Does your access-list look like this:

Access-list 100 permit udp any host a.b.c.d eq domain

Where a.b.c.d is the EXTERNAL address? That is what I see wrong most often.

Thanks
Larry

-----Original Message-----
From: Curious [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 3:41 PM
To: [EMAIL PROTECTED]
Subject: Re: DNS Behind the firewall [7:53016]

I am permitting UDP / TCP port 53 on my access list on the Outside Interface. Clients from the Internal LAN are able to resolve names, but Internet clients or clients on the External or public LAN cannot resolve DNS names. One thing I also noticed: the hit counter for the access-list entry for the DNS server was 0, although there was a correct entry in the translation table and there was no typing mistake in the access-list.

--
Curious
MCSE, CCNP

""Mark W. Odette II"" wrote in message news:[EMAIL PROTECTED]...
> Be sure you have the permit statement for DNS(53) applied to the
> outside interface via access-list. Unless you put the DNS server in a
> DMZ, you shouldn't really need access-lists applied to the inside
> interface IMO.
>
> Whether or not you have a web server that is also running on the same
> machine as DNS, or a mail server, you will need to make sure you put a
> public address A record for said server in your DNS zone along with
> however you choose to resolve the WWW/SMTP/POP3 Server on the
> inside.... or implement the alias command on the PIX to have the PIX
> auto-magically modify inside DNS requests to the public-addressed host
> so that you resolve to its private address.
>
> Caveat to the alias command though is that with it in place, you can
> only use the PIX PDM in Monitor mode - PDM doesn't support Alias
> statements... You'd think Cisco would change that in the next update
> to the PDM. HINT HINT Cisco!!?!? :)
>
> Hope that helps.
>
> Mark
>
> -----Original Message-----
> From: Curious [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 10, 2002 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: DNS Behind the firewall [7:53016]
>
> My Company's DNS server resided on our External LAN (our Public LAN).
> Yesterday we moved it to our Private LAN (behind our PIX 515), NATed
> its Public IP address to its new Private IP address in the firewall,
> and opened port 53.
> After all that move and settings we were able to resolve domain names
> from the Private LAN but not from the Public LAN or Internet.
> Please let me know if someone has any idea why?
>
> Curious
>
> MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53032&t=53016
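
The mismatch Larry asks about can be checked mechanically. The following is an added example, not part of the original thread: it assumes PIX 6.x-style `static`, `access-list` and `access-group` lines, uses constructed addresses, and the function name `audit_translated_hosts` is hypothetical.

```python
import re

# Constructed sample in PIX 6.x-style syntax (assumed); addresses are made up.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list 100 permit udp any host 192.168.1.10 eq domain
access-list 100 permit tcp any host 203.0.113.10 eq domain
access-group 100 in interface outside
"""

FLAGS = re.I | re.M
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)", FLAGS)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)", FLAGS)
ACE_RE = re.compile(r"^access-list (\S+) permit (\w+) any host (\S+) eq (\S+)", FLAGS)


def audit_translated_hosts(config):
    """Flag permit entries that name a static's private address on the
    interface where only its translated (external) address is visible."""
    # (mapped interface, private address) -> external address
    statics = {(mapped_if.lower(), local): glob
               for _real_if, mapped_if, glob, local in STATIC_RE.findall(config)}
    # ACL name -> interface it filters inbound traffic on
    bound = {acl: iface.lower() for acl, iface in GROUP_RE.findall(config)}
    findings = []
    for acl, proto, dest, port in ACE_RE.findall(config):
        # An unbound ACL yields a (None, dest) key, which never matches
        external = statics.get((bound.get(acl), dest))
        if external:
            findings.append({"acl": acl, "proto": proto.lower(), "port": port,
                             "written": dest, "expected": external})
    return findings


if __name__ == "__main__":
    for f in audit_translated_hosts(SAMPLE_CONFIG):
        print("access-list {acl}: {proto}/{port} names {written}, "
              "outside hosts send to {expected}".format(**f))
```

On the constructed sample it reports the UDP entry, which names the private address, and passes the TCP entry, which names the external one.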