Solved

Pix 506 nameserver passthrough

Posted on 2010-09-24
3
550 Views
Last Modified: 2012-05-10
hi guys

i have built 2 nameservers that i need to be able to get BIND requests.  please review my config and let me know what else i need to do.

thanks

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.xxx.183.141 NS2
name xxx.xxx.183.140 NS1
object-group icmp-type icmp-grp 
  description ICMP Types allowed into the PIX
  icmp-object echo-reply 
  icmp-object unreachable 
  icmp-object time-exceeded 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq smtp 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq www 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq https 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6001 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6002 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6003 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS1 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS2 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS1 eq 1023 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS2 eq 1023 
access-list inside_access_in permit tcp interface inside interface outside 
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm location 10.10.11.40 255.255.255.255 inside
pdm location 10.10.11.41 255.255.255.255 inside
pdm location NS1 255.255.255.255 outside
pdm location NS2 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS1 3389 10.10.11.40 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS2 3389 10.10.11.41 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0 
static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0 
static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:5b4acd2a50600f93adef2c5a76bb8abd
: end
[OK]

Open in new window

0
Comment
Question by:johnkesoglou
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
guitar7man earned 500 total points
ID: 33756467
When you say bind requests, do you mean zone transfers or DNS queries? Or both?

What's up with these:

static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0
static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0

In either case, the destination port would be 53 under normal circumstances (for queries or zone transfers) but in the statics above, they have port 1023 listed and then translate that to 53. Not sure if that's needed for your requirements.

If it was me, I'd drop the port translations and leave the access policy to the ACLs.

no static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS1 3389 10.10.11.40 3389 netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS2 3389 10.10.11.41 3389 netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0

static (inside,outside) NS1 10.10.11.40 netmask 255.255.255.255 0 0
static (inside,outside) NS2 10.10.11.41 netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any gt 1023 host NS1 eq 53
access-list outside_access_in permit tcp any gt 1023 host NS2 eq 53
access-list outside_access_in permit udp any host NS1 eq 53
access-list outside_access_in permit udp any host NS2 eq 53

The above does not include zone transfers, just queries. Zone transfers would have a source port of 53 as well, and you'd want to lock down those zone transfer ACLs to specific source addresses.
0
 
LVL 3

Expert Comment

by:guitar7man
ID: 33756477
If you need that port 1023 pointing to domain for port translation, disregard what I posted above though.
0
 

Author Closing Comment

by:johnkesoglou
ID: 33756538
that worked beautifully!
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CCNA Data center exam questions 8 82
Radius Debug Error 16 60
Setup NAT/PAT question 3 42
Adding VPN user with Cisco RV110W changes IP address 7 26
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now