Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 593
  • Last Modified:

Pix 506 nameserver passthrough

hi guys

i have built 2 nameservers that i need to be able to get BIND requests.  please review my config and let me know what else i need to do.

thanks

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.xxx.183.141 NS2
name xxx.xxx.183.140 NS1
object-group icmp-type icmp-grp 
  description ICMP Types allowed into the PIX
  icmp-object echo-reply 
  icmp-object unreachable 
  icmp-object time-exceeded 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq smtp 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq www 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq https 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6001 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6002 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6003 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS1 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS2 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS1 eq 1023 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host NS2 eq 1023 
access-list inside_access_in permit tcp interface inside interface outside 
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm location 10.10.11.40 255.255.255.255 inside
pdm location 10.10.11.41 255.255.255.255 inside
pdm location NS1 255.255.255.255 outside
pdm location NS2 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS1 3389 10.10.11.40 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS2 3389 10.10.11.41 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0 
static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0 
static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:5b4acd2a50600f93adef2c5a76bb8abd
: end
[OK]

Open in new window

0
johnkesoglou
Asked:
johnkesoglou
  • 2
1 Solution
 
guitar7manCommented:
When you say bind requests, do you mean zone transfers or DNS queries? Or both?

What's up with these:

static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0
static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0

In either case, the destination port would be 53 under normal circumstances (for queries or zone transfers) but in the statics above, they have port 1023 listed and then translate that to 53. Not sure if that's needed for your requirements.

If it was me, I'd drop the port translations and leave the access policy to the ACLs.

no static (inside,outside) tcp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS1 3389 10.10.11.40 3389 netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS2 3389 10.10.11.41 3389 netmask 255.255.255.255 0 0
no static (inside,outside) tcp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp NS1 1023 10.10.11.40 domain netmask 255.255.255.255 0 0
no static (inside,outside) udp NS2 1023 10.10.11.41 domain netmask 255.255.255.255 0 0

static (inside,outside) NS1 10.10.11.40 netmask 255.255.255.255 0 0
static (inside,outside) NS2 10.10.11.41 netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any gt 1023 host NS1 eq 53
access-list outside_access_in permit tcp any gt 1023 host NS2 eq 53
access-list outside_access_in permit udp any host NS1 eq 53
access-list outside_access_in permit udp any host NS2 eq 53

The above does not include zone transfers, just queries. Zone transfers would have a source port of 53 as well, and you'd want to lock down those zone transfer ACLs to specific source addresses.
0
 
guitar7manCommented:
If you need that port 1023 pointing to domain for port translation, disregard what I posted above though.
0
 
johnkesoglouAuthor Commented:
that worked beautifully!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now