THOUGH BEFORE YOU ENTER THESE COMMANDS - YOU SAY YOUR DOMAIN'S DNS SAYS THAT YOUR MAIL SERVER IS .194. IF THIS IS THE CASE, THEN YOU MUST CHANGE THE .195 IN THE ACLs I PROVIDED TO .194 OR IT WON'T WORK.
Also, you do own those public IP addresses .195 and .196, right?
Also, if you want other computers on the LAN to be able to access the web then you need:
global (outside) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (LAN) 1 0.0.0.0 0.0.0.0
One other point - this will not get you access to the servers from the LAN interface when accessing by URL or public IP. You must add additional configuration for that but this will get you up and running immediately!
 
0
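As an added check that is not part of any answer in this thread: a small Python audit that cross-checks the three things that had to agree here, the static NAT lines, the inbound ACL permits and the MX/A records. The config and DNS values are constructed from what the thread quotes (same masked x.x.x prefix), so the one finding it reports is exactly the .194 versus .195 mismatch the accepted answer warns about.

```python
import re

# Constructed sample, built from the lines quoted in this thread: the corrected
# static NAT and ACL entries from the accepted answer, plus the A record the
# asker's nslookup returned. The "x.x.x" mask is kept; values compare as text.
PIX_CONFIG = """
static (LAN,WAN) tcp x.x.x.195 smtp 192.168.0.11 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp x.x.x.196 www 192.168.1.2 www netmask 255.255.255.255
access-list WAN permit tcp any host x.x.x.195 eq smtp
access-list WAN permit tcp any host x.x.x.196 eq http
ip access-group WAN in interface WAN
"""
DNS_A = {"mail.this.is.my.domain": "x.x.x.194"}  # A record the asker quoted
MX_HOSTS = ["mail.this.is.my.domain"]             # preference-10 MX target

PORT_ALIAS = {"smtp": "25", "www": "80", "http": "80"}  # PIX keyword -> number
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list \S+ permit tcp any host (\S+) eq (\S+)")

def parse_statics(cfg):
    """Map (public_ip, port) -> (inside_iface, real_ip) for tcp port statics."""
    out = {}
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            inside, _outside, pub, pport, real, _rport = m.groups()
            out[(pub, PORT_ALIAS.get(pport, pport))] = (inside, real)
    return out

def parse_acl_permits(cfg):
    """Set of (public_ip, port) pairs the inbound ACL permits from any source."""
    return {(m.group(1), PORT_ALIAS.get(m.group(2), m.group(2)))
            for line in cfg.splitlines()
            if (m := ACL_RE.match(line.strip()))}

def audit(cfg, dns_a, mx_hosts):
    """Cross-check statics, ACL permits and MX/A records; return findings."""
    statics, permits, findings = parse_statics(cfg), parse_acl_permits(cfg), []
    mapped = set(statics)
    for pub, port in sorted(mapped - permits):
        findings.append(f"static {pub}:{port} has no ACL permit, traffic is dropped")
    for pub, port in sorted(permits - mapped):
        findings.append(f"ACL permits {pub}:{port} but no static maps it inside")
    smtp_publics = {pub for pub, port in mapped if port == "25"}
    for host in mx_hosts:
        addr = dns_a.get(host)
        if addr not in smtp_publics:
            findings.append(f"MX host {host} resolves to {addr}, not an SMTP static")
    return findings
```

Feeding it the first reply's ACL lines (ports swapped) instead reports each static with no permit and each permit with no static, which is the symptom the asker saw: SMTP never reaching the LAN server.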
 
LVL 5

Author Comment

by:CoSmismgr
ID: 22602811
I have already included the ACL for port 80 and 25. I am missing something that is preventing smtp from reaching my email server.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602812
Oh, and with the .194, if that is the case then you must change it in the static NAT as well.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 22703602
Thanks pugglewuggle,

Turned out I was missing the nat statement to allow web access to LAN. All of your suggestions were correct and the PIX is online. I would like to allow access to the servers from the LAN interface when accessing by URL or public IP but will look into that now that it is functional.
0
