Solved

Pix 506 nameserver passthrough

Posted on 2010-09-24
3
543 Views
Last Modified: 2012-05-10
hi guys

i have built 2 nameservers that i need to be able to get BIND requests.  please review my config and let me know what else i need to do.

thanks

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.xxx.183.141 NS2
name xxx.xxx.183.140 NS1
object-group icmp-type icmp-grp 
  description ICMP Types allowed into the PIX
  icmp-object echo-reply 
  icmp-object unreachable 
  icmp-object time-exceeded 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq smtp 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq www 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq https 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6001 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6002 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6003 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS1 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS2 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS1 eq 1023 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS2 eq 1023 
access-list inside_access_in permit tcp interface inside interface outside 
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm location 10.10.11.40 255.255.255.255 inside
pdm location 10.10.11.41 255.255.255.255 inside
pdm location NS1 255.255.255.255 outside
pdm location NS2 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS1 3389 10.10.11.40 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS2 3389 10.10.11.41 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0 
static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0 
static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:5b4acd2a50600f93adef2c5a76bb8abd
: end
[OK]

Open in new window

0
Comment
Question by:johnkesoglou
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
guitar7man earned 500 total points
ID: 33756467
When you say bind requests, do you mean zone transfers or DNS queries? Or both?

What's up with these:

static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0
static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0

In either case, the destination port would be 53 under normal circumstances (for queries or zone transfers) but in the statics above, they have port 1023 listed and then translate that to 53. Not sure if that's needed for your requirements.

If it was me, I'd drop the port translations and leave the access policy to the ACLs.

no static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS1 3389 10.10.11.40 3389 netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS2 3389 10.10.11.41 3389 netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0

static (inside,outside) NS1 10.10.11.40 netmask 255.255.255.255 0 0
static (inside,outside) NS2 10.10.11.41 netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any gt 1023 host NS1 eq 53
access-list outside_access_in permit tcp any gt 1023 host NS2 eq 53
access-list outside_access_in permit udp any host NS1 eq 53
access-list outside_access_in permit udp any host NS2 eq 53

The above does not include zone transfers, just queries. Zone transfers would have a source port of 53 as well, and you'd want to lock down those zone transfer ACLs to specific source addresses.
0
 
LVL 3

Expert Comment

by:guitar7man
ID: 33756477
If you need that port 1023 pointing to domain for port translation, disregard what I posted above though.
0
 

Author Closing Comment

by:johnkesoglou
ID: 33756538
that worked beautifully!
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now