I have a DNS on inside using static (200.219.100.30 10.128.128.30). The
DNS database is resolving names to valid IPs. The problem is the
workstations from inside can't access these servers using the valid
IPs. I found some docs on the Cisco site about DNS Doctoring
(http://www.cisco.com/warp/public/110/alias.html) but in the Cisco
example the DNS is on outside. I need that DNS to send some zone forwards to
another DNS that is inside the VPN, so if I move that DNS (200.219.100.30)
to the outside interface it will not have access to the network
10.250.0.0 (VPN). I had the same problem in another situation but I was
using Checkpoint Firewall-1 and it worked.

Is there some way to make it work (using DNS on inside with static) or do I
need to move it to outside?



CONF MAIN PIX

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password *********** encrypted
passwd ********** encrypted

hostname MAIN

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

names
access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0

pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown

mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500

ip address outside 200.219.100.2 255.255.255.0
ip address inside 10.128.159.253 255.255.224.0
ip address DMZ1 10.255.255.254 255.255.224.0
ip address intf3 10.250.11.254 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255

ip audit info action alarm
ip audit attack action alarm

no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0

pdm history enable
arp timeout 14400

global (outside) 1 200.219.100.100-200.219.100.199
global (outside) 1 200.219.100.200
global (DMZ1) 1 10.255.224.10-10.255.224.70
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0

alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255


static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0


conduit permit icmp any any

conduit permit tcp host 200.219.100.30 eq www any
conduit permit tcp host 200.219.100.30 eq domain any
conduit permit udp host 200.219.100.30 eq domain any

conduit permit tcp host 200.219.100.31 eq www any
conduit permit tcp host 200.219.100.31 eq domain any
conduit permit udp host 200.219.100.31 eq domain any

conduit permit tcp host 200.219.100.26 eq 161 any
conduit permit tcp host 200.219.100.26 eq 162 any
conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any

conduit permit tcp host 200.219.100.54 eq domain any
conduit permit udp host 200.219.100.54 eq domain any
conduit permit tcp host 200.219.100.54 eq 22 any


route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
route outside 10.0.64.0 255.255.224.0 10.128.159.252 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

snmp-server host inside 10.128.128.21
snmp-server location mainsite
snmp-server contact support@mainsite
snmp-server community pixpix
snmp-server enable traps

floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat


crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 1 ipsec-isakmp
crypto map cmap 1 match address 101
crypto map cmap 1 set peer 200.200.100.2
crypto map cmap 1 set transform-set strong

crypto map cmap 2 ipsec-isakmp
crypto map cmap 2 match address 102
crypto map cmap 2 set peer 200.200.111.2
crypto map cmap 2 set transform-set strong

crypto map cmap 3 ipsec-isakmp
crypto map cmap 3 match address 103
crypto map cmap 3 set peer 200.200.222.2
crypto map cmap 3 set transform-set strong

crypto map cmap 4 ipsec-isakmp
crypto map cmap 4 match address 104
crypto map cmap 4 set peer 200.202.202.2
crypto map cmap 4 set transform-set strong

crypto map cmap 5 ipsec-isakmp
crypto map cmap 5 match address 105
crypto map cmap 5 set peer 205.205.205.2
crypto map cmap 5 set transform-set strong

crypto map cmap interface outside

isakmp enable outside
isakmp key ******** address 200.200.100.2 netmask 255.255.255.255
isakmp key ******** address 200.219.100.4 netmask 255.255.255.255
isakmp key ******** address 200.200.111.2 netmask 255.255.255.255
isakmp key ******** address 200.200.222.2 netmask 255.255.255.255
isakmp key ******** address 200.202.202.2 netmask 255.255.255.255
isakmp key ******** address 205.205.205.2 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600

telnet 10.128.128.0 255.255.224.0 inside
telnet 10.128.128.0 255.255.224.0 DMZ1
telnet timeout 5

ssh timeout 5







CONF of office1 PIX:


PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************** encrypted
passwd *********** encrypted

hostname office1

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

names
access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 102 permit ip 172.16.0.0 255.255.0.0 10.128.128.0 255.255.224.0
pager lines 24

logging on
interface ethernet0 auto
interface ethernet1 auto

mtu outside 1500
mtu inside 1500

ip address outside 200.200.100.2 255.255.255.240
ip address inside 172.16.3.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 1 200.200.100.3-200.200.100.10
global (outside) 1 200.200.100.11

nat (inside) 1 172.16.0.0 255.255.0.0 0 0

static (inside,outside) 200.200.100.12 172.16.3.25 netmask 255.255.255.255 0 0

conduit permit gre any any
conduit permit icmp any any

conduit permit udp host 211.211.211.251 eq domain any
conduit permit tcp host 211.211.211.251 eq domain any
conduit permit tcp host 211.211.211.251 eq smtp any
conduit permit udp host 211.211.211.251 eq 25 any

conduit permit tcp host 200.200.100.12 eq domain any
conduit permit udp host 200.200.100.12 eq domain any
conduit permit tcp host 200.200.100.12 eq smtp any

conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any

route outside 0.0.0.0 0.0.0.0 200.200.100.1 1
route inside 172.16.15.0 255.255.255.0 172.16.3.254 1
route inside 172.17.0.0 255.255.0.0 172.16.3.254 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

snmp-server host outside 200.219.100.26
snmp-server location "Office1"
snmp-server contact support@office1
snmp-server community pixpix
snmp-server enable traps

floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat

crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 10 ipsec-isakmp
crypto map cmap 10 match address 101
crypto map cmap 10 set peer 200.200.111.2

crypto map cmap 10 set transform-set strong
crypto map cmap 20 ipsec-isakmp
crypto map cmap 20 match address 102
crypto map cmap 20 set peer 200.219.100.2

crypto map cmap interface outside

isakmp enable outside
isakmp key ******** address 200.200.111.2 netmask 255.255.255.255
isakmp key ******** address 200.219.100.2 netmask 255.255.255.255
isakmp key ******** address 200.200.100.2 netmask 255.255.255.255

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600

telnet 172.16.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
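The rewrite the question is about, as an added example (not code from this thread or from Cisco): a Python simulation of PIX DNS doctoring that builds the public-to-inside map from the MAIN PIX `static (inside,outside)` lines above and rewrites A records in a DNS reply, so an inside workstation receives 10.128.128.30 instead of 200.219.100.30. The server name and the minimal DNS packet are constructed for the demonstration; only A records are rewritten, which is the record type the alias feature doctors.

```python
import re
import struct
# Constructed from the MAIN PIX config in the thread: public -> inside.
STATIC_LINES = """
static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
"""

def parse_statics(text):
    """Map each public (outside) address to its inside address."""
    pat = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")
    return {m.group(1): m.group(2) for m in pat.finditer(text)}

def build_reply(name, ip, txid=0x1234):
    """Constructed minimal DNS response: one question, one A answer."""
    labels = name.encode().split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # pointer to qname
    return header + question + rr + bytes(int(o) for o in ip.split("."))

def _skip_name(pkt, off):
    """Offset just past a DNS name; a 0xC0 byte starts a 2-byte pointer."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] else 1)

def a_records(pkt):
    """Yield (rdata_offset, dotted_ip) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4                     # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, ".".join(str(b) for b in pkt[off:off + 4])
        off += rdlen

def doctor_reply(packet, public_to_inside):
    """What the PIX alias feature does: swap public A records for inside ones."""
    pkt = bytearray(packet)
    hits = [(off, ip) for off, ip in a_records(pkt) if ip in public_to_inside]
    for off, ip in hits:
        pkt[off:off + 4] = bytes(int(o) for o in public_to_inside[ip].split("."))
    return bytes(pkt), len(hits)
```

Because the PIX works on the reply packet rather than on the zone, the inside DNS keeps answering with the public addresses and the workstations still see the inside ones.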




-----Original Message-----
From: Godswill HO [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 26, 2002 10:45 PM
To: Dante Martins; [EMAIL PROTECTED]
Subject: Re: PIX % DNS Doctoring [7:33331]


Hi,

It really depends on what you want to do or implement for the DNS. The
DNS guard on PIX is enabled by default and it cannot be disabled or
configured. It helps to prevent DoS attacks by tearing down the UDP conduit
on the PIX firewall as soon as the DNS response is received, without waiting
until the default UDP timer has expired, which is 2 minutes (almost an
eternity in the computer world).

The other doctoring you can do on DNS is on CBAC (Context Based Access
Control). Here you can alter the default DNS timeout, which is 5 seconds,
by using:

#IP inspect dns-timeout 

It simply specifies the length of time a DNS name lookup session will
still be managed after no activity.

In case you need further help, feel free to ask specific questions.

Regards.
Oletu

----- Original Message -----
From: Dante Martins 
To: 
Sent: Saturday, January 26, 2002 4:58 PM
Subject: PIX % DNS Doctoring [7:33331]


> Somebody knows how to do DNS doctoring on PIX
> I have the DNS on DMZ with static and the clients workstations are on
> inside interface.
> Dante
>
>
>
> This email has been scanned for all viruses by the MessageLabs service.









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33384&t=33331
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html