Re: Unable to make DNS requests from inside the DMZ
- From: "Trendkill" <jpmason@xxxxxxxxx>
- Date: 15 Mar 2007 12:46:36 -0700
On Mar 15, 3:43 pm, "Trendkill" <jpma...@xxxxxxxxx> wrote:
On Mar 15, 3:30 pm, "Chris" <chriswalt...@xxxxxxxxx> wrote:
On Mar 15, 3:21 pm, "Trendkill" <jpma...@xxxxxxxxx> wrote:
On Mar 15, 3:14 pm, "Chris" <chriswalt...@xxxxxxxxx> wrote:
I inherited a LAN with a not-very-well documented DMZ. My DNS server
is 172.16.1.159/16, and my DMZ client is 172.30.1.3. The DNS server's
default gateway is the PIX's "inside" port (172.16.1.181), and the DMZ
client's default gateway is the PIX's "dmz" port (172.30.1.1). The PIX
is a 525 running PIX OS 6.3(5).
In order for the DMZ client to be able to access HTTP and DNS ports on
the DNS server, I have the following ACL rules in place:
access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq www
access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq domain
access-list dmzin permit udp host 172.30.1.3 host 172.30.1.159 eq domain
static (inside,dmz) tcp 172.30.1.159 www 172.16.1.159 www netmask 255.255.255.255 0 0
static (inside,dmz) tcp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0
static (inside,dmz) udp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0
I have both UDP & TCP permitted on port 53, so DNS requests from the
DMZ to Inside should work. But they don't seem to! HTTP requests from
the DMZ to Inside function correctly. Interestingly, I can telnet to
the DNS port on the server from the DMZ, I just can't actually make
requests. Like so:
$ telnet 172.30.1.159 53
Trying 172.30.1.159...
Connected to 172.30.1.159.
Escape character is '^]'.
AS<KDJASKLDJAKLSDJKLASJDASD
^]
telnet> quit
Connection to 172.30.1.159 closed.
$ nslookup
*** Can't find server name for address 172.30.1.159: Non-existent host/domain
*** Default servers are not available
Am I missing something obvious here? The PIX has fixup enabled for
both HTTP and DNS. I've tried enabling the "listen-on" option on the
BIND server (v8), but to no avail.
Thanks,
Chris
Why do you have 172.30.1.159 in your static route configs? I didn't
see this IP anywhere? Don't you mean 172.16.1.159 or 172.30.1.3?
Forgive me if it's a dumb question, not an expert when it comes to
PIX.....
I'm not sure why this was set up the way it was in the first place,
but the way I see it is that 172.16.1.159 is the "inside" IP for a
server, and 172.30.1.159 is its "virtual" DMZ IP for the same server.
I can add new ACLs and statics to get other services working (e.g.
FTP), just not DNS...
Chris
It looks to me from the error that it has something to do with the
local box. See this post on another forum related to reverse zone
lookups. It does not look like a pix/routing issue to me.
http://www.pcreview.co.uk/forums/thread-1473940.php
Here is another link re: sun since it looks like you are running nix.
http://www.clip.dia.fi.upm.es/~alopez/solaris/sun-managers7/0074.html
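The reply above points at nslookup's reverse lookup rather than the PIX. The following added example (not from anyone in this thread) separates the two questions: whether port 53 on the DMZ-side static address actually answers a forward query over UDP and over TCP, and whether the PTR record for that address resolves, which is what nslookup tries first and complains about. It assumes Python 3; the server address comes from the thread and the query name is a placeholder.

```python
import socket
import struct
import sys

A, PTR = 1, 12  # DNS query types used here

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set), one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def ptr_name(ip):
    """The in-addr.arpa name nslookup resolves first to print the server's name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def parse_header(resp):
    """Return (txid, rcode, answer_count); rcode 0 is success, 3 is NXDOMAIN."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x000F, an

def query(server, name, qtype, proto="udp", timeout=3.0):
    """Send one query over UDP or TCP; return parse_header() or an error string."""
    msg = build_query(name, qtype)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(msg, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(msg)) + msg)
                ln = struct.unpack("!H", s.recv(2))[0]
                data = b""
                while len(data) < ln:
                    data += s.recv(ln - len(data))
        return parse_header(data)
    except (OSError, struct.error) as e:
        return f"{proto} error: {e}"

if __name__ == "__main__":
    # Defaults are placeholders taken from the thread; pass your own on the CLI.
    server = sys.argv[1] if len(sys.argv) > 1 else "172.30.1.159"
    name = sys.argv[2] if len(sys.argv) > 2 else "www.example.com"
    for proto in ("udp", "tcp"):
        print(proto, "forward:", query(server, name, A, proto))
        print(proto, "reverse:", query(server, ptr_name(server), PTR, proto))
```

A forward answer with rcode 0 on both transports alongside rcode 3 for the reverse query means the PIX statics are passing DNS and only the PTR zone is missing.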