Hi,

Check your dns doctoring alias command:

alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255

The order above is wrong. I assume the assigned address to the dns server is 10.128.128.30 and 200.219.100.30 is only a globally translated address. The correct order should have been:

alias (inside) 10.128.128.30 200.219.100.30 255.255.255.255

This command will try to initiate the dns doctoring from the inside client and replace all dns responses having 200.219.100.30 with 10.128.128.30 and not the other way round as you initially had configured it.

Contact me again where necessary.

Regards.
Oletu

----- Original Message -----
From: Dante Martins
To:
Sent: Tuesday, January 29, 2002 5:18 AM
Subject: RE: PIX % DNS Doctoring [7:33331]

> I have a dns on inside using static (200.219.100.30 10.128.128.30). The
> dns database is resolving names to valid IP's. The problem is the
> workstations from inside can't access these servers using the valid
> IP's. I found some docs on Cisco site about DNS Doctoring
> (http://www.cisco.com/warp/public/110/alias.html) but in the cisco
> example the DNS is on outside. I need that dns send some zone forward to
> other dns that is inside the VPN so... if I move that dns (200.219.100.30)
> to outside interface it will not have access to the network
> 10.250.0.0 (VPN). I had the same problem in other situation but I was
> using Checkpoint Firewall_1 and it works.
>
> Is there some way to make it work (using DNS on inside with static) or do I
> need to move it to outside??
>
>
> CONF MAIN PIX
>
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 DMZ1 security10
> nameif ethernet3 intf3 security15
> nameif ethernet4 intf4 security20
> nameif ethernet5 intf5 security25
> enable password *********** encrypted
> passwd ********** encrypted
>
> hostname MAIN
>
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
>
> names
> access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
> access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
> access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
> access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
> access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
> access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0
>
> pager lines 24
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> interface ethernet3 auto
> interface ethernet4 auto shutdown
> interface ethernet5 auto shutdown
>
> mtu outside 1500
> mtu inside 1500
> mtu DMZ1 1500
> mtu intf3 1500
> mtu intf4 1500
> mtu intf5 1500
>
> ip address outside 200.219.100.2 255.255.255.0
> ip address inside 10.128.159.253 255.255.224.0
> ip address DMZ1 10.255.255.254 255.255.224.0
> ip address intf3 10.250.11.254 255.255.255.0
> ip address intf4 127.0.0.1 255.255.255.255
> ip address intf5 127.0.0.1 255.255.255.255
>
> ip audit info action alarm
> ip audit attack action alarm
>
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address DMZ1 0.0.0.0
> failover ip address intf3 0.0.0.0
> failover ip address intf4 0.0.0.0
> failover ip address intf5 0.0.0.0
>
> pdm history enable
> arp timeout 14400
>
> global (outside) 1 200.219.100.100-200.219.100.199
> global (outside) 1 200.219.100.200
> global (DMZ1) 1 10.255.224.10-10.255.224.70
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
>
> alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
> alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
> alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
> alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255
>
>
> static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
> static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
> static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
> static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0
>
>
> conduit permit icmp any any
>
> conduit permit tcp host 200.219.100.30 eq www any
> conduit permit tcp host 200.219.100.30 eq domain any
> conduit permit udp host 200.219.100.30 eq domain any
>
> conduit permit tcp host 200.219.100.31 eq www any
> conduit permit tcp host 200.219.100.31 eq domain any
> conduit permit udp host 200.219.100.31 eq domain any
>
> conduit permit tcp host 200.219.100.26 eq 161 any
> conduit permit tcp host 200.219.100.26 eq 162 any
> conduit permit udp host 200.219.100.26 eq snmp any
> conduit permit udp host 200.219.100.26 eq snmptrap any
>
> conduit permit tcp host 200.219.100.54 eq domain any
> conduit permit udp host 200.219.100.54 eq domain any
> conduit permit tcp host 200.219.100.54 eq 22 any
>
>
> route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
> route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
>
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
>
> snmp-server host inside 10.128.128.21
> snmp-server location mainsite
> snmp-server contact support@mainsite
> snmp-server community pixpix
> snmp-server enable traps
>
> floodguard enable
> sysopt connection permit-ipsec
> sysopt ipsec pl-compatible
> no sysopt route dnat
>
>
> crypto ipsec transform-set strong esp-des esp-sha-hmac
> crypto map cmap 1 ipsec-isakmp
> crypto map cmap 1 match address 101
> crypto map cmap 1 set peer 200.200.100.2
> crypto map cmap 1 set transform-set strong
>
> crypto map cmap 2 ipsec-isakmp
> crypto map cmap 2 match address 102
> crypto map cmap 2 set peer 200.200.111.2
> crypto map cmap 2 set transform-set strong
>
> crypto map cmap 3 ipsec-isakmp
> crypto map cmap 3 match address 103
> crypto map cmap 3 set peer 200.200.222.2
> crypto map cmap 3 set transform-set strong
>
> crypto map cmap 4 ipsec-isakmp
> crypto map cmap 4 match address 104
> crypto map cmap 4 set peer 200.202.202.2
> crypto map cmap 4 set transform-set strong
>
> crypto map cmap 5 ipsec-isakmp
> crypto map cmap 5 match address 105
> crypto map cmap 5 set peer 205.205.205.2
> crypto map cmap 5 set transform-set strong
>
> crypto map cmap interface outside
>
> isakmp enable outside
> isakmp key ******** address 200.200.100.2 netmask 255.255.255.255
> isakmp key ******** address 200.219.100.4 netmask 255.255.255.255
> isakmp key ******** address 200.200.111.2 netmask 255.255.255.255
> isakmp key ******** address 200.200.222.2 netmask 255.255.255.255
> isakmp key ******** address 200.202.202.2 netmask 255.255.255.255
> isakmp key ******** address 205.205.205.2 netmask 255.255.255.255
>
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash sha
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 3600
>
> telnet 10.128.128.0 255.255.224.0 inside
> telnet 10.128.128.0 255.255.224.0 DMZ1
> telnet timeout 5
>
> ssh timeout 5
>
>
>
> CONF of office1 PIX:
>
>
> PIX Version 6.1(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password ************** encrypted
> passwd *********** encrypted
>
> hostname office1
>
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
>
> names
> access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
> access-list 102 permit ip 172.16.0.0 255.255.0.0 10.128.128.0 255.255.224.0
> pager lines 24
>
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
>
> mtu outside 1500
> mtu inside 1500
>
> ip address outside 200.200.100.2 255.255.255.240
> ip address inside 172.16.3.252 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
>
> pdm history enable
> arp timeout 14400
> global (outside) 1 200.200.100.3-200.200.100.10
> global (outside) 1 200.200.100.11
>
> nat (inside) 1 172.16.0.0 255.255.0.0 0 0
>
> static (inside,outside) 200.200.100.12 172.16.3.25 netmask 255.255.255.255 0 0
>
> conduit permit gre any any
> conduit permit icmp any any
>
> conduit permit udp host 211.211.211.251 eq domain any
> conduit permit tcp host 211.211.211.251 eq domain any
> conduit permit tcp host 211.211.211.251 eq smtp any
> conduit permit udp host 211.211.211.251 eq 25 any
>
> conduit permit tcp host 200.200.100.12 eq domain any
> conduit permit udp host 200.200.100.12 eq domain any
> conduit permit tcp host 200.200.100.12 eq smtp any
>
> conduit permit udp host 200.219.100.26 eq snmp any
> conduit permit udp host 200.219.100.26 eq snmptrap any
>
> route outside 0.0.0.0 0.0.0.0 200.200.100.1 1
> route inside 172.16.15.0 255.255.255.0 172.16.3.254 1
> route inside 172.17.0.0 255.255.0.0 172.16.3.254 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
>
> snmp-server host outside 200.219.100.26
> snmp-server location "Office1"
> snmp-server contact support@office1
> snmp-server community pixpix
> snmp-server enable traps
>
> floodguard enable
> sysopt connection permit-ipsec
> sysopt ipsec pl-compatible
> no sysopt route dnat
>
> crypto ipsec transform-set strong esp-des esp-sha-hmac
> crypto map cmap 10 ipsec-isakmp
> crypto map cmap 10 match address 101
> crypto map cmap 10 set peer 200.200.111.2
>
> crypto map cmap 10 set transform-set strong
> crypto map cmap 20 ipsec-isakmp
> crypto map cmap 20 match address 102
> crypto map cmap 20 set peer 200.219.100.2
>
> crypto map cmap interface outside
>
> isakmp enable outside
> isakmp key ******** address 200.200.111.2 netmask 255.255.255.255
> isakmp key ******** address 200.219.100.2 netmask 255.255.255.255
> isakmp key ******** address 200.200.100.2 netmask 255.255.255.255
>
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash sha
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 3600
>
> telnet 172.16.3.0 255.255.255.0 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
>
> -----Original Message-----
> From: Godswill HO [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 26, 2002 7:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX % DNS Doctoring [7:33331]
>
>
> Hi,
>
> It really depends on what you want to do or implement for the DNS. The DNS
> guard on PIX is enabled by default and it cannot be disabled nor
> configured. It helps to prevent against DoS attacks by tearing down the
> UDP conduit on the PIX firewall as soon as the DNS response is received,
> not waiting until the default UDP timer has expired, which is 2 minutes
> (almost an eternity in the computer world).
>
> The other doctoring you can do on DNS is on CBAC (Context Based Access
> Control). Here you can alter the default DNS timeout which is 5 seconds by
> using:
>
> #IP inspect dns-timeout
>
> It simply specifies the length of time a DNS name lookup session will
> still be managed after no activity.
>
> In case you need further help, feel free to ask specific questions.
>
> Regards.
> Oletu
>
> ----- Original Message -----
> From: Dante Martins
> To:
> Sent: Saturday, January 26, 2002 4:58 PM
> Subject: PIX % DNS Doctoring [7:33331]
>
>
> > Does somebody know how to do DNS doctoring on PIX?
> > I have the DNS on DMZ with static and the client workstations are on
> > inside interface.
> > Dante
>
> ________________________________________________________________________
> This email has been scanned for all viruses by the MessageLabs service.
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33673&t=33331
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
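The argument-order point in Oletu's reply, as an added example that is not part of the thread: a small Python model of what `alias (inside) dnat_ip foreign_ip mask` does to an A answer in a DNS reply heading to the inside interface (foreign_ip is rewritten to dnat_ip, with the netmask applied to both addresses so host bits carry over). The DNS reply is constructed inline; parse_alias, doctor_reply, a_addresses and build_reply are this example's own names, not PIX commands or functions, and the interface name is ignored here.

```python
import ipaddress
import struct

def parse_alias(line):
    """'alias (ifname) dnat_ip foreign_ip mask' -> (dnat, foreign, mask) as ints."""
    _kw, _ifname, dnat, foreign, mask = line.split()   # ValueError if malformed
    return tuple(int(ipaddress.IPv4Address(p)) for p in (dnat, foreign, mask))

def _skip_name(pkt, off):
    """Offset just past a DNS name; a compression pointer (0xC0..) ends the name."""
    while pkt[off] != 0 and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def _a_record_offsets(pkt):
    """Yield the RDATA offset of every A record in the answer section."""
    qd, an = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen

def doctor_reply(pkt, aliases):
    """Rewrite A answers matching foreign_ip/mask to dnat_ip (host bits kept).
    Model of the alias command: the reply is only changed if the *foreign*
    address appears in it, so the thread's reversed alias leaves it untouched."""
    out = bytearray(pkt)
    for off in _a_record_offsets(pkt):
        addr = struct.unpack_from("!I", pkt, off)[0]
        for dnat, foreign, mask in aliases:
            if addr & mask == foreign & mask:
                struct.pack_into("!I", out, off, (dnat & mask) | (addr & (0xFFFFFFFF ^ mask)))
                break
    return bytes(out)

def a_addresses(pkt):  # dotted addresses of all A answers, for inspection
    return [str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in _a_record_offsets(pkt)]

def build_reply(name, addr):
    """Constructed reply: one question, one A answer whose name is a pointer to it."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

Feeding the thread's own two alias lines through doctor_reply shows the difference: the reversed line never matches a reply carrying the global address 200.219.100.30, which is exactly the symptom the inside workstations saw.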