DNS traffic blocked after PAT - PIX 515

I have a PIX 515 with 3 named interfaces (inside, outside, dmz).

I have 2 servers (Exchange, and Windows 2000 with SMTP) in the DMZ.

I currently have a static command pointing the domain's IP address at the Exchange Server IP address in the DMZ.

I want to PAT on the IP address of the e-mail domain so that the configuration looks as follows.

The domain IP will be used as the global IP:

all pop3 traffic for the global IP will go to Exchange

all www traffic for the global IP will go to Exchange

all smtp traffic for the global IP will go to the Windows 2000-based SMTP relay (the SMTP relay is configured to send the e-mail it receives to the Exchange Server)

I have allowed DNS UDP and TCP traffic to the servers.

Before PAT, the servers could use DNS to resolve the e-mail domain IPs and send mail to the Internet.

As soon as I PAT, Internet e-mail delivery stops.

When I run an NSLOOKUP command it returns an error indicating that the DNS server cannot be resolved.

The DNS servers used by these 2 servers are the ISP's DNS servers.

Is there any concern when you PAT?

Thank you

Hello

I found the problem:

For now, your DMZ servers can go to the Internet only with pop3, smtp, and www: only for these protocols is a (static) translation provided in the config.

You will need to provide a translation for the other protocols (for example, DNS) as well. This can be accomplished in one of the following two ways:

1. Create a nat/global pair for the DMZ towards the outside:

nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 200.100.100.168 (already exists)

2. Create a static translation for each of the other protocols (besides pop3, smtp and www) that you want to pass from the DMZ to the Internet (you already did that for www, pop3 and smtp).

Kind regards

Tom
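Added example, not code from the thread: a small Python checker for the situation above. It parses the nat, global and static lines of a constructed PIX 6.x config and lists the flows a DMZ host originates for which the PIX holds no translation. It models a port static as translating a host-initiated flow only when the flow's source port equals the static's real port, so with port statics alone neither the DNS queries nor the relay's own outbound SMTP (both sourced from ephemeral ports) get a translation, and adding the nat (dmz) / global pair from option 1 clears both. The interface names, the DMZ addresses 192.168.50.10/.11 and the ephemeral ports are assumptions; 200.100.100.168 is the global IP quoted in the answer.

```python
"""Audit which outbound flows from a PIX 6.x DMZ host actually get translated.

Added example, not code from the thread. Port statics cover only the named
protocol/port; everything else the host originates needs a full static or a
nat/global pair, which is what the answer above adds.
"""
import ipaddress
import re

# Constructed sample config modelled on the thread. 200.100.100.168 is the
# global IP quoted in the answer; interface names and DMZ addresses are assumed.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
global (outside) 1 200.100.100.168
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 200.100.100.168 pop3 192.168.50.10 pop3 netmask 255.255.255.255
static (dmz,outside) tcp 200.100.100.168 www 192.168.50.10 www netmask 255.255.255.255
static (dmz,outside) tcp 200.100.100.168 smtp 192.168.50.11 smtp netmask 255.255.255.255
"""
# The answer's first option: a nat/global pair so every DMZ host gets PAT'd.
FIXED_CONFIG = SAMPLE_CONFIG + "nat (dmz) 1 0 0\n"

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110,
              "domain": 53, "ssh": 22, "telnet": 23}


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def network(addr, mask):
    # PIX accepts "0 0" as shorthand for 0.0.0.0 0.0.0.0
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect nat, global and static rules; all other lines are ignored."""
    rules = {"nat": [], "global": [], "static": []}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nat":            # nat (if) id local mask ...
            rules["nat"].append((t[1].strip("()"), int(t[2]), network(t[3], t[4])))
        elif t[0] == "global":       # global (if) id ip|interface ...
            rules["global"].append((t[1].strip("()"), int(t[2])))
        elif t[0] == "static":       # static (real_if,mapped_if) ...
            body = " ".join(t[1:])
            m = re.match(r"\((\w+),\s*(\w+)\)", body)
            rest = body[m.end():].split()
            entry = {"real_if": m.group(1), "mapped_if": m.group(2)}
            mask = rest[rest.index("netmask") + 1] if "netmask" in rest else "255.255.255.255"
            if rest[0] in ("tcp", "udp"):   # port static: proto mapped_ip mport real_ip rport
                entry.update(proto=rest[0], mapped_ip=rest[1], mapped_port=port_num(rest[2]),
                             real_net=network(rest[3], "255.255.255.255"),
                             real_port=port_num(rest[4]))
            else:                           # full static: mapped_ip real_ip [netmask m]
                entry.update(proto=None, mapped_ip=rest[0], real_net=network(rest[1], mask))
            rules["static"].append(entry)
    return rules


def outbound_translation(rules, src_if, src_ip, dst_if, proto, src_port):
    """Describe the translation a host-initiated flow gets, or None if there is none.

    Modelling assumption: a port static translates an outbound flow only when
    the flow's source port is the static's real port; nat/global covers any
    port. Statics are consulted before nat/global, as the PIX does.
    """
    ip = ipaddress.ip_address(src_ip)
    for s in rules["static"]:
        if s["real_if"] != src_if or s["mapped_if"] != dst_if or ip not in s["real_net"]:
            continue
        if s["proto"] is None:
            return f"static {src_ip} -> {s['mapped_ip']}"
        if s["proto"] == proto and s["real_port"] == src_port:
            return f"static {proto} {src_ip}:{src_port} -> {s['mapped_ip']}:{s['mapped_port']}"
    for nat_if, nat_id, net in rules["nat"]:
        if nat_if == src_if and ip in net:
            if any(g_if == dst_if and g_id == nat_id for g_if, g_id in rules["global"]):
                return f"nat/global id {nat_id} via {dst_if}"
    return None


def untranslated(rules, src_if, src_ip, dst_if, flows):
    """Names of the flows (name -> (proto, src_port)) the PIX has no translation for."""
    return [name for name, (proto, sport) in flows.items()
            if outbound_translation(rules, src_if, src_ip, dst_if, proto, sport) is None]


# What the DMZ servers originate: DNS queries and outbound SMTP from ephemeral
# source ports (assumed values), not from the listening ports the statics name.
SERVER_FLOWS = {"dns-udp": ("udp", 1030), "dns-tcp": ("tcp", 1031), "smtp-out": ("tcp", 1032)}

if __name__ == "__main__":
    for label, cfg in (("port statics only", SAMPLE_CONFIG), ("plus nat (dmz) 1 0 0", FIXED_CONFIG)):
        rules = parse(cfg)
        for host in ("192.168.50.10", "192.168.50.11"):
            print(f"{label}: {host} untranslated -> {untranslated(rules, 'dmz', host, 'outside', SERVER_FLOWS)}")
```

The check is deliberately one-directional: it answers "can this host get out", which is the question the thread turns on. Inbound reachability of the port statics (what the Internet can reach on 200.100.100.168) is a separate question that the access-list on the outside interface decides.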

Tags: Cisco Security

Similar Questions

  • PIX 515: no traffic on the new IP address range, nothing blocked

    We have received a new range of IPs, 213.x.x.x/28, from our ISP. They are routed through our existing gateway 92.x.x.146.

    The problem:
    We cannot get any traffic to the PIX on the new 213.x.x.x/28 range.
    - If we try to ping 213.x.x.61, we get "time to live exceeded".
    - The ISP gets the same thing from their router.
    - The ISP tries ssh and gets "no route to host".

    The ISP has checked and double-checked the routing and the MAC address of our outside interface. They are correct.

    The strange thing is that we cannot see ANY log messages about incoming connection attempts to the new range. The PIX is running at logging level 7.

    Does anyone have an idea what the problem could be, or suggestions for debugging the issue?

    Excerpt from config:
    PIX 515 running 7.0(7)
    ip address outside 92.x.x.146 255.255.255.240
    ip address inside 192.168.101.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 92.x.x.145 1
    access-group acl_out in interface outside
    access-list acl_out extended permit tcp any host 213.x.x.x eq www
    access-list acl_out extended permit tcp any host 213.x.x.x eq ssh
    static (inside,outside) 213.x.x.61 192.168.101.99 netmask 255.255.255.255
    icmp permit any unreachable outside

    192.168.101.99 is a test Linux server with http and ssh.

    Any help much appreciated.

    PM

    dsc_tech_1 wrote:

    I have spoken to the ISP and confirmed the MAC address of the outside interface Ethernet0.

    The ISP says:
    ...we are sending this correctly to your pix, you should see any traffic destined for a 213.x.x.0/28 address hit your interface at 92.x.x.146/32

    Yes 217.x.x.81 and 217.x.x.82 are routers owned by our ISP.

    Is there anything else I can ask the ISP in terms of testing/debugging? I've run out of ideas.

    If the routers are owned by your ISP, then the fault lies with them. They have a routing loop in their network and that's why packets are not reaching your firewall. Have you shown them the traceroute?

    They need to focus on the .81 and .82 routers to establish why the packets are looping between these two routers. Until they fix this, packets will never reach your firewall.

    Jon

  • How to block Instant Messaging applications (SOCKS protocol) on my PIX 515

    I would like to block all instant messaging application traffic on my PIX 515. Some of them use the SOCKS protocol. Can someone help me block these applications, or the SOCKS protocol, on my PIX 515?

    Regards

    This was just answered in a thread below.

    object-group service MSN_Messenger_tcp tcp
      description MSN Messenger tries to use these ports
      port-object eq www
      port-object eq 1863
      port-object eq 7001
    object-group network MSN_Messenger_hosts
      description MSN Messenger hosts
      network-object 65.54.195.0 255.255.255.0
      network-object 65.54.225.0 255.255.255.0
      network-object 65.54.226.0 255.255.254.0
      network-object 65.54.228.0 255.255.254.0
      network-object host 65.54.240.61
      network-object host 65.54.240.62
      network-object 207.46.104.0 255.255.252.0
      network-object 207.46.108.0 255.255.255.0
      network-object 207.68.171.0 255.255.255.0
    access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp

    Apply this as an ACL on your inside interface.

    Patrick

  • Cisco Pix 515 VPN problems

    Hi all

    Here's my problem: I have 2 PIX 515 firewalls...

    I'm trying to implement a site-to-site VPN between 2 of our sites...

    Two of these firewalls currently run another site-to-site VPN, so I know that works...

    I can't get the second site-to-site VPN to come up... when looking at the syslogs I get denied packets...

    Protected networks are:

    172.16.48.0/24 and 172.16.4.0/22

    If I try to ping from the Cisco (172.16.48.4) to 172.16.4.5, I get the following syslog:

    2 Sep 02 2008 08:59:47 106001 172.16.48.4 172.16.4.5 Inbound TCP connection denied from 172.16.48.4/1231 to 172.16.4.5/135 flags SYN on interface inside

    It seems that the tunnel is trying to initiate, but something is blocking the internal traffic from entering the VPN.

    Not sure what that might be; the other VPNs are working properly.

    Any help would be great...

    I enclose a copy of one of the configs...

    Let me know if you need another...

    no route inside 172.16.4.0 255.255.252.0 172.16.48.1 1

    Remove this route and you should be good. Please rate if it does. Similarly, if you have a similar route at the other end, it should be deleted as well.

  • PIX 515 DMZ problem

    Hello

    We have some difficulty moving traffic in and out of a Cisco PIX 515 firewall. We use it with two DMZs. The first DMZ has a mail server in it (the front-end mail server) that communicates with a different mail server (the back-end mail server) on the inside; it is called DMZ1. The second DMZ (DMZ2) has some users who are expected to pass through the firewall to the outside and use the Internet, and who must have access to the DMZ1 e-mail server. Inside users must be able to use the Internet and access DMZ1. Here's the important part of our setup.

    What we got working: inside users can access the Internet, inside users can reach the DMZ1 e-mail server, and the mail server in DMZ1 can reach the inside. Our problem is that we are unable to browse the Internet from the DMZ1 messaging server if we put the DMZ1 IP address as the gateway on that server, and the ISP's DNS IP address is properly set on the same machine. Also, we could not get DMZ2 users to browse the Internet, although we allowed the www protocol in the fromOut access list. One last question: can we make DMZ2 a DHCP server on that interface of the PIX and have it distribute IP addresses to users on that subnet only? Thanks for any help in advance.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto
    !
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz1 security50
    nameif ethernet3 dmz2 security40
    !
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    !
    names
    !
    ip address outside X.Y.Z.163 255.255.255.248
    ip address inside 192.168.0.9 255.255.255.0
    ip address dmz1 192.168.10.1 255.255.255.0
    ip address dmz2 192.168.20.1 255.255.255.0
    !
    access-list fromOut permit icmp any host X.Y.Z.162 source-quench
    access-list fromOut permit icmp any host X.Y.Z.162 echo-reply
    access-list fromOut permit icmp any host X.Y.Z.162 unreachable
    access-list fromOut permit icmp any host X.Y.Z.162 time-exceeded
    access-list fromOut permit tcp any host X.Y.Z.162 eq domain
    access-list fromOut permit tcp any host X.Y.Z.162 eq telnet
    access-list fromOut permit tcp any host X.Y.Z.162 eq smtp
    access-list fromOut permit tcp any host X.Y.Z.162 eq www
    !
    access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
    access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
    !
    access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    !
    pager lines 24
    !
    mtu outside 1500
    mtu inside 1500
    mtu dmz1 1500
    mtu dmz2 1500
    !
    global (outside) 1 X.Y.Z.164 netmask 255.255.255.248
    global (outside) 2 X.Y.Z.165 netmask 255.255.255.248
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    nat (dmz1) 1 192.168.10.2 255.255.255.255 0 0
    nat (dmz2) 2 192.168.20.0 255.255.255.0 0 0
    static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (dmz2,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (dmz1,outside) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0
    !
    access-group fromOut in interface outside
    access-group fromDMZ1 in interface dmz1
    access-group fromDMZ2 in interface dmz2
    route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1

    Hi jamil,

    There is a sentence on the URL I sent you; you can now activate the DHCP option on the interface. Just check this...

    REDA
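Added example, not code from either thread: a Python evaluator for PIX interface access lists that expands object-groups and applies first-match semantics with the implicit deny at the end. The constructed config combines the fromDMZ1 and fromDMZ2 lists from the DMZ post above with an abridged copy of the MSN object-group ACL from the instant-messaging post. Run against the DMZ lists it gives the reason the DMZ1 mail server and the DMZ2 users cannot reach the Internet whatever the gateway or the fromOut list says: fromDMZ1 permits 192.168.10.2 only towards 192.168.0.0/24 and fromDMZ2 permits DMZ2 only towards 192.168.10.0/24, and an access-group bound to an interface drops everything else arriving on it, including traffic bound for the outside. Run against the MSN list it shows that a connection on 1863 to a host outside the group, or on a port outside the service group, is still permitted, which is the weakness of blocking by address list. The client address 192.168.1.10 and the Internet address 198.51.100.10 are made up; source-port specs are not parsed because none of the lists use them.

```python
"""Expand PIX object-groups and evaluate an interface ACL against a flow.

Added example, not code from either thread. Source-port specs are not parsed.
"""
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "domain": 53, "telnet": 23}
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Constructed config: the fromDMZ1/fromDMZ2 lists from the DMZ thread above and
# an abridged copy of the MSN object-group ACL from the instant-messaging thread.
CONFIG = """\
access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
object-group service MSN_Messenger_tcp tcp
  port-object eq www
  port-object eq 1863
  port-object eq 7001
object-group network MSN_Messenger_hosts
  network-object 65.54.195.0 255.255.255.0
  network-object 65.54.226.0 255.255.254.0
  network-object host 65.54.240.61
  network-object 207.46.104.0 255.255.252.0
access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list acl-inside permit ip any any
"""


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def take_addr(tokens, groups):
    """Consume one address spec; return (list of networks, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(f"{tokens[1]}/32")], tokens[2:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]


def take_ports(tokens, groups):
    """Consume an optional port spec as (lo, hi) ranges; an empty list means any port."""
    if not tokens:
        return []
    if tokens[0] == "eq":
        return [(port_num(tokens[1]),) * 2]
    if tokens[0] == "range":
        return [(port_num(tokens[1]), port_num(tokens[2]))]
    if tokens[0] == "object-group":
        return groups[tokens[1]]
    return []


def parse(config):
    """Return (object-groups, {acl name: [(action, proto, srcs, dsts, ports), ...]})."""
    groups, acls, current = {}, {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "description":
            continue
        if t[0] == "object-group":          # object-group network|service NAME [tcp]
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":      # host A | A MASK
            current.append(ipaddress.ip_network(f"{t[2]}/32") if t[1] == "host"
                           else ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        elif t[0] == "port-object":         # eq P | range A B
            current.extend(take_ports(t[1:], groups))
        elif t[0] == "access-list":         # access-list NAME [extended] action proto src dst [ports]
            if t[2] == "extended":
                del t[2]
            name, action, proto, rest = t[1], t[2], t[3], t[4:]
            srcs, rest = take_addr(rest, groups)
            dsts, rest = take_addr(rest, groups)
            acls.setdefault(name, []).append((action, proto, srcs, dsts, take_ports(rest, groups)))
    return groups, acls


def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; no match is the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, srcs, dsts, ports in acl:
        if aproto not in ("ip", proto):
            continue
        if not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if ports and not any(lo <= dport <= hi for lo, hi in ports):
            continue
        return action
    return "deny"


if __name__ == "__main__":
    _, acls = parse(CONFIG)
    for name, proto, src, dst, dport in [
            ("fromDMZ1", "tcp", "192.168.10.2", "192.168.0.5", 25),     # front end to back end
            ("fromDMZ1", "tcp", "192.168.10.2", "198.51.100.10", 80),   # front end to the Internet
            ("fromDMZ2", "tcp", "192.168.20.7", "198.51.100.10", 80),   # DMZ2 user to the Internet
            ("acl-inside", "tcp", "192.168.1.10", "65.54.227.5", 1863),
            ("acl-inside", "tcp", "192.168.1.10", "65.54.240.63", 1863)]:
        print(name, proto, src, dst, dport, "->", evaluate(acls[name], proto, src, dst, dport))
```

The evaluator only decides the access-list; on a real PIX a flow from a DMZ also needs a translation (see the nat/global discussion at the top of the page) before the access-list is consulted, so a "permit" here is necessary but not sufficient.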

  • VPN to pix 515

    Good day to all,

    I'm trying to configure the VPN client to a PIX 515.  Once VPN'ed in, the traffic goes nowhere except on THIS subnet. The VLAN that we are trying to reach is 10.111.250.x/23.  Once VPN'ed in, the IP address allocation is 10.111.250.33 - 10.111.250.63. We can VPN in and get a VPN IP assigned, but we cannot get anywhere on the inside VLANs.  I was sure that it could be done at layer 2.  You can see the assigned VPN addresses as ARP entries and the inside VLAN address on the PIX.

    Keep in mind, my first thought was to change the assigned VPN address range, but we do not want to carry on this VLAN, especially because access is very limited.

    Is it possible to make this work?  If I have to redo the attributes and policy, I will.

    Thank you

    Dwane

    The output shows that the PIX is decrypting packets, but not encrypting.

    So there is a good chance that packets are sent into the network but do not return.

    Check the following:

    management-access inside --> this command should allow you to ping the inside IP of the VPN PIX (make sure that you TEST this IP address when connected)

    Verify that the default gateway on the inside network (behind the PIX) is the inside IP of the PIX.

    After these tests, post again "sh cry ips sa"

    Federico.

  • question static pix 515

    I have installed a PIX 515 at home on my broadband connection for testing. I was wondering if it is possible to use the static command to map an internal host to the DHCP address assigned by the ISP. I have a DNS client set up to map the DHCP-assigned WAN address to a public DNS name.

    Example:

    interface0 outside
    interface1 inside
    ip address outside dhcp setroute
    ip address inside 172.16.0.1
    ip route 0.0.0.0 0.0.0.0 dhcp

    Thank you

    Assuming you have something like:

    > nat (inside) 1 0 0
    > global (outside) 1 interface

    for your outgoing traffic, you can do the following for incoming traffic:

    > static (inside,outside) tcp interface 80 172.16.0.2 80 netmask 255.255.255.255

    This maps every TCP port 80 packet destined for the PIX outside interface to the internal server at 172.16.0.2 on port 80. The keyword "interface" means the outside interface's IP address. You can add as many of these port mappings as you want. The ports don't have to be the same either; you can map port 80 to port 345 if you wish.

  • ID and PIX 515

    I was told that the PIX 515E firewall is capable of BLOCKING malicious attacks such as Denial of Service attacks. I then learned from CA engineers that there is NO product out there that is able to block attacks; they only notify the administrator. I'd like your opinion on whether the PIX firewall can actually BLOCK attacks or not. Thanks in advance.

    The PIX has some features to prevent DoS attacks, but it can't block everything. For example, if someone launches a smurf attack or something else that uses all of your available bandwidth, then the PIX obviously cannot do anything about it, because the damage is already done by the time the traffic reaches the PIX.

    For something like a TCP SYN attack on a host inside the PIX, you can configure the static command to allow only a total number of connections through, and/or a number of half-open connections to the internal host, effectively protecting the internal server. The PIX will refuse further connection attempts over this limit.

    The PIX also has a limited built-in IDS. It can detect 59 common packet signatures and can be configured to block these if they are seen. The signatures it looks for are only single-packet signatures, nowhere near as wide as what a real IDS device can detect.

    In short, no one can say "Yes, the PIX prevents all DoS attacks"; no box can do that, because it depends on what the DoS attack is. If someone is flooding your available circuit bandwidth, you really need to get your ISP involved to block this traffic BEFORE it gets to you. For host-based DoS attacks, yes, the PIX should be able to block most of them with standard configuration controls.
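Added example, not PIX code and not from the thread: a Python model of the per-static connection limits the answer describes, i.e. the max_conns and emb_limit arguments of the static command, fed a constructed SYN flood. It shows the two limits behaving differently: emb_limit caps only half-open connections, so an established session keeps working and the legitimate client gets in again once the spoofed half-open entries time out, while max_conns counts established sessions too. The client address 10.9.8.7, the spoofed 203.0.113.x sources and the port numbers are made up; the embryonic timeout is modelled as an explicit close event.

```python
"""A model of the per-static connection limits described in the answer above.

Added example, not PIX code. It mimics what the answer says the static
command's max_conns and emb_limit arguments do: once a limit is reached,
further SYNs to the protected host are refused until connections complete
or time out.
"""


class StaticLimits:
    """Connection state for one static entry; a limit of 0 means unlimited."""

    def __init__(self, max_conns=0, emb_limit=0):
        self.max_conns = max_conns
        self.emb_limit = emb_limit
        self.embryonic = set()     # (client_ip, client_port): SYN seen, handshake not finished
        self.established = set()   # three-way handshake completed
        self.dropped = []          # SYNs refused because a limit was hit

    def syn(self, client):
        """A new SYN for the protected host; returns True if it is let through."""
        total = len(self.embryonic) + len(self.established)
        if self.max_conns and total >= self.max_conns:
            self.dropped.append(client)
            return False
        if self.emb_limit and len(self.embryonic) >= self.emb_limit:
            self.dropped.append(client)
            return False
        self.embryonic.add(client)
        return True

    def handshake_done(self, client):
        """Final ACK seen: the connection no longer counts as half-open."""
        if client in self.embryonic:
            self.embryonic.remove(client)
            self.established.add(client)

    def close(self, client):
        """FIN/RST, or the embryonic timeout firing for a half-open entry."""
        self.embryonic.discard(client)
        self.established.discard(client)


def replay(events, max_conns=0, emb_limit=0):
    """Feed (event, client) tuples through the limits and return the final state."""
    lim = StaticLimits(max_conns, emb_limit)
    handlers = {"syn": lim.syn, "ack": lim.handshake_done, "close": lim.close}
    for event, client in events:
        handlers[event](client)
    return lim


# Constructed traffic: one real client that completes its handshake, then 50
# spoofed SYNs that never complete (the sources do not exist), a second real
# attempt during the flood, the embryonic timeouts, and a third real attempt.
LEGIT = "10.9.8.7"
SPOOFED = [(f"203.0.113.{i}", 1000 + i) for i in range(50)]
FLOOD = (
    [("syn", (LEGIT, 40001)), ("ack", (LEGIT, 40001))]
    + [("syn", c) for c in SPOOFED]
    + [("syn", (LEGIT, 40002))]
    + [("close", c) for c in SPOOFED]
    + [("syn", (LEGIT, 40003))]
)

if __name__ == "__main__":
    for mc, el in ((0, 0), (0, 10), (5, 0)):
        lim = replay(FLOOD, max_conns=mc, emb_limit=el)
        print(f"max_conns={mc} emb_limit={el}: dropped={len(lim.dropped)} "
              f"half-open={len(lim.embryonic)} established={len(lim.established)}")
```

With no limits the spoofed entries sit in the table until they time out, which is the resource the attacker is after. With emb_limit=10 the flood costs the victim at most ten half-open slots and one refused legitimate SYN during the flood; with max_conns=5 the established session also counts, so the protection is tighter but a busy server will hit it under normal load. Note that PIX software from 5.2 onward reacts to an exceeded emb_limit with TCP Intercept (the PIX completes the handshake with the client on the server's behalf and only opens the server-side connection once the client answers) rather than by simply refusing SYNs as this model and the answer describe; the half-open versus established accounting is the same either way.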

  • PDM with PIX 515 does not work

    I just upgraded our PIX 515 from 6.1 to 6.2. I also added support for, and loaded, version 2.1 of the PDM. I am trying to browse to the PDM, but I can't. What am I missing?

    Hello

    Have you added the following lines to your config, and have you used HTTPS to access the PIX (HTTP is not supported, only HTTPS)?

    http server enable
    http A.B.C.D 255.255.255.255 inside

    A.B.C.D is the IP address of the host from which you are trying to reach the PIX with the PDM.

    If you're still having problems after adding these two lines, have a look at this page:

    http://www.Cisco.com/warp/customer/110/pdm_http404.shtml

    Kind regards

    Tom

  • How to open a port and limit the range of addresses that use it on PIX 515?

    I have a PIX 515 v6.3, and a new piece of software that I'm getting soon needs port 5080 open for incoming & outgoing HTTP traffic. The server will be in my DMZ at 10.0.0.1.

    I would like to restrict inbound access to this port so that it can only be used from 4 specific foreign IP addresses, xxx.xxx.xxx.24 through xxx.xxx.xxx.27, and also, if possible, limit the outbound destination using this port to a single specific foreign IP address, xxx.xxx.xxx.30.

    Could you please tell me the best way to do it.

    Thank you in advance from a relative novice to PIX.

    PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.24 host MyWWWPublicIP eq 5080
    PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.25 host MyWWWPublicIP eq 5080
    PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.26 host MyWWWPublicIP eq 5080
    PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.27 host MyWWWPublicIP eq 5080
    PIX(config)# access-group acl-outside in interface outside
    PIX(config)# access-list acl-dmz permit tcp host 10.0.0.1 host xxx.xxx.xxx.30 eq 5080
    PIX(config)# access-group acl-dmz in interface dmz
    PIX(config)# static (dmz,outside) MyWWWPublicIP 10.0.0.1 netmask 255.255.255.255 0 0

    See also:

    PIX 500 series firewall
    http://www.Cisco.com/pcgi-bin/support/browse/psp_view.pl?p=hardware:PIX&s=Software_Configuration

    Configuring the PIX Firewall with Mail Server Access on the DMZ Network
    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

    Sincerely

    Patrick

  • MM, pix 515 and mac filtering

    I have an application called MeetingMaker, located behind my PIX 515, that is used off-site by 5 users. Since they access this program over the Internet, and the users can have dynamic addresses, is it possible to filter by MAC address somehow to allow access through the firewall to the app? Thank you.

    MAC addresses do not cross layer 3 boundaries. In other words, your clients' MAC addresses cannot be seen or known once the traffic passes through the default router for that subnet. So the answer to your question is 'no'.

    You can use AAA to handle this. How do your clients connect to the server (port/application)? If it's HTTP/S, the PIX can check for a username and password before allowing access. If it is a different application/port, you can still use authentication by requiring them to connect to the web server first. This will cause the PIX to authenticate them using the browser challenge, and the PIX can be configured to allow connections from the authenticated hosts.

  • VPN for PIX 515 allowing access to a single host

    I have already set up a VPN connection on my PIX 515, which allows users to connect to our network via the Cisco VPN client to access network resources.

    What I want to configure now is another VPN connection that external users can use, but which would only allow access to one host.

    E.g. I would like to VPN into my site but only be allowed to access 10.1.1.1 on my network.

    How can I do this? Do I have to set up another VPNGROUP and somehow configure an access list to allow traffic only to one host? Can anyone help with the correct syntax for the PIX.

    Thank you

    Scott

    You will already have a bunch of "vpngroup" commands in your PIX; simply go into config mode and add more "vpngroup" commands, but with a different group name. The VPN client then uses this group name to connect to the PIX.

    Another way to allow access to only one host for this group is to use split tunnelling on this group, and in the split-tunnel ACL list only that one host.

  • PIX 515 6.1 (1) crashes every night

    We have a PIX 515E firewall (failover) with a simple configuration to allow web traffic only from the inside. The PIX has three Ethernet interfaces and the DMZ is rarely used, only for specific needs. A www server is hosted with authentication through AAA for incoming users from the inside.

    For the last week, the PIX crashes at the end of each evening. No traffic crosses the PIX and we cannot ping any devices from the PIX either. There are a lot of "no buffers" counts seen on all the PIX interfaces. The CPU usage is about 21%.

    Can anyone help to determine if this could be a hardware problem?

    Best regards, Murali

    Hi Murali,

    I'm not aware of any problem with the hardware, but there could be a software bug. I suggest that you open a case with Cisco TAC.

    Or you can upgrade to 6.1.4, which has fixes for most of the bugs.

    Thank you

    Syed

  • Web error: traffic blocked due to exceed the quota of session

    I have a problem with access to the internet. I don't know if I am posting this in the right forum category or not.

    Since last week I have been sporadically getting the following random error message when going online. It comes when trying to access a web page, but it seems to have nothing to do with the page itself. It shows up on a wide variety of web pages.

    "Traffic blocked because of exceeding per-IP shaper session quota. Please contact the system administrator. Your session quota is: 512; more traffic will be blocked."

    I get this message both on my computer and on my husband's iPad. Usually, if I refresh the page, the web page I was originally trying to reach loads. But sometimes this error message will just keep coming up when I try to reload the page.

    I use a MacBook Pro Retina, OS X El Capitan 10.11.4, Safari version 9.1. My husband's iPad is an early iPad Mini (I don't know exactly which) running the latest iOS, I think 9.3.1, and the Atomic web browser.

    I tried to do a search online for other people with this same problem and I found a lot of different complaints, but they were all in different languages from around the world. And none of them had real fixes. The only one in English that even made any sense is here: http://superuser.com/questions/550362/http-requests-met-with-traffic-blocked-because-of-exceed-per-ip-shaper-session . But it doesn't really say how to solve this problem.

    I plan to call my ISP tomorrow morning, but I really don't see how this problem would be on their end. I use Dish Network satellite internet. It has a monthly data quota, but I have checked my usage, and that is not the problem. Indeed, my fair use allowance reset for the month yesterday, but I still get this message. In addition, the grammar is odd in this error message, and it does not look like a page from Dish. Something suggests it is in my internet connection. And it is on many devices in my home and disrupts the use of the internet for me and my family.

    Trying to Resti.

    I'd really appreciate any ideas on what it is and how to fix it. Thank you.

    So I called Dish, my ISP, on Friday, and no one there had heard of this problem. Their only suggestion was to connect my modem directly to my computer without going through the router and see if the problem persists, in order to see if the problem is with my AirPort Extreme. Unfortunately, my computer, a MacBook Pro Retina, lacks an Ethernet port.

    I'm at a complete loss what to do about it; it's slowly getting worse and coming more often. Does anyone have any suggestions?

  • I have a TouchSmart 300-1007 that hard-locks after about 30 minutes of being turned on

    Windows 7 Home Edition, stock machine, and it does it even if I boot into diagnostics (F9 at the start of the BIOS), so I doubt it has anything to do with the operating system.

    By "hard lock", I mean the screen goes black, the wireless keyboard's blue light on the USB fob stops flashing, and the power button does not turn it off even when held for 30 seconds. I have to pull the power cord to turn it off.

    It started shortly after applying the version 5.12 2A8E motherboard BIOS update published 2011-03-24. I never should have done that; experience shows that I get more problems than improvements when updating BIOSes.

    No heat problem (air vents are clean as a whistle). I suppose the best thing would be to restore the BIOS, but I don't know if that is possible, or how to do it.

    This is my daily workstation and is now effectively a boat anchor / doorstop / brick.

    Any ideas?

    Yay for me. My dose of GENIUS has had this machine running for THREE DAYS now without any problem whatsoever.

    It is CERTAINLY the evil genius of this machine, no doubt.

    Other victims of the TouchSmart series should band together and get some kind of compensation. I know that I had to buy a new computer to replace this one when it stopped working, and I spent a TON of time solving the problem (it would be an easy fix at the factory; not so easy at home).
