Solved

How to configure DNS for new Firewall?

Posted on 2008-09-29
5
325 Views
Last Modified: 2012-05-05
I want to switch from our Sonicwall Pro 100 firewall to a PIX 515e.

I have configured the PIX pretty straight-forward. There are two one-to-one NATs: one for a webserver on the DMZ and one for our email server on the LAN. I have created ACLs which allow www to both the webserver and email server as well as to allow SMTP to the email server. I have tested the PIX several times and the problem I keep having is this: SMTP packets are not getting to my email server on the LAN.

Using nslookup, set type=mx for our domain "this.is.my.domain" returns:
this.is.my.domain     MX preference = 20, mail exchanger = my.isp.domain
this.is.my.domain     MX preference = 10, mail exchanger = mail.this.is.my.domain

nslookup mail.this.is.my.domain:
Address: X.X.X.194

The IP address X.X.X.194 is addressed to the outside interface of the Sonicwall.
I am not a DNS guru and would love some expert advice on how to get this PIX working asap. I have called my ISP to schedule any needed DNS changes on their end, as they host authoritative DNS for our domain. I just don't know what to tell them!

This is an urgent matter, as the Sonicwall has been failing and will probably not last long. I am awarding maximum points for the quickest solution.

PIX config details (I will post the full config if needed):
DMZ security 50, 192.168.1.1
WAN security 0, X.X.X.194
LAN security 100, 192.168.0.1
Email server, NAT from 192.168.0.11 to X.X.X.195
Webserver, NAT from 192.168.1.2 to X.X.X.196
Question by:CoSmismgr
5 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22602500


So you added the static NATs, good; you also need to craft an ACL to allow the traffic in through the PIX.

access-list WAN permit tcp any host x.x.x.195 eq 80
access-list WAN permit tcp any host x.x.x.196 eq 25
ip access-group WAN in interface WAN

harbor235 :}
LVL 12

Accepted Solution

by:Pugglewuggle (earned 500 total points)
ID: 22602808
The bottom line is that this has nothing to do with DNS configuration on the PIX. All you have to do is configure your domain's DNS to point to the right public IP address. The PIX will handle the rest.
Harbor's commands for configuring the ACLs are right except he reversed your IP addresses. Use these instead:
access-list WAN permit tcp any host x.x.x.195 eq smtp
access-list WAN permit tcp any host x.x.x.196 eq http
ip access-group WAN in interface WAN

You need much more than ACLs to make your servers accessible. Primarily static NAT statements.
static (LAN,WAN) tcp x.x.x.195 smtp 192.168.0.11 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp x.x.x.196 www 192.168.1.2 www netmask 255.255.255.255
PLEASE NOTE THIS THOUGH BEFORE YOU ENTER THESE COMMANDS - YOU SAY YOUR DOMAIN'S DNS SAYS THAT YOUR MAIL SERVER IS .194. IF THIS IS THE CASE, THEN YOU MUST CHANGE THE .195 IN THE ACLs I PROVIDED TO .194 OR IT WON'T WORK.
Also, you do own those public IP addresses .195 and .196, right?
Also, if you want other computers on the LAN to be able to access the web then you need:
global (outside) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (LAN) 1 0.0.0.0 0.0.0.0
One other point - this will not get you access to the servers from the LAN interface when accessing by URL or public IP. You must add additional configuration for that but this will get you up and running immediately!
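A pre-cutover check for the mismatch the accepted answer warns about (the MX host resolving to .194 while the static NAT and ACL lines name .195), written as an added example that is not code from the thread, from Cisco, or from either poster: it resolves the lowest-preference MX against a constructed DNS table, parses PIX-style static and access-list lines, and reports whether the address DNS advertises has both a static NAT and a permit for tcp/25. The hostnames, the 203.0.113.x/198.51.100.x addresses and the config fragments are constructed; a real check would query live DNS and read the running config instead.

```python
"""Cross-check a domain's MX/A records against PIX static NAT and ACL lines.

Added example with constructed data: the point is to catch DNS pointing at
one public address while the firewall forwards a different one.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed DNS answers keyed by (name, record type). The preferred MX host
# resolves to the .194 address, mirroring the question.
DNS: Dict[Tuple[str, str], list] = {
    ("this.is.my.domain", "MX"): [(20, "my.isp.domain"), (10, "mail.this.is.my.domain")],
    ("mail.this.is.my.domain", "A"): ["203.0.113.194"],
    ("my.isp.domain", "A"): ["198.51.100.25"],
}

# Constructed PIX fragment in the syntax the accepted answer uses: the mail
# server is published on .195, which DNS does not advertise.
CONFIG_AS_POSTED = """
static (LAN,WAN) tcp 203.0.113.195 smtp 192.168.0.11 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp 203.0.113.196 www 192.168.1.2 www netmask 255.255.255.255
access-list WAN permit tcp any host 203.0.113.195 eq smtp
access-list WAN permit tcp any host 203.0.113.196 eq http
"""

# Same fragment with the mail server published on the address DNS advertises.
CONFIG_MATCHING_DNS = CONFIG_AS_POSTED.replace("203.0.113.195", "203.0.113.194")

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")


def to_port(token: str) -> int:
    """Map a PIX port keyword (smtp, www, http) or a number to an integer port."""
    return PORT_NAMES.get(token.lower()) or int(token)


def parse_pix(config: str):
    """Return (static NATs keyed by (public_ip, port), set of permitted (ip, port)).

    Only static and access-list lines are parsed; other lines are ignored.
    """
    statics, permits = {}, set()
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line)
        if m:
            inside, _outside, pub_ip, pub_port, priv_ip, priv_port = m.groups()
            statics[(pub_ip, to_port(pub_port))] = (inside, priv_ip, to_port(priv_port))
            continue
        m = ACL_RE.match(line)
        if m:
            _acl, ip, port = m.groups()
            permits.add((ip, to_port(port)))
    return statics, permits


def resolve_mx(dns, domain: str) -> Tuple[Optional[str], List[str]]:
    """Return the lowest-preference MX host that has A records, with those records."""
    for _pref, host in sorted(dns.get((domain, "MX"), [])):
        addrs = dns.get((host, "A"), [])
        if addrs:
            return host, addrs
    return None, []


def check_inbound_smtp(dns, config: str, domain: str) -> List[dict]:
    """For each address the preferred MX resolves to, report whether the
    firewall has a static NAT for tcp/25 on it and an ACL entry permitting it."""
    host, addrs = resolve_mx(dns, domain)
    statics, permits = parse_pix(config)
    findings = []
    for ip in addrs:
        nat = statics.get((ip, 25))
        findings.append({
            "mx_host": host,
            "public_ip": ip,
            "static_nat": nat is not None,
            "acl_permit": (ip, 25) in permits,
            "forwards_to": nat[1] if nat else None,
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("matching DNS", CONFIG_MATCHING_DNS)):
        for f in check_inbound_smtp(DNS, cfg, "this.is.my.domain"):
            ok = f["static_nat"] and f["acl_permit"]
            print(f"[{label}] MX {f['mx_host']} -> {f['public_ip']}: "
                  f"static_nat={f['static_nat']} acl_permit={f['acl_permit']} "
                  f"{'OK, forwards to ' + f['forwards_to'] if ok else 'SMTP will be dropped'}")
```

Run against the "as posted" fragment the check flags .194 with neither a static NAT nor a permit, which is exactly the symptom in the question; against the corrected fragment it reports the forward to 192.168.0.11. The same structure extends to the web server by checking port 80 instead of 25.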
LVL 5

Author Comment

by:CoSmismgr
ID: 22602811
I have already included the ACL for port 80 and 25. I am missing something that is preventing smtp from reaching my email server.
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602812
Oh, and with the .194, if that is the case then you must change it in the static NAT as well.
LVL 5

Author Comment

by:CoSmismgr
ID: 22703602
Thanks pugglewuggle,

Turned out I was missing the nat statement to allow web access to LAN. All of your suggestions were correct and the PIX is online. I would like to allow access to the servers from the LAN interface when accessing by URL or public IP but will look into that now that it is functional.