Cisco PIX - DNS Issue when using VPN (Public IP received in reply when pinging internal hosts)

I inherited a Cisco PIX firewall running IOS 6.3. VPN is configured and working fine; however, I noticed an issue when logged into VPN. When pinging an internal host with a private IP address, I get the associated public IP address of the server.

For example, when pinging domain.local, which should have an IP address of 192.168.1.25, I get a response of 74.x.x.x. An interesting fact is that this only happens for servers which have a static mapping of external IP to internal IP, such as Microsoft Exchange.

This is causing issues when trying to resolve the internal IP address of my Exchange server.

When running ipconfig I see the correct DNS server listed. Any direction on where to begin would be appreciated.
bbwonders Asked:

bbwonders (Author) Commented:
I was able to resolve this myself by removing the alias for the IP on the PIX.
ugnvs Commented:
To begin with...

Try running nslookup for your local Exchange server against the DNS server which is configured at your workstation. If it returns the public IP address of Exchange, then there are chances that it is configured that way in your local DNS. If not, then check the hosts file at your workstation. The idea is to determine the source of the DNS response. The final variant, though very unlikely, is that your domain.local is really configured at a public DNS on the Internet and your local DNS forwards requests to the Internet. I.e. you may check your DNS resolution in detail.
bbwonders (Author) Commented:
Actually, I checked all of that even before I posted.

When doing an nslookup with set type=A for my Exchange server, using my own workstation or any workstation that is connected to VPN, I get the public IP of the server instead of the private IP.

Also, I checked the DNS forwarders on my DNS server and it's not being forwarded to my ISP's DNS. Plus, .local is not a valid top-level domain.

I still think it has something to do with the PIX firewall modifying the address.

Default Server:  dns.domain.local
Address:  192.168.0.20

> set type=A
> exchange.domain.local
Server:  dns.domain.local
Address:  192.168.0.20

Name:    exchange.domain.local
Address:  74.x.x.x

bbwonders (Author) Commented:
Anyone?
ugnvs Commented:
If your workstation IP config does not use your PIX as DNS, then it has nothing to do with that case. And anyway, whether PIX serves as DNS or not, the text which you have posted makes me think that your local DNS server configuration contains an A record for exchange.domain.local with the public address.
bbwonders (Author) Commented:
Ok then riddle me this.

When I do an nslookup from a host that is internal and not connected to VPN (I RDP into the box) and is using the same DNS, how come I am getting an IP that is internal?

When I do an nslookup from any machine connecting via VPN (not necessarily my computer), the same DNS is providing a public IP address.

I am lost now....
vreinaldo Commented:
Hello there,

Verify your NoNAT statement. Once I was dealing with this problem, and the issue was in the NoNAT.

If you see everything OK, try to post your config to see if there's another problem causing this.

bbwonders (Author) Commented:
Good catch, I see the NoNAT statement in there. Also, interestingly, I see an alias for my host 192.168.0.20 to my public IP of 74.x.x.x.

I think that's where it's coming from. Not sure why alias is being used. See config below; I have edited it for security reasons, of course.

Any direction would be appreciated.

sh access-list
access-list NoNAT; 1 elements
access-list NoNAT line 1 permit ip 192.168.0.0 255.255.255.0 172.x.x.x 255.255.255.0

sh run
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.0.20 74.x.x.x 255.255.255.255
static (inside,outside) 74.x.x.x 192.168.0.20 netmask 255.255.255.255 0 0
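
The posted config shows the cause: the PIX alias entry rewrites A records in DNS replies that cross the inside interface, which is why VPN clients see 74.x.x.x while hosts on the LAN see the private address. As an added example (not code from the thread or from Cisco), the script below audits a PIX 6.x config for alias entries, matches them against an nslookup answer of the shape posted above, and emits the "no alias" command that the author ultimately used to fix it. The config and nslookup text are constructed, with 203.0.113.25 standing in for the redacted 74.x.x.x; the rewrite direction assumed (private dnat_ip replaced by the public foreign_ip in replies sent toward the VPN client) is the one observed in the thread.

```python
import re

# Constructed PIX 6.x config fragment modelled on the one posted in the thread.
# 203.0.113.25 is a documentation address standing in for the redacted 74.x.x.x.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.0.20 203.0.113.25 255.255.255.255
static (inside,outside) 203.0.113.25 192.168.0.20 netmask 255.255.255.255 0 0
"""

# Constructed nslookup output as a VPN client sees it (same shape as the posted one).
SAMPLE_NSLOOKUP = """\
Server:  dns.domain.local
Address:  192.168.0.20

Name:    exchange.domain.local
Address:  203.0.113.25
"""

# PIX syntax: alias [(if_name)] dnat_ip foreign_ip [netmask]
ALIAS_RE = re.compile(r"^alias\s+\((\w+)\)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.M)


def parse_aliases(config):
    """Return a list of (interface, dnat_ip, foreign_ip, netmask) from alias lines."""
    return [(m.group(1), m.group(2), m.group(3), m.group(4) or "255.255.255.255")
            for m in ALIAS_RE.finditer(config)]


def answered_addresses(nslookup_text):
    """Addresses from the 'Name:'/'Address:' answer part, skipping the server banner."""
    _, _, answer = nslookup_text.partition("Name:")
    return re.findall(r"Address:\s+(\S+)", answer)


def explain_doctored_answers(config, nslookup_text):
    """Map each answered address to the alias that would have rewritten it.

    An answer equal to an alias foreign_ip is attributed to that alias (the
    direction seen in the thread). Returns {answer: (dnat_ip, removal command)}.
    """
    by_foreign = {a[2]: a for a in parse_aliases(config)}
    findings = {}
    for addr in answered_addresses(nslookup_text):
        if addr in by_foreign:
            ifc, dnat, foreign, mask = by_foreign[addr]
            findings[addr] = (dnat, f"no alias ({ifc}) {dnat} {foreign} {mask}")
    return findings


if __name__ == "__main__":
    for public, (private, fix) in explain_doctored_answers(SAMPLE_CONFIG, SAMPLE_NSLOOKUP).items():
        print(f"{public} is the alias foreign address of {private}; remove with: {fix}")
```

Run against a real "sh run" capture and the nslookup output from a VPN client, an empty result means the public answer is not explained by an alias and the DNS zone itself or the client's hosts file should be checked next, as suggested earlier in the thread.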