Solved

How to configure DNS for new Firewall?

Posted on 2008-09-29
Last Modified: 2012-05-05
I want to switch from our Sonicwall Pro 100 firewall to a PIX 515e.

I have configured the PIX pretty straightforwardly. There are two one-to-one NATs: one for a webserver on the DMZ and one for our email server on the LAN. I have created ACLs which allow www to both the webserver and email server as well as to allow SMTP to the email server. I have tested the PIX several times and the problem I keep having is this: SMTP packets are not getting to my email server on the LAN.

Using nslookup, set type=mx for our domain "this.is.my.domain" returns:
this.is.my.domain     MX preference = 20, mail exchanger = my.isp.domain
this.is.my.domain     MX preference = 10, mail exchanger = mail.this.is.my.domain

nslookup mail.this.is.my.domain:
Address: X.X.X.194

The IP address X.X.X.194 is addressed to the outside interface of the Sonicwall.
I am not a DNS guru and would love some expert advice on how to get this PIX working asap. I have called my ISP to schedule any needed DNS changes on their end, as they host authoritative DNS for our domain. I just don't know what to tell them!

This is an urgent matter, as the Sonicwall has been failing and will probably not last long. I am awarding maximum points for the quickest solution.

PIX config details (I will post the full config if needed):
DMZ security 50, 192.168.1.1
WAN security 0, X.X.X.194
LAN security 100, 192.168.0.1
Email server, NAT from 192.168.0.11 to X.X.X.195
Webserver, NAT from 192.168.1.2 to X.X.X.196
Question by: CoSmismgr
5 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22602500
So you added the static NATs, good; you also need to craft an ACL to allow the traffic in through the PIX.

access-list WAN permit tcp any host x.x.x.195 eq 80
access-list WAN permit tcp any host x.x.x.196 eq 25
access-group WAN in interface WAN

harbor235 :}
 
LVL 12

Accepted Solution

by: Pugglewuggle (earned 2000 total points)
ID: 22602808
The bottom line is that this has nothing to do with DNS configuration on the PIX. All you have to do is configure your domain's DNS to point to the right public IP address. The PIX will handle the rest.
Harbor's commands for configuring the ACLs are right except he reversed your IP addresses. Use these instead:
access-list WAN permit tcp any host x.x.x.195 eq smtp
access-list WAN permit tcp any host x.x.x.196 eq http
access-group WAN in interface WAN

You need much more than ACLs to make your servers accessible. Primarily static NAT statements.
static (LAN,WAN) tcp x.x.x.195 smtp 192.168.0.11 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp x.x.x.196 www 192.168.1.2 www netmask 255.255.255.255
PLEASE NOTE THIS THOUGH BEFORE YOU ENTER THESE COMMANDS - YOU SAY YOUR DOMAIN'S DNS SAYS THAT YOUR MAIL SERVER IS .194. IF THIS IS THE CASE, THEN YOU MUST CHANGE THE .195 IN THE ACLs I PROVIDED TO .194 OR IT WON'T WORK.
Also, you do own those public IP addresses .195 and .196, right?
Also, if you want other computers on the LAN to be able to access the web then you need:
global (WAN) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (LAN) 1 0.0.0.0 0.0.0.0
One other point - this will not get you access to the servers from the LAN interface when accessing by URL or public IP. You must add additional configuration for that but this will get you up and running immediately!
LVL 5

Author Comment

by:CoSmismgr
ID: 22602811
I have already included the ACL for port 80 and 25. I am missing something that is preventing smtp from reaching my email server.
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602812
Oh, and with the .194, if that is the case then you must change it in the static NAT as well.
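A consistency check for the mismatch Pugglewuggle warns about in the accepted solution and the follow-up (DNS advertising .194 while the static NAT and ACL name .195), added here as an example and not code from the thread. The config it parses is a constructed sample in the style of the answer; the interface names and private addresses come from the question, the public addresses are made up from the 203.0.113.0/24 documentation range.

```python
import re

# Constructed sample PIX configuration in the style of the accepted answer.
# Interface names and private addresses are from the question; the public
# addresses are invented from the 203.0.113.0/24 documentation range.
PIX_CONFIG = """
static (LAN,WAN) tcp 203.0.113.195 smtp 192.168.0.11 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp 203.0.113.196 www 192.168.1.2 www netmask 255.255.255.255
access-list WAN permit tcp any host 203.0.113.195 eq smtp
access-list WAN permit tcp any host 203.0.113.196 eq http
access-group WAN in interface WAN
"""

# Port names PIX accepts in 'eq' and in static PAT, mapped to numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)$")


def to_port(token):
    """Translate a PIX port token (name or number) to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(text):
    """Return ({(global_ip, port): (local_ip, port)}, {(global_ip, port)})."""
    statics, permits = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[(m[3], to_port(m[4]))] = (m[5], to_port(m[6]))
        elif m := ACL_RE.match(line):
            permits.add((m[2], to_port(m[3])))
    return statics, permits


def check_service(public_ip, port, statics, permits):
    """List what is missing for a service that DNS advertises at public_ip:port.
    Pre-8.3 PIX matches inbound ACLs on the global (translated) address, so the
    static and the permit must both name the IP the MX record resolves to."""
    findings = []
    if (public_ip, port) not in statics:
        findings.append(f"no static NAT for {public_ip}:{port}")
    if (public_ip, port) not in permits:
        findings.append(f"no inbound ACL permit for {public_ip}:{port}")
    return findings
```

Run `check_service("203.0.113.194", 25, *parse_config(PIX_CONFIG))` to reproduce the thread's situation: the MX still points at the old firewall address, so both the static and the permit are reported missing, while .195 passes cleanly.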
LVL 5

Author Comment

by:CoSmismgr
ID: 22703602
Thanks pugglewuggle,

Turned out I was missing the nat statement to allow web access to LAN. All of your suggestions were correct and the PIX is online. I would like to allow access to the servers from the LAN interface when accessing by URL or public IP but will look into that now that it is functional.