Guest
Posted: Mon Oct 31, 2005 5:21 pm
Post subject: PIX 501 firewall - DNS problem
Hello all,
I am new to PIX, so you will all have to bear with me.
I am having a problem with a remote office which has a few workstations and
no server. The remote office, which uses a PIX 501 firewall, can't seem to
resolve computer names. Internet access works fine and it can also ping the
main office computers by IP address, but I am not able to use
\\servername\sharename and can't ping by computer name. As a temporary
measure I made those workstations use a HOSTS file and it is working, but I
want them to use DNS.
Any help in this regard is appreciated. Thanks
Walter Roberson
Guest
Posted: Mon Oct 31, 2005 5:21 pm
Post subject: Re: PIX 501 firewall - DNS problem
In article <1130773557.821617.154020@f14g2000cwb.googlegroups.com>,
<wizonline@gmail.com> wrote:
:I am new to PIX so you all have to bear with me.
For future reference: most PIX discussion takes place in
comp.dcom.sys.cisco
:I am having a problem with a remote office which has a few workstations and
:no server. The remote office, which uses a PIX 501 firewall, can't seem to
:resolve computer names. Internet access works fine and it can also ping the
:main office computers by IP address, but I am not able to use
:\\servername\sharename and can't ping by computer name. As a temporary
:measure I made those workstations use a HOSTS file and it is working, but I
:want them to use DNS.
There are a few different possibilities depending upon the location
of the DNS servers, the traffic flows you have defined, and
the configuration of the PCs.
Generally speaking, remote \\servername\sharename problems are best
resolved by installing a WINS server and configuring the clients to
know about it.
--
Many food scientists have reported chocolate to be the single most
craved food. -- Northwestern University, 2001
Guest
Posted: Mon Oct 31, 2005 5:21 pm
Post subject: Re: PIX 501 firewall - DNS problem
Walter, thanks for your prompt response.
We use a Windows 2003 server in the main office. We only use a DNS server, not a
WINS server. What amazes me about this problem is that this PIX was
working well and then all of a sudden one day it stopped working.
We have many other users using VPN clients and it works fine. So I
believe it's not the main office DNS or a network problem. I am assuming
there is something wrong with the remote PIX firewall.
Any more help???
Somebody.
Guest
Posted: Tue Nov 01, 2005 2:29 am
Post subject: Re: PIX 501 firewall - DNS problem
<wizonline@gmail.com> wrote in message
news:1130776134.698389.200110@g47g2000cwa.googlegroups.com...
> Walter, thanks for your prompt response.
> We use a Windows 2003 server in the main office. We only use a DNS server, not a
> WINS server. What amazes me about this problem is that this PIX was
> working well and then all of a sudden one day it stopped working.
> We have many other users using VPN clients and it works fine. So I
> believe it's not the main office DNS or a network problem. I am assuming
> there is something wrong with the remote PIX firewall.
> Any more help???
When the clients are connected remotely, they will need to have your
internal DNS number, in order to resolve internal names. So, this would
have to appear in the client setup. If the client is resolving DNS with the
ISP-provided DNS, it will not work for your internal machines.
How you implement this varies with the software package, but that's the
source of your issue. It's not on the concentrator, it's on the client.
(or whatever configuration the concentrator pushes to the client if that's
how your system works).
-Russ.
Guest
Posted: Tue Nov 01, 2005 9:22 am
Post subject: Re: PIX 501 firewall - DNS problem
Russ,
Thanks for the response. The remote clients get the DNS IP from the PIX
firewall, where I have given the main office DNS server IP. As I said,
this setup was working fine and suddenly it stopped working. I can
still ping the main office machines by IP but not by computer name.
Users who connect through the VPN clients have the same configuration
and have no problem. Anything else I need to check?
Thanks again
Somebody.
Guest
Posted: Wed Nov 02, 2005 6:19 am
Post subject: Re: PIX 501 firewall - DNS problem
<wizonline@gmail.com> wrote in message
news:1130834815.173556.313830@o13g2000cwo.googlegroups.com...
> Russ,
> Thanks for the response. The remote clients get the DNS IP from the PIX
> firewall, where I have given the main office DNS server IP. As I said,
> this setup was working fine and suddenly it stopped working. I can
> still ping the main office machines by IP but not by computer name.
> Users who connect through the VPN clients have the same configuration
> and have no problem. Anything else I need to check?
> Thanks again
You should start by verifying from the client via nslookup whether they are
contacting and receiving replies from the correct DNS server, then.
If it's down to particular machines, check local firewalls for rules
concerning TCP/UDP 53 or some sort of IPS features related to DNS. Try
stripping one of the troubled machines of its AV, antispyware, and personal
firewall products temporarily to see if there is any difference.
-Russ.
Guest
Posted: Fri Nov 11, 2005 9:22 am
Post subject: Re: PIX 501 firewall - DNS problem
I did everything you told me and it's still not working.
The following is the PIX firewall configuration. Hope to get some more
help on this.
pixfirewall# show config
: Saved
: Written by enable_15 at 22:22:54.158 UTC Thu Nov 10 2005
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OoKFED4gphfUO6Sf encrypted
passwd OoKFED4gphfUO6Sf encrypted
hostname mark-pixfirewall
domain-name camdenassetmanagement.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment size 2000
sysopt connection tcpmss 0
telnet 0.0.0.0 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 10.209.203.88 10.209.203.5
dhcpd wins 10.209.203.19
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain camdenassetmanagement.com
dhcpd auto_config outside
dhcpd enable inside
vpnclient server XXX.XXX.XXX.X
vpnclient mode client-mode
vpnclient vpngroup camden password ********
vpnclient username mark-fw password ********
vpnclient management tunnel 10.209.203.0 255.255.255.0 10.209.206.0 255.255.255.0 10.209.212.0 255.255.255.0
vpnclient enable
terminal width 80
Cryptochecksum:ecca093d75796c47760fdbe4d9f6d902
pixfirewall#
Mark Murphy
Guest
Posted: Sat Nov 19, 2005 7:53 am
Post subject: Re: PIX 501 firewall - DNS problem
I had a PIX firewall and Windows 2000 as a DNS server and all worked well. I
upgraded to Windows 2003 and DNS started to whack out on me. I found that
Windows 2003 has a new DNS setting by default that supports EDNS. What this
means is that Windows 2003, if requested, will try to send DNS answers back
with packets larger than the default 512 bytes. As you see, PIX defaults to 512 for
its FIXUP. I tried to increase the fixup as the Cisco support doc says,
but it still was flaky. I eventually turned off EDNS support in 2003 with a
registry setting and never again had DNS problems. Maybe you should look at the
following doc for help in setting this, to see if it helps.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4d90d400-dc49-4772-a679-917c80096a29.mspx
Good luck
<wizonline@gmail.com> wrote in message
news:1131722204.852419.306380@f14g2000cwb.googlegroups.com...
> I did everything you told me and it's still not working.
> The following is the PIX firewall configuration. Hope to get some more
> help on this.
> [PIX configuration snipped; it is the same one posted above]
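Russ's advice (confirm with nslookup that the client is getting replies from the right server) and Mark's explanation (Windows 2003 DNS answering with EDNS replies larger than the PIX default of 512 bytes) can be folded into one check. What follows is an added example, not code from the thread or from Cisco or Microsoft: it builds DNS queries by hand with the Python standard library, once plain and once carrying an EDNS0 OPT record, parses what comes back, and classifies the pair of results. The default server address is the main-office DNS server from the posted configuration, the query name is a placeholder, and the make_reply() helper fabricates answers so the parser and the classifier can be exercised offline.

```python
"""Added example, not code from the original thread: build plain and EDNS0
DNS queries by hand, parse what comes back, and classify the result, to
tell a 512-byte DNS length limit on the path (the PIX 6.3 default
'fixup protocol dns maximum-length 512') apart from a plain UDP/53 block.
Standard library only. The server address, query name and the replies built
by make_reply() are constructed for illustration."""
import socket
import struct

DNS_HEADER = "!HHHHHH"   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_name(name: str) -> bytes:
    """Encode 'a.b.c' as DNS labels: length-prefixed, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_bufsize: int = 0) -> bytes:
    """Recursive query for (name, qtype). With edns_bufsize > 0, append an
    EDNS0 OPT pseudo-RR (RFC 6891) advertising that UDP payload size, which
    is what lets a server answer with more than 512 bytes over UDP."""
    arcount = 1 if edns_bufsize else 0
    msg = struct.pack(DNS_HEADER, txid, 0x0100, 1, 0, 0, arcount)  # 0x0100 = RD
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)      # QCLASS IN
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg


def parse_response(data: bytes) -> dict:
    """Pull out what this diagnosis needs: size, TC flag, RCODE and counts."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, ar = struct.unpack(DNS_HEADER, data[:12])
    return {"id": txid, "size": len(data), "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an, "additional": ar}


def make_reply(query: bytes, addresses: list, truncated: bool = False) -> bytes:
    """Constructed reply for offline use: echo the question and answer with
    one A record per address via a compression pointer (0xC00C) to the name."""
    txid, _flags, qd, _an, _ns, _ar = struct.unpack(DNS_HEADER, query[:12])
    qend = query.index(b"\x00", 12) + 1 + 4          # name terminator + QTYPE/QCLASS
    flags = 0x8180 | (0x0200 if truncated else 0)    # QR, RD, RA [, TC]
    out = struct.pack(DNS_HEADER, txid, flags, qd, len(addresses), 0, 0)
    out += query[12:qend]
    for addr in addresses:
        out += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return out


def diagnose(results: dict, limit: int = 512) -> str:
    """Map the plain/EDNS0 pair of results onto one label."""
    plain, edns = results.get("plain"), results.get("edns0")
    if plain is None and edns is None:
        return "NO_REPLIES"            # routing, ACL or UDP/53 problem, not a size limit
    if plain is not None and edns is None:
        return "EDNS_REPLY_LOST"       # the classic symptom of a 512-byte DNS limit
    if edns is not None and edns["truncated"]:
        return "EDNS_REPLY_TRUNCATED"  # resolver will retry over TCP/53; make sure it is allowed
    if edns is not None and edns["size"] > limit:
        return "LARGE_REPLY_PASSED"    # no length limit on this path
    return "INCONCLUSIVE"              # the answer fit under the limit anyway


def probe(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the same question plain and with EDNS0 (4096) and collect both replies."""
    results = {}
    for label, bufsize in (("plain", 0), ("edns0", 4096)):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, edns_bufsize=bufsize), (server, 53))
            data, _ = sock.recvfrom(65535)
            results[label] = parse_response(data)
        except socket.timeout:
            results[label] = None
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    import sys
    # Defaults: the main-office DNS server from the posted config and a placeholder name.
    server = sys.argv[1] if len(sys.argv) > 1 else "10.209.203.88"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.test"
    res = probe(server, name)
    print(res)
    print(diagnose(res))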
Guest
Posted: Sat Dec 03, 2005 1:55 am
Post subject: Re: PIX 501 firewall - DNS problem
Thanks to Mark and all who helped me on this issue. It is working fine
now. I took the cue from Mark's postings and did some research on it. I
didn't feel comfortable tweaking the DNS server, so instead I disabled the
FIXUP DNS and it is working smoothly.
I hope my posting will help others who are facing the same issues.
Thanks again.
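The thread ends with the DNS fixup switched off outright. As an added example (not from any of the posts), here are the three settings a PIX 6.3 administrator is choosing between, written the way they appear in the posted configuration, with colon comment lines as explanation. The 4096-byte value is an assumption based on what EDNS0 clients commonly advertise; the three commands are alternatives, so only one of them belongs in a running configuration.

```text
: PIX 6.3 default (as in the posted config): inspect UDP/53 and drop any DNS
: message longer than 512 bytes. EDNS0 replies from a Windows Server 2003 DNS
: server can exceed this and never reach the client.
fixup protocol dns maximum-length 512

: Narrower fix: keep DNS inspection, raise the ceiling to what EDNS0 clients
: typically advertise.
fixup protocol dns maximum-length 4096

: What the last post did: switch DNS inspection off altogether. This removes
: the length check and the inspection of DNS payloads along with it.
no fixup protocol dns
```

Raising the limit keeps the inspection; disabling the fixup gives up both the length check and the payload inspection, so it is the blunter tool. Whichever is chosen, a resolver that receives a truncated (TC) answer retries over TCP/53, so that also has to be allowed through. The server-side route Mark took is the Windows Server 2003 DNS EDNS probe setting (`dnscmd /Config /EnableEDnsProbes 0`, described in Microsoft KB 832223), which stops the server offering EDNS instead of making the firewall accept it. Separate from name resolution but visible in the same configuration: `telnet 0.0.0.0 255.255.255.255 outside`, `http 0.0.0.0 255.255.255.255 outside` and `snmp-server community public` expose management of this firewall to the whole Internet and are worth tightening at the same time.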