Re: PIX 501 Firewall and DNS
From: Matthew Melbourne (matt_at_n0spam.melbourne.org.uk)
Date: 10/04/03
- Next message: Len S: "Re: Help w/ Zone Alarm"
- Previous message: Invisible Dance: "Re: Trackers Second Review Response"
- In reply to: Sue: "Re: PIX 501 Firewall and DNS"
- Next in thread: Matthew Melbourne: "Re: PIX 501 Firewall and DNS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 03 Oct 2003 22:51:19 GMT
In article <%Bkfb.37824$A%3.488200@ord-read.news.verio.net>,
Sue <sue.biedling@visa-master.com> wrote:
> Matt - Our DNS is configured EXACTLY as you said it should be below.
>
> All workstations used to point happily to the DC, the DC has the ISP's
> DNS address as forwards, and the workstations all make dynamic
> registrations into the Windows 2000 DNS.
>
> However...we installed the Cisco Pix. It was midnight on a Tuesday by
> the time I got done with the technician setting this up. But, we could
> NOT connect to the internet after that. As a quick fix, I hardcoded the
> ISP's DNS on all workstations.
>
> Now...my question is....What do I have to do on the PIX to make this
> right again? You mentioned that on the PIX, I would need to permit DNS
> traffic between the DC(s) and the ISPs' DNS servers. How is that done?
> Cisco will not help me.

By default, the PIX will allow all traffic to flow from a high security
interface (inside interface) to a lower security interface (outside
interface), unless any access-lists are applied to the higher security
interface. If an access-list is applied to the inside interface, then
entries would be required to permit DNS traffic. Are access-lists applied
to interfaces?

Should all external traffic now flow through the PIX? Is there a default
route on the DC pointing to the inside interface of the PIX? Can you
resolve external addresses on the DC itself? Was Internet access provided
before the introduction of the PIX, and if so, how?

Having the PIX temporarily acting as a DHCP server would have created a
segment containing two DHCP servers, which is not helpful. However, it
shouldn't have affected any configuration on the DC.

Cheers,
Matt

--
Matthew Melbourne
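
A simplified model of the rule described in the reply above, as an added example that is not part of the original post and is not Cisco's code: it shows how binding an access-list to the inside interface replaces the default "inside to outside is allowed" behaviour with first-match evaluation and an implicit deny. The addresses, the sample access-lists and the function names are constructed for illustration; NAT and return traffic are not modelled.

```python
# Simplified model (added example) of the PIX rule described in the reply:
# inside (higher security) -> outside (lower security) is allowed by default,
# but once an access-list is bound to the inside interface it is evaluated
# first-match with an implicit deny at the end.
from ipaddress import ip_address, ip_network

# Constructed addresses: DC, a workstation, and an ISP resolver (RFC 5737 range).
DC, WORKSTATION, ISP_DNS = "192.168.1.10", "192.168.1.50", "192.0.2.53"

def ace(action, proto, src, dst, port=None):
    """One access-list entry; port=None matches any destination port."""
    return {"action": action, "proto": proto, "src": ip_network(src),
            "dst": ip_network(dst), "port": port}

def outbound_allowed(inside_acl, proto, src, dst, port):
    """Decide whether a new inside->outside connection is permitted.

    inside_acl=None means no access-list is applied to the inside interface.
    """
    if inside_acl is None:
        return True                      # default: higher -> lower is allowed
    for e in inside_acl:                 # first matching entry wins
        if (e["proto"] in (proto, "ip")
                and ip_address(src) in e["src"]
                and ip_address(dst) in e["dst"]
                and e["port"] in (None, port)):
            return e["action"] == "permit"
    return False                         # implicit deny ends every access-list

# An ACL that only allows web browsing silently drops the DC's DNS forwarding.
WEB_ONLY = [ace("permit", "tcp", "192.168.1.0/24", "0.0.0.0/0", 80)]

# Same ACL with DNS permitted only from the DC to the ISP resolver (UDP and TCP 53).
WEB_PLUS_DC_DNS = WEB_ONLY + [
    ace("permit", "udp", f"{DC}/32", f"{ISP_DNS}/32", 53),
    ace("permit", "tcp", f"{DC}/32", f"{ISP_DNS}/32", 53),
]

def dns_report(inside_acl):
    """Return which hosts can send UDP/53 queries to the ISP resolver."""
    return {host: outbound_allowed(inside_acl, "udp", host, ISP_DNS, 53)
            for host in (DC, WORKSTATION)}

if __name__ == "__main__":
    for name, acl in [("no ACL", None), ("web only", WEB_ONLY),
                      ("web + DC DNS", WEB_PLUS_DC_DNS)]:
        print(name, dns_report(acl))
```

With the last access-list, only the DC reaches the ISP resolver, so workstations with a hardcoded ISP DNS address would stop resolving until they point back at the DC.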