I inherited a LAN with a not-very-well documented DMZ. My DNS server is 172.16.1.159/16, and my DMZ client is 172.30.1.3. The DNS server's default gateway is the PIX's "inside" port (172.16.1.181), and the DMZ client's default gateway is the PIX's "dmz" port (172.30.1.1). The PIX is a 525 running PIX OS 6.3(5).
In order for the DMZ client to be able to access HTTP and DNS ports on the DNS server, I have the following ACL rules in place:
access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq www
access-list dmzin permit tcp host 172.30.1.3 host 172.30.1.159 eq domain
access-list dmzin permit udp host 172.30.1.3 host 172.30.1.159 eq domain
static (inside,dmz) tcp 172.30.1.159 www 172.16.1.159 www netmask 255.255.255.255 0 0
static (inside,dmz) tcp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0
static (inside,dmz) udp 172.30.1.159 domain 172.16.1.159 domain netmask 255.255.255.255 0 0

I have both UDP & TCP permitted on port 53, so DNS requests from the DMZ to Inside should work. But they don't seem to! HTTP requests from the DMZ to Inside function correctly. Interestingly, I can telnet to the DNS port on the server from the DMZ, I just can't actually make requests. Like so:
$ telnet 172.30.1.159 53
Trying 172.30.1.159...
Connected to 172.30.1.159.
Escape character is '^]'.
AS quit
Connection to 172.30.1.159 closed.
$ nslookup
*** Can't find server name for address 172.30.1.159: Non-existent host/domain
*** Default servers are not available

Am I missing something obvious here? The PIX has fixup enabled for both HTTP and DNS. I've tried enabling the "listen-on" option on the BIND server (v8), but to no avail.
Thanks,
Chris
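A telnet connect to port 53 only proves that the TCP SYN/ACK path through the firewall works; nslookup starts with a reverse lookup of the server address, and it sends that over UDP. The script below is an added diagnostic, not part of Chris's post or of any Cisco tooling: it hand-builds an RFC 1035 A query, sends the same query once over UDP and once over TCP (with the 2-byte length prefix TCP DNS requires), and reports separately whether each transport returned an answer, timed out, or returned something unparsable. The server address 172.30.1.159 is the translated address from the post; the query name `example.com` is a placeholder and should be replaced with a name the inside server is authoritative for.

```python
import random
import socket
import struct

DNS_PORT = 53


def build_query(name, qid=None, qtype=1):
    """Build a minimal DNS query (one question, RD set) in RFC 1035 wire format."""
    qid = random.randint(0, 0xFFFF) if qid is None else qid
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, expect_id=None):
    """Return (rcode, [A record addresses]) from a DNS response message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header (%d bytes)" % len(msg))
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expect_id is not None and qid != expect_id:
        raise ValueError("response id 0x%04x does not match query 0x%04x" % (qid, expect_id))
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4  # +QTYPE +QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(socket.inet_ntoa(rdata))
    return rcode, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def query_udp(server, name, timeout=3.0):
    q = build_query(name)
    qid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_response(data, qid)


def query_tcp(server, name, timeout=3.0):
    q = build_query(name)
    qid = struct.unpack("!H", q[:2])[0]
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS: 2-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_response(data, qid)


def compare_transports(server, name):
    """Run the same query over UDP and TCP; return a per-transport result string."""
    results = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            rcode, answers = fn(server, name)
            results[label] = "rcode=%d answers=%s" % (rcode, answers)
        except (socket.timeout, OSError, ValueError) as exc:
            results[label] = "FAILED: %s" % exc
    return results


if __name__ == "__main__":
    # 172.30.1.159 is the static-translated address from the post; the name is a placeholder.
    for transport, outcome in compare_transports("172.30.1.159", "example.com").items():
        print("%s: %s" % (transport, outcome))
```

If UDP times out while TCP answers, the problem is on the UDP path (the udp static, the udp ACL line, or the DNS fixup); if both transports return a parsable response but the addresses in the answers are unexpected, look at what the DNS fixup is rewriting between the inside and dmz address spaces.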