DNS query to internal DNS server from static NAT host

I had my workstation set up on a static NAT address with the following ...

static (inside,outside) 1.2.3.4 10.16.61.247 netmask 255.255.255.255

and the following ACL applied to the outside interface ...

access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 3389

under PIX 7.0 software. With this in place my workstation can't do a DNS lookup using an internal DNS server.

What do I need to make this work? I have a very similar setup in PIX 6.3 working.

TIA

Reply to
none

You weren't very clear here as to whether your workstation and DNS server are on the Inside or Outside. Also note that although there is an explicit PERMIT from a higher security interface (Inside) to lower security (Outside), if you have any ACL applied inbound on the Inside then that explicit PERMIT is gone. You have to allow DNS (UDP 53) in your ACL.

Steve Griffin

Reply to
info

DNS and workstation are both inside, and a "permit ip any any" ACL is applied inbound on the inside interface.

Reply to
none

Found the fix ...

Needed this instead

static (inside,outside) tcp 1.2.3.4 3389 10.16.61.247 3389 netmask 255.255.255.255

Thanks!

Reply to
none

This cannot be the fix. What you are doing here is port redirection. Earlier you were mapping a one-to-one IP. This cannot be the fix; you are missing something here.

Reply to
rave

Thanks for making me think harder on why it worked ...

Yes, it resolved my problem, but I had actually misdiagnosed the problem originally: it looked like a DNS issue because that's the error I got back from my browser (stupid Micro$oft browser!). Actually the DNS lookup was working; it was the return of the web page to my desktop that was not being allowed back, because the only inbound port open was 3389.

PAT is actually what I wanted to do. I'm not sure how I got the original statement; I must have been half asleep while doing the configuration yesterday.

Reply to
none
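An added example, not from the thread: a small Python model of how a PIX-style firewall handles the two static forms posted above (the one-to-one static NAT and the tcp/3389 static PAT) together with the outside_access_in ACL and its connection table. Only 1.2.3.4 and 10.16.61.247 come from the thread; the remote web server 198.51.100.10, the probing host 192.0.2.50 and the outside-interface address 203.0.113.1 (standing in for an assumed nat/global pair that carries outbound traffic no static covers) are constructed for the example, and the model is a deliberate simplification of the real box.

```python
# Added example, not from the thread; only 1.2.3.4 / 10.16.61.247 come from it,
# every other address and the nat/global assumption are constructed.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Static:
    """static (inside,outside) [proto] <mapped> [mport] <real> [rport]; proto=None is one-to-one."""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    """Extended ACL line: <action> <proto> any host <dst> [eq <dport>]."""
    action: str
    proto: str  # "tcp", "udp" or "ip"
    dst: str    # mapped address: a PIX 7.x outside ACL is written against the translated IP
    dport: Optional[int] = None

class Pix:
    def __init__(self, statics: List[Static], outside_acl: List[Ace], interface_pat_ip: str):
        self.statics, self.outside_acl = statics, outside_acl
        self.interface_pat_ip = interface_pat_ip  # assumed nat/global for flows no static covers
        self.conns: Dict[Tuple, Packet] = {}      # mapped 5-tuple -> original inside packet

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: translate the source and record the connection."""
        for s in self.statics:
            if s.real_ip != pkt.src:
                continue
            if s.proto is None:
                xlated = replace(pkt, src=s.mapped_ip)
                break
            if s.proto == pkt.proto and s.real_port == pkt.sport:
                xlated = replace(pkt, src=s.mapped_ip, sport=s.mapped_port)
                break
        else:  # no usable static: dynamic PAT behind the outside interface
            xlated = replace(pkt, src=self.interface_pat_ip)
        self.conns[(xlated.proto, xlated.src, xlated.sport, xlated.dst, xlated.dport)] = pkt
        return xlated

    def inbound(self, pkt: Packet):
        """Outside -> inside: ("allow", packet as delivered inside) or ("drop", reason)."""
        orig = self.conns.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is not None:  # reply to a flow the inside host opened: conn table, not ACL
            return ("allow", replace(pkt, dst=orig.src, dport=orig.sport))
        real = self._untranslate(pkt)  # unsolicited: needs a translation before the ACL
        if real is None:
            return ("drop", "no translation")
        for ace in self.outside_acl:
            if ace.proto not in ("ip", pkt.proto) or ace.dst != pkt.dst:
                continue
            if ace.dport is not None and ace.dport != pkt.dport:
                continue
            return ("allow", real) if ace.action == "permit" else ("drop", "acl deny")
        return ("drop", "acl implicit deny")

    def _untranslate(self, pkt: Packet) -> Optional[Packet]:
        for s in self.statics:
            if s.mapped_ip != pkt.dst:
                continue
            if s.proto is None:
                return replace(pkt, dst=s.real_ip)
            if s.proto == pkt.proto and s.mapped_port == pkt.dport:
                return replace(pkt, dst=s.real_ip, dport=s.real_port)
        return None

WORKSTATION, MAPPED = "10.16.61.247", "1.2.3.4"                                # from the thread
OUTSIDE_IF, WEB_SERVER, PROBER = "203.0.113.1", "198.51.100.10", "192.0.2.50"  # constructed
ACL = [Ace("permit", "tcp", MAPPED, 3389)]  # access-list outside_access_in ... eq 3389

def one_to_one() -> Pix:
    """static (inside,outside) 1.2.3.4 10.16.61.247 netmask 255.255.255.255"""
    return Pix([Static(MAPPED, WORKSTATION)], ACL, OUTSIDE_IF)

def port_redirect() -> Pix:
    """static (inside,outside) tcp 1.2.3.4 3389 10.16.61.247 3389 netmask 255.255.255.255"""
    return Pix([Static(MAPPED, WORKSTATION, "tcp", 3389, 3389)], ACL, OUTSIDE_IF)

def exposure(pix: Pix) -> Dict[Tuple[str, int], str]:
    """Unsolicited probes from outside: "allow", or the reason the firewall dropped them."""
    result = {}
    for proto, port in (("tcp", 3389), ("tcp", 80), ("udp", 53)):
        verdict, detail = pix.inbound(Packet(proto, PROBER, 40000, MAPPED, port))
        result[(proto, port)] = "allow" if verdict == "allow" else detail
    return result

def web_round_trip(pix: Pix) -> Tuple[str, str, str]:
    """Workstation fetches a web page; the reply has no outside ACL entry of its own."""
    req = pix.outbound(Packet("tcp", WORKSTATION, 51000, WEB_SERVER, 80))
    verdict, delivered = pix.inbound(Packet("tcp", WEB_SERVER, 80, req.src, req.sport))
    return (verdict, req.src, delivered.dst if verdict == "allow" else delivered)
```

With the one-to-one static, every port of 10.16.61.247 is reachable as 1.2.3.4 and only the ACL keeps probes to tcp/80 or udp/53 out; with the port-redirecting static, a probe to any port other than tcp/3389 has no translation and is dropped before the ACL is evaluated, which is the difference rave is pointing at, and the reason static PAT exposes less if the ACL is ever loosened. In both configurations the reply to a connection the workstation opened is matched on the connection table and needs no outside ACL entry of its own.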

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.