Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Pix 506 nameserver passthrough

Posted on 2010-09-24
3
Medium Priority
?
563 Views
Last Modified: 2012-05-10
hi guys

i have built 2 nameservers that i need to be able to get BIND requests.  please review my config and let me know what else i need to do.

thanks

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.xxx.183.141 NS2
name xxx.xxx.183.140 NS1
object-group icmp-type icmp-grp 
  description ICMP Types allowed into the PIX
  icmp-object echo-reply 
  icmp-object unreachable 
  icmp-object time-exceeded 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq smtp 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq www 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq https 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6001 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6002 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6003 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS1 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS2 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS1 eq 1023 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS2 eq 1023 
access-list inside_access_in permit tcp interface inside interface outside 
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm location 10.10.11.40 255.255.255.255 inside
pdm location 10.10.11.41 255.255.255.255 inside
pdm location NS1 255.255.255.255 outside
pdm location NS2 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS1 3389 10.10.11.40 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS2 3389 10.10.11.41 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0 
static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0 
static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:5b4acd2a50600f93adef2c5a76bb8abd
: end
[OK]

Open in new window

0
Comment
Question by:johnkesoglou
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
guitar7man earned 2000 total points
ID: 33756467
When you say bind requests, do you mean zone transfers or DNS queries? Or both?

What's up with these:

static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0
static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0

In either case, the destination port would be 53 under normal circumstances (for queries or zone transfers) but in the statics above, they have port 1023 listed and then translate that to 53. Not sure if that's needed for your requirements.

If it was me, I'd drop the port translations and leave the access policy to the ACLs.

no static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS1 3389 10.10.11.40 3389 netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS2 3389 10.10.11.41 3389 netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0

static (inside,outside) NS1 10.10.11.40 netmask 255.255.255.255 0 0
static (inside,outside) NS2 10.10.11.41 netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any gt 1023 host NS1 eq 53
access-list outside_access_in permit tcp any gt 1023 host NS2 eq 53
access-list outside_access_in permit udp any host NS1 eq 53
access-list outside_access_in permit udp any host NS2 eq 53

The above does not include zone transfers, just queries. Zone transfers would have a source port of 53 as well, and you'd want to lock down those zone transfer ACLs to specific source addresses.
0
 
LVL 3

Expert Comment

by:guitar7man
ID: 33756477
If you need that port 1023 pointing to domain for port translation, disregard what I posted above though.
0
 

Author Closing Comment

by:johnkesoglou
ID: 33756538
that worked beautifully!
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question