Re: PIX access list stops external DNS lookup
From: john stapleton (m.noon_at_tmgltd.co.uk)
Date: 10/19/03
- Next message: GuitarMan: "Re: Netgear or D-Link Cable/DSL router?"
- Previous message: Duane Arnold: "Re: Netgear or D-Link Cable/DSL router?"
- In reply to: Chris: "Re: PIX access list stops external DNS lookup"
- Next in thread: john stapleton: "Re: PIX access list stops external DNS lookup"
- Reply: john stapleton: "Re: PIX access list stops external DNS lookup"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 19 Oct 2003 14:04:05 -0700
"Chris" <never@work> wrote in message news:<votj2shngaoe3a@corp.supernews.com>...
> "john stapleton" <m.noon@tmgltd.co.uk> wrote in message
> news:c7973f17.0310160809.10175113@posting.google.com...
> > I have a mail relay in a DMZ, which I want to be able to do a DNS
> > lookup on an external nameserver.
> > It and other hosts on the DMZ subnet can do this by default, but as
> > soon as I add an access-group to allow the mail host to talk to my
> > internal mail host on port 25, it stops the external queries working
> > from all hosts within the DMZ with the following message:
> >
> > 2003-10-14 18:22:47 Kernel.Warning x.x.x.x %PIX-4-106023: Deny udp src
> > DMZ4:10.x.x.x/1072 dst outside:194.x.x.x/53 by access-group
> > "DMZ4_INBOUND"
> >
> > relevant bits......as follows
> >
> >
> > PIX Version 6.1(4)
> >
> > access-list DMZ4_INBOUND permit tcp host 10.x.x.x host 172.x.x.x eq
> > smtp
> >
> > global (outside) 1 81.x.x.x-81.x.x.x
> >
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> >
> > static (inside,DMZ4) 172.x.x.x 172.x.x.x netmask 255.255.255.255 0 0
> >
> > access-group DMZ4_INBOUND in interface DMZ4
> >
> >
> >
> >
> > How do I get the DMZ mail host talking to the inside along with the
> > ability to query external DNS????
>
> Think about it! In order to do DNS queries your server must send UDP 53
> through the PIX on interface DMZ4 to be routed to the outside and on to the
> internet. Before you applied the ACL your server could send DNS traffic from
> the DMZ to the internet (high to low security) but it couldn't send SMTP
> from the DMZ to the inside (low to high security) without an ACL permitting
> it.
>
> Now, you have applied an access list inbound on that interface that allows
> only SMTP to 172.x.x.x and therefore blocks all other traffic. The log on
> the PIX has spelled out the problem, "Deny udp src DMZ4:10.x.x.x/1072 dst
> outside:194.x.x.x/53 by access-group "DMZ4_INBOUND". You must therefore
> allow UDP 53 from 10.x.x.x to anywhere on access-list DMZ4_INBOUND.
>
> Chris.
Thanks Chris, but as I understand it you cannot do an outbound access
list on the PIX???
Do you mean that applying an access list to any host within a DMZ will
disable any other hosts from doing anything outside that DMZ?
Sorry to be dense but this one is confusing me....
access-list dmz_out permit udp host 10.x.x.x any eq domain
access-group DMZ4_DNS ??????????????????
Assuming this access-list will do the job...what would the access
group be?? I was under the impression that you can only allow "in
interface" in an access-group...i.e. inbound on an interface, since this
is what the PIX tells you if you query it....
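Chris's explanation of why the DNS queries broke (once an access-group is applied inbound on DMZ4, the security-level default is replaced by first-match evaluation with an implicit deny at the end) as a worked example, added here and not part of the original thread: a small Python model of that evaluation, run over the thread's logged deny before and after a UDP/53 line is added to the same ACL. All addresses are constructed; the masked x.x.x.x octets are filled with made-up private values.

```python
import re
from dataclasses import dataclass

# Constructed sample based on the thread's masked log line and ACL; the
# x.x.x.x octets are filled with made-up private/documentation addresses.
LOG_LINE = ('%PIX-4-106023: Deny udp src DMZ4:10.1.4.25/1072 '
            'dst outside:194.0.2.53/53 by access-group "DMZ4_INBOUND"')
ACL_BEFORE = ['access-list DMZ4_INBOUND permit tcp host 10.1.4.25 host 172.16.0.25 eq smtp']
ACL_AFTER = ACL_BEFORE + ['access-list DMZ4_INBOUND permit udp host 10.1.4.25 any eq domain']

LOG_RE = re.compile(r'%PIX-4-106023: Deny (?P<proto>\w+) src [\w-]+:(?P<sip>[\d.]+)/\d+ '
                    r'dst [\w-]+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
SERVICES = {'smtp': 25, 'domain': 53}

@dataclass
class Ace:
    proto: str
    src: str
    dst: str
    dport: "int | None"      # None means any destination port

def parse_ace(line):
    """Parse the PIX 6.x subset used in the thread:
    access-list NAME permit PROTO (host A|any) (host B|any) [eq SERVICE]"""
    tok = line.split()
    assert tok[0] == 'access-list' and tok[2] == 'permit', line
    addrs, i = [], 4
    for _ in range(2):                      # source, then destination
        if tok[i] == 'any':
            addrs.append('any'); i += 1
        else:
            addrs.append(tok[i + 1]); i += 2  # 'host X'
    dport = None
    if i < len(tok) and tok[i] == 'eq':
        dport = SERVICES.get(tok[i + 1]) or int(tok[i + 1])
    return tok[1], Ace(tok[3], addrs[0], addrs[1], dport)

def evaluate(acl_lines, proto, sip, dip, dport):
    """First-match evaluation; an applied ACL ends with an implicit deny."""
    for _, ace in map(parse_ace, acl_lines):
        if ace.proto in (proto, 'ip') and ace.src in (sip, 'any') \
           and ace.dst in (dip, 'any') and ace.dport in (dport, None):
            return 'permit'
    return 'deny'

def explain(log_line, acl_lines):
    """Map a 106023 deny back onto the named ACL and re-evaluate the packet."""
    m = LOG_RE.search(log_line)
    assert m and all(parse_ace(l)[0] == m['acl'] for l in acl_lines)
    return evaluate(acl_lines, m['proto'], m['sip'], m['dip'], int(m['dport']))
```

The SMTP line alone yields the deny in the log; adding the UDP/53 permit for the same source host flips the verdict while still leaving other DMZ hosts denied, which is the point of Chris's answer.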