How to configure DNS for new Firewall?

Posted on 2008-09-29
Last Modified: 2012-05-05
I want to switch from our Sonicwall Pro 100 firewall to a PIX 515e.

I have configured the PIX pretty straight-forward. There are two one-to-one NATs: one for a webserver on the DMZ and one for our email server on the LAN. I have created ACLs which allow www to both the webserver and email server as well as to allow SMTP to the email server. I have tested the PIX several times and the problem I keep having is this: SMTP packets are not getting to my email server on the LAN.

Using nslookup, set type=mx for our domain "this.is.my.domain" returns:
this.is.my.domain     MX preference = 20, mail exchanger = my.isp.domain
this.is.my.domain     MX preference = 10, mail exchanger = mail.this.is.my.domain

nslookup mail.this.is.my.domain:
Address: X.X.X.194

The IP address X.X.X.194 is addressed to the outside interface of the Sonicwall.
I am not a DNS guru and would love some expert advice on how to get this PIX working asap. I have called my ISP to schedule any needed DNS changes on their end, as they host authoritative DNS for our domain. I just don't know what to tell them!

This is an urgent matter, as the Sonicwall has been failing and will probably not last long. I am awarding maximum points for the quickest solution.

PIX config details (I will post the full config if needed):
DMZ security 50, 192.168.1.1
WAN security 0, X.X.X.194
LAN security 100, 192.168.0.1
Email server, NAT from 192.168.0.11 to X.X.X.195
Webserver, NAT from 192.168.1.2 to X.X.X.196
Question by:CoSmismgr
LVL 32

Expert Comment

by:harbor235
ID: 22602500


So you added the static NATs, good; you also need to craft an ACL to allow the traffic in through the PIX.

access-list WAN permit tcp any host x.x.x.195 eq 80
access-list WAN permit tcp any host x.x.x.196 eq 25
ip access-group WAN in interface WAN

harbor235 :}
LVL 12

Accepted Solution

by:Pugglewuggle (earned 500 total points)
ID: 22602808
The bottom line is that this has nothing to do with DNS configuration on the PIX. All you have to do is configure your domain's DNS to point to the right public IP address. The PIX will handle the rest.
Harbor's commands for configuring the ACLs are right except he reversed your IP addresses. Use these instead:
access-list WAN permit tcp any host x.x.x.195 eq smtp
access-list WAN permit tcp any host x.x.x.196 eq http
ip access-group WAN in interface WAN

You need much more than ACLs to make your servers accessible. Primarily static NAT statements.
static (LAN,WAN) tcp x.x.x.195 smtp 192.168.0.11 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp x.x.x.196 www 192.168.1.2 www netmask 255.255.255.255
PLEASE NOTE THIS THOUGH BEFORE YOU ENTER THESE COMMANDS - YOU SAY YOUR DOMAIN'S DNS SAYS THAT YOUR MAIL SERVER IS .194. IF THIS IS THE CASE, THEN YOU MUST CHANGE THE .195 IN THE ACLs I PROVIDED TO .194 OR IT WON'T WORK.
Also, you do own those public IP addresses .195 and .196, right?
Also, if you want other computers on the LAN to be able to access the web then you need:
global (outside) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (LAN) 1 0.0.0.0 0.0.0.0
One other point - this will not get you access to the servers from the LAN interface when accessing by URL or public IP. You must add additional configuration for that but this will get you up and running immediately!
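As an added illustration of the accepted answer's point that the static NAT, the access-list and the public DNS record must all agree (example code written for this page, not posted in the thread): a small checker that parses PIX static/access-list lines and reports where they disagree with each other or with the address the MX host resolves to. The 203.0.113.x addresses are stand-ins for the X.X.X addresses in the thread, and the sample config deliberately uses the swapped ports from the first reply.

```python
import re

# Port names as the PIX prints them, so "eq smtp" and "eq 25" compare equal.
PORT_NAMES = {"smtp": 25, "http": 80, "www": 80}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")

# Constructed sample (X.X.X replaced by TEST-NET-3 203.0.113.0/24): statics as in the
# accepted answer, ACLs as first posted in the thread, with the two ports swapped.
CONFIG_AS_POSTED = """
static (LAN,WAN) tcp 203.0.113.195 smtp 192.168.0.11 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp 203.0.113.196 www 192.168.1.2 www netmask 255.255.255.255
access-list WAN permit tcp any host 203.0.113.195 eq 80
access-list WAN permit tcp any host 203.0.113.196 eq 25
access-group WAN in interface WAN
"""
CONFIG_FIXED = CONFIG_AS_POSTED.replace("eq 80", "eq smtp").replace("eq 25", "eq http")
# What the MX lookup plus an A lookup returned in the question: the mail host is .194
MX_TARGETS = {"mail.this.is.my.domain": "203.0.113.194"}


def port_num(name):
    return int(name) if name.isdigit() else PORT_NAMES[name]


def parse_pix(config):
    """Return (static NATs keyed by public (ip, port), set of ACL-permitted (ip, port))."""
    statics, permits = {}, set()
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            inside_if, _, pub_ip, pub_port, in_ip, in_port = m.groups()
            statics[(pub_ip, port_num(pub_port))] = (inside_if, in_ip, port_num(in_port))
            continue
        m = ACL_RE.match(line.strip())
        if m:
            permits.add((m.group(2), port_num(m.group(3))))
    return statics, permits


def audit(config, mx_targets):
    """Return findings: NAT/ACL pairs that do not line up, and MX hosts with no SMTP NAT."""
    statics, permits = parse_pix(config)
    static_keys, findings = set(statics), []
    for ip, port in sorted(static_keys - permits):
        findings.append(f"static NAT {ip}:{port} has no ACL permit; inbound traffic is dropped")
    for ip, port in sorted(permits - static_keys):
        findings.append(f"ACL permits {ip}:{port} but no static NAT maps it; nothing answers")
    for host, ip in sorted(mx_targets.items()):
        if (ip, 25) not in statics:
            findings.append(f"MX host {host} resolves to {ip} but no static NAT forwards {ip}:25")
    return findings
```

Running audit(CONFIG_AS_POSTED, MX_TARGETS) reports four NAT/ACL mismatches plus the .194 DNS problem; with CONFIG_FIXED only the DNS finding remains, which is exactly the change the answer says the ISP must make (or the .195 in the statics and ACLs must become .194).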
LVL 5

Author Comment

by:CoSmismgr
ID: 22602811
I have already included the ACL for port 80 and 25. I am missing something that is preventing smtp from reaching my email server.
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602812
Oh, and with the .194, if that is the case then you must change it in the static NAT as well.
LVL 5

Author Comment

by:CoSmismgr
ID: 22703602
Thanks pugglewuggle,

Turned out I was missing the nat statement to allow web access to LAN. All of your suggestions were correct and the PIX is online. I would like to allow access to the servers from the LAN interface when accessing by URL or public IP but will look into that now that it is functional.