Name resolution from inside DMZ

I searched on this topic and found a bunch of stuff relating to DNS but nothing that matched my situation exactly. I'm on PIX 515 version 6.3.3 and I have three interfaces, which are inside, outside and DMZ. I have a web server in the DMZ and up until now, only inbound traffic was allowed. However, with a new software package, we need the web server to be able to resolve names and get back out onto the internet. I configured the firewall to allow outbound traffic and it worked with an access list and a NAT statement, but there is no name resolution. I can telnet or web to IPs but not to names. I have two DNS servers internally that I can route the queries to, which is what I want to do if possible. Any ideas on how to set this up? I can post my config if necessary.

Thanks,

Paul

dexteroc

Maybe posting the config will help. How is the web server configured for DNS resolution? Internal DNS or ISP DNS?

Chris.

chris

I don't know enough about the OS on the web server... it is running IBM AIX, but I have a test computer working in the DMZ and until I am able to resolve names with that one I don't want to change settings on the web server. Currently there are no DNS queries traversing the firewall... all the internal clients are on the inside interface and they query the local internal DNS servers, which is what I want computers in the DMZ to do. Here is my configuration minus the unimportant stuff, and thanks for the help...

PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50

access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq https
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host eq pop3
access-list acl_out permit tcp any eq smtp host eq smtp
access-list acl_out permit tcp any eq ftp host eq ftp
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 eq https
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 eq http
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0

ip address outside 255.255.255.224
ip address inside 1.141.1.99 255.0.0.0
ip address DMZ1 10.0.0.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0
static (DMZ1,outside) tcp www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp https 10.0.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0

access-group acl_out in interface outside
access-group dmz_out in interface DMZ1
route outside 0.0.0.0 0.0.0.0 1

dexteroc

access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 eq https
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 eq http

So you are not allowing DNS out. Maybe that's the problem then? Note that if you want to allow DNS to your internal DNS server then you will have to set up NAT for that (DMZ to inside) as well as adding the rule to the DMZ ACL. If the web server is configured with external DNS servers then you will just have to add tcp/udp 53 to the rules.

Chris.

chris
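The two-part change Chris describes (a static for the DMZ-to-inside direction plus port 53 entries in dmz_out), written out as an added PIX 6.3 configuration example; it is not from the thread or from Paul's firewall. The inside DNS server addresses are never given, so DNS_SRV1 and DNS_SRV2 are placeholders, and the rules are scoped to the web server 10.0.0.3 only.

```cisco
! Added example (not from the thread): let the DMZ web server 10.0.0.3
! query the two internal DNS servers. DNS_SRV1 / DNS_SRV2 are placeholders
! for the real inside addresses, which the thread does not give.
!
! 1. Make the inside DNS servers reachable from DMZ1 without translation.
!    DMZ1 (security50) to inside (security100) is a lower-to-higher flow;
!    without a static (or nat 0) for the destination, PIX 6.3 has no
!    translation slot for it and silently drops the query.
static (inside,DMZ1) DNS_SRV1 DNS_SRV1 netmask 255.255.255.255 0 0
static (inside,DMZ1) DNS_SRV2 DNS_SRV2 netmask 255.255.255.255 0 0
!
! 2. Permit only the web server, only to those two servers, only on port 53
!    (least privilege: not "10.0.0.0 255.255.255.0" and not "any").
!    UDP carries normal lookups; TCP is used when a reply is truncated.
access-list dmz_out permit udp host 10.0.0.3 host DNS_SRV1 eq domain
access-list dmz_out permit udp host 10.0.0.3 host DNS_SRV2 eq domain
access-list dmz_out permit tcp host 10.0.0.3 host DNS_SRV1 eq domain
access-list dmz_out permit tcp host 10.0.0.3 host DNS_SRV2 eq domain
!
! The ACL is already bound inbound on the DMZ interface in the posted
! config ("access-group dmz_out in interface DMZ1"), so nothing else is
! needed; the implicit deny at the end of dmz_out still blocks all other
! DMZ-to-inside traffic.
!
! Alternative from Chris's last sentence: if the web server is pointed at
! ISP resolvers instead, no static is needed because "nat (DMZ1) 1" already
! covers DMZ-to-outside; only the destination of the port 53 rules changes
! (ISP_DNS is again a placeholder).
! access-list dmz_out permit udp host 10.0.0.3 host ISP_DNS eq domain
! access-list dmz_out permit tcp host 10.0.0.3 host ISP_DNS eq domain
```

Test from the DMZ test host first, as Paul planned, and check `show xlate` for the new static entries and `show access-list dmz_out` hit counts to confirm which rule the queries are matching.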

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.