Solved

How to configure DNS for new Firewall?

Posted on 2008-09-29
Last Modified: 2012-05-05
I want to switch from our Sonicwall Pro 100 firewall to a PIX 515e.

I have configured the PIX in a pretty straightforward way. There are two one-to-one NATs: one for a webserver on the DMZ and one for our email server on the LAN. I have created ACLs which allow WWW to both the webserver and email server as well as SMTP to the email server. I have tested the PIX several times and the problem I keep having is this: SMTP packets are not getting to my email server on the LAN.

Using nslookup, set type=mx for our domain "this.is.my.domain" returns:
this.is.my.domain     MX preference = 20, mail exchanger = my.isp.domain
this.is.my.domain     MX preference = 10, mail exchanger = mail.this.is.my.domain

nslookup mail.this.is.my.domain:
Address: X.X.X.194

The IP address X.X.X.194 is addressed to the outside interface of the Sonicwall.
I am not a DNS guru and would love some expert advice on how to get this PIX working asap. I have called my ISP to schedule any needed DNS changes on their end, as they host authoritative DNS for our domain. I just don't know what to tell them!

This is an urgent matter, as the Sonicwall has been failing and will probably not last long. I am awarding maximum points for the quickest solution.

PIX config details (I will post the full config if needed):
DMZ security 50, 192.168.1.1
WAN security 0, X.X.X.194
LAN security 100, 192.168.0.1
Email server, NAT from 192.168.0.11 to X.X.X.195
Webserver, NAT from 192.168.1.2 to X.X.X.196
Question by:CoSmismgr

Expert Comment

by:harbor235
ID: 22602500


So you added the static NATs, good; you also need to craft an ACL to allow the traffic in through the PIX.

access-list WAN permit tcp any host x.x.x.195 eq 80
access-list WAN permit tcp any host x.x.x.196 eq 25
access-group WAN in interface WAN

harbor235 :}

Accepted Solution

by:
Pugglewuggle earned 500 total points
ID: 22602808
The bottom line is that this has nothing to do with DNS configuration on the PIX. All you have to do is configure your domain's DNS to point to the right public IP address. The PIX will handle the rest.
Harbor's commands for configuring the ACLs are right except he reversed your IP addresses. Use these instead:
access-list WAN permit tcp any host x.x.x.195 eq smtp
access-list WAN permit tcp any host x.x.x.196 eq http
access-group WAN in interface WAN

You need much more than ACLs to make your servers accessible. Primarily static NAT statements.
static (LAN,WAN) tcp x.x.x.195 smtp 192.168.0.11 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp x.x.x.196 www 192.168.1.2 www netmask 255.255.255.255
PLEASE NOTE THIS THOUGH BEFORE YOU ENTER THESE COMMANDS - YOU SAY YOUR DOMAIN'S DNS SAYS THAT YOUR MAIL SERVER IS .194. IF THIS IS THE CASE, THEN YOU MUST CHANGE THE .195 IN THE ACLs I PROVIDED TO .194 OR IT WON'T WORK.
Also, you do own those public IP addresses .195 and .196, right?
Also, if you want other computers on the LAN to be able to access the web then you need:
global (WAN) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (LAN) 1 0.0.0.0 0.0.0.0
One other point - this will not get you access to the servers from the LAN interface when accessing by URL or public IP. You must add additional configuration for that but this will get you up and running immediately!
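A cross-check of the three parts this answer ties together (the MX host's A record, the static NAT public address, and the inbound ACL), as an added Python example that is not from the thread; the config lines and DNS records are constructed from the values quoted in the question and answer, and the parser only understands the PIX 6.x port-static and `access-list ... eq` forms used here:

```python
import re

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80}
# PIX 6.x port statics and inbound permits, in the forms used in the thread.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list \w+ permit tcp any host (\S+) eq (\S+)$")

def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_config(lines):
    """Return (statics, permits): statics as (public_ip, port, private_ip), permits as {(public_ip, port)}."""
    statics, permits = [], set()
    for line in (l.strip() for l in lines):
        m = STATIC_RE.match(line)
        if m:
            _in, _out, pub, pub_port, priv, _priv_port = m.groups()
            statics.append((pub, port_num(pub_port), priv))
            continue
        m = ACL_RE.match(line)
        if m:
            permits.add((m.group(1), port_num(m.group(2))))
    return statics, permits

def audit(config_lines, dns_a, mx_hosts):
    """List mismatches between DNS, static NAT and ACL; [] means the three agree."""
    statics, permits = parse_config(config_lines)
    findings = []
    for pub, port, priv in statics:          # every static needs a matching permit
        if (pub, port) not in permits:
            findings.append(f"no inbound permit for {pub}:{port} (static to {priv})")
    smtp_publics = sorted(pub for pub, port, _ in statics if port == 25)
    for mx in mx_hosts:                      # every MX host must resolve to an SMTP static
        addr = dns_a.get(mx)
        if addr is None:
            findings.append(f"MX host {mx} has no A record")
        elif addr not in smtp_publics:
            findings.append(f"MX host {mx} -> {addr} but SMTP static NAT is on {smtp_publics}")
    return findings

# Constructed sample: the accepted answer's lines with the thread's placeholder IPs.
CONFIG = [
    "access-list WAN permit tcp any host x.x.x.195 eq smtp",
    "access-list WAN permit tcp any host x.x.x.196 eq http",
    "static (LAN,WAN) tcp x.x.x.195 smtp 192.168.0.11 smtp netmask 255.255.255.255",
    "static (DMZ,WAN) tcp x.x.x.196 www 192.168.1.2 www netmask 255.255.255.255",
]
MX_HOSTS = ["mail.this.is.my.domain"]                  # preference-10 MX; the ISP relay is skipped
DNS_BEFORE = {"mail.this.is.my.domain": "x.x.x.194"}   # what nslookup showed in the question
DNS_AFTER = {"mail.this.is.my.domain": "x.x.x.195"}    # after the ISP updates the A record
```

Running `audit(CONFIG, DNS_BEFORE, MX_HOSTS)` reports the .194 versus .195 mismatch the answer warns about; with `DNS_AFTER` it returns an empty list.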

Author Comment

by:CoSmismgr
ID: 22602811
I have already included the ACL for port 80 and 25. I am missing something that is preventing smtp from reaching my email server.

Expert Comment

by:Pugglewuggle
ID: 22602812
Oh, and with the .194, if that is the case then you must change it in the static NAT as well.

Author Comment

by:CoSmismgr
ID: 22703602
Thanks pugglewuggle,

Turned out I was missing the nat statement to allow web access to LAN. All of your suggestions were correct and the PIX is online. I would like to allow access to the servers from the LAN interface when accessing by URL or public IP but will look into that now that it is functional.