RE: DNS at PIX [7:55444]
You have to enable the DHCP server first (it is part of the DHCP options).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55535t=55444
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: DNS and Pix ... very weird problem [7:40387]
First I would enable logging buffer error and check sh log from time to time.

The real help would be the sniffer here. If you could install a sniffer on the outside and inside of the PIX and capture DNS packets, that would be something that will probably give you an answer where the problem is.

I had one issue another day where the PIX was dropping SYN ACK packets, and the only way we found the problem was by using the sniffer (the SYN packet was apparently bypassing the PIX, when everybody swore that it could not).

-- Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Justin C
Sent: Wednesday, April 03, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: DNS and Pix ... very weird problem [7:40387]

Group,

The Pix 501 is running the default NAT/PAT configuration. Through it, I can check email using Outlook to talk to an Exchange Server, telnet and SSH to devices, and browse the web provided I type in the IP address of the web server. All requests for URL translation by a DNS server fail. The IP configuration (addresses, gateways, DNS servers) is correct. The Pix is direct to the cloud with only one PC behind it.

Using Debug Packet, I have confirmed that requests for DNS translations go out and come back to the Pix (on the outside interface), but they do not seem to make it back to the host that originated the request.

The code is 6.1(1), and I have contacted TAC. With SSH, TAC has inspected the box and cannot see a problem with the configuration. Nor can they explain why this is occurring.

Before sending it back to Cisco for a replacement, I thought I would ask here to see if anyone has run across this. There are no access-lists or conduit statements, but Cisco (the Pix literature) and Cisco Press (Cisco Secure PIX Firewalls) say that they are unnecessary for this very simple setup.

My thanks in advance for your time and input.

Regards,
Justin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40404t=40387
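The two-sided capture comparison suggested in the reply above, as an added example that is not part of the original thread: it reads `tcpdump -n` text output taken on the inside and outside of the firewall and reports where each DNS query stopped. The sample captures and addresses are constructed, and matching on the DNS transaction ID assumes the firewall rewrites addresses and ports (PAT) but leaves the ID unchanged.

```python
import re

# tcpdump -n text line for UDP DNS, e.g.
#   15:20:01.10 IP 192.168.1.2.1045 > 198.51.100.53.53: 4660+ A? www.example.com. (33)
LINE = re.compile(r"IP [\d.]+\.(?P<sport>\d+) > [\d.]+\.(?P<dport>\d+): "
                  r"(?P<id>\d+)(?P<rest>.*)")

def parse(capture):
    """Return ({dns_id: qname} for queries, {dns_id} for responses)."""
    queries, responses = {}, set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["dport"] == "53":                      # client -> server
            q = re.search(r"\? (\S+)", m["rest"])
            queries[int(m["id"])] = q.group(1) if q else "?"
        elif m["sport"] == "53":                    # server -> client
            responses.add(int(m["id"]))
    return queries, responses

def classify(inside, outside):
    """Say where each inside query stopped, keyed by DNS transaction ID.
    Assumption: PAT changes addresses/ports but not the DNS ID."""
    in_q, in_r = parse(inside)
    out_q, out_r = parse(outside)
    result = {}
    for dns_id, name in in_q.items():
        if dns_id in in_r:
            result[name] = "answered"
        elif dns_id in out_r:
            result[name] = "reply reached outside, dropped before inside"
        elif dns_id in out_q:
            result[name] = "forwarded, no reply from server"
        else:
            result[name] = "query never left the firewall"
    return result

# Constructed sample captures (documentation addresses, not from the thread).
INSIDE = """\
15:20:01.10 IP 192.168.1.2.1045 > 198.51.100.53.53: 4660+ A? www.example.com. (33)
15:20:02.10 IP 192.168.1.2.1046 > 198.51.100.53.53: 4661+ A? mail.example.com. (34)
15:20:02.15 IP 198.51.100.53.53 > 192.168.1.2.1046: 4661 1/0/0 A 192.0.2.25 (50)
"""
OUTSIDE = """\
15:20:01.11 IP 203.0.113.10.2001 > 198.51.100.53.53: 4660+ A? www.example.com. (33)
15:20:01.14 IP 198.51.100.53.53 > 203.0.113.10.2001: 4660 1/0/0 A 192.0.2.80 (49)
15:20:02.11 IP 203.0.113.10.2002 > 198.51.100.53.53: 4661+ A? mail.example.com. (34)
15:20:02.14 IP 198.51.100.53.53 > 203.0.113.10.2002: 4661 1/0/0 A 192.0.2.25 (50)
"""

if __name__ == "__main__":
    for name, verdict in classify(INSIDE, OUTSIDE).items():
        print(f"{name:20} {verdict}")
```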
Re: DNS and Pix ... very weird problem [7:40387]
I had problems using Microsoft DNS servers and PIX. It would work for about a week before I had to reboot the PIX. Cisco could never tell me what was wrong and I finally resolved it by installing BIND to forward all external queries.

Leonard Tan

----- Original Message -----
From: Lidiya White
To:
Sent: Wednesday, April 03, 2002 4:54 PM
Subject: RE: DNS and Pix ... very weird problem [7:40387]

First I would enable logging buffer error and check sh log from time to time.

The real help would be the sniffer here. If you could install a sniffer on the outside and inside of the PIX and capture DNS packets, that would be something that will probably give you an answer where the problem is.

I had one issue another day where the PIX was dropping SYN ACK packets, and the only way we found the problem was by using the sniffer (the SYN packet was apparently bypassing the PIX, when everybody swore that it could not).

-- Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Justin C
Sent: Wednesday, April 03, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: DNS and Pix ... very weird problem [7:40387]

Group,

The Pix 501 is running the default NAT/PAT configuration. Through it, I can check email using Outlook to talk to an Exchange Server, telnet and SSH to devices, and browse the web provided I type in the IP address of the web server. All requests for URL translation by a DNS server fail. The IP configuration (addresses, gateways, DNS servers) is correct. The Pix is direct to the cloud with only one PC behind it.

Using Debug Packet, I have confirmed that requests for DNS translations go out and come back to the Pix (on the outside interface), but they do not seem to make it back to the host that originated the request.

The code is 6.1(1), and I have contacted TAC. With SSH, TAC has inspected the box and cannot see a problem with the configuration. Nor can they explain why this is occurring.

Before sending it back to Cisco for a replacement, I thought I would ask here to see if anyone has run across this. There are no access-lists or conduit statements, but Cisco (the Pix literature) and Cisco Press (Cisco Secure PIX Firewalls) say that they are unnecessary for this very simple setup.

My thanks in advance for your time and input.

Regards,
Justin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40413t=40387
Re: DNS and PIX
You can put it in either place, but I would put it behind the PIX. You can create a conduit for it and only allow it to use port 53 (TCP and UDP). I hope you have more than one DNS server. And if you don't already use the split DNS concept, I'd give that some serious thought.

kelly

Quoting Austin [EMAIL PROTECTED]:

> We have our own Web Server with a legal IP address which is NAT'd (is that a word?) from our LAN to the outside. Where do I put the DNS Server? Behind the PIX on the LAN (inside interface) or the outside interface?