PIX 501 firewall - DNS problem

Hello all,

I am new to PIX so you all have to bear with me.

I am having a problem with a remote office which has a few workstations and no server. The remote office, which uses a PIX 501 firewall, can't seem to resolve computer names. Internet works fine and it can also ping the main office computers by IP address. But I am not able to use \\servername\sharename and can't ping by computer name. Temporarily I made those workstations use a HOSTS file and it is working, but I want them to use DNS.

Any help on this regard is appreciated. Thanks

Reply to
wizonline

Walter, Thanks for your prompt response.

We use a Windows 2003 server in the main office. We only use a DNS server, not a WINS server. What amazes me about this problem is that this PIX was working well and all of a sudden one day it's not working.

We have many other users using VPN Clients and it works fine. So I believe it's not the main office DNS or a network problem. I am assuming there is something wrong with the remote PIX firewall.

Any more help???

Reply to
wizonline

When the clients are connected remotely, they will need to have your internal DNS number, in order to resolve internal names. So, this would have to appear in the client setup. If the client is resolving DNS with the ISP-provided DNS, it will not work for your internal machines.

How you implement this varies with the software package, but that's the source of your issue. It's not on the concentrator, it's on the client. (or whatever configuration the concentrator pushes to the client if that's how your system works).

-Russ.

Reply to
Somebody.

In article , wrote:
: I am new to PIX so you all have to bear with me.

For future reference: most PIX discussion takes place in comp.dcom.sys.cisco

: I am having problem with remote office which has few workstations with no server. Remote office which uses PIX 501 firewall can't seem to resolve computer names. Internet works fine and it also can ping the main office computers with the IP address. But I am not able to user \\servername\sharename and can't ping computer name. For temporarily I made those workstations to use HOST file and it is working but I want them to use DNS.

There are a few different possibilities depending upon the location of the DNS servers and the traffic flows you have defined, and the configuration of the PCs.

Generally speaking, remote \\\\servername\\sharename problems are best resolved by installing a WINS server and configuring the clients to know about it.

Reply to
Walter Roberson

Russ,

Thanks for the response. Remote clients get the DNS IP from the PIX firewall, where I have given the main office DNS server IP. As I said, this setup was working fine and suddenly it stopped working. I can still ping the main office machines by IP but not by computer name.

Users who connect through the VPN Clients have the same configuration and have no problem. Anything else I need to check?

Thanks again

Reply to
wizonline

You should start by verifying from the client via nslookup whether they are contacting and receiving replies from the correct DNS server.

If it's down to particular machines, check local firewalls for rules concerning TCP/UDP 53 or some sort of IPS features related to DNS. Try stripping one of the troubled machines of its AV, antispyware, and personal firewall products temporarily to see if there is any difference.

-Russ.

Reply to
Somebody.

I did everything you told me and it's still not working. The following is the PIX Firewall Configuration. Hope to get some more help on this.

pixfirewall# show config
: Saved
: Written by enable_15 at 22:22:54.158 UTC Thu Nov 10 2005
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OoKFED4gphfUO6Sf encrypted
passwd OoKFED4gphfUO6Sf encrypted
hostname pixfirewall
domain-name XXXXX.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment size 2000
sysopt connection tcpmss 0
telnet 0.0.0.0 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 10.209.203.88 10.209.203.5
dhcpd wins 10.209.203.19
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXX.com
dhcpd auto_config outside
dhcpd enable inside
vpnclient server XXX.XXX.XXX.X
vpnclient mode client-mode
vpnclient vpngroup XXXXX password ********
vpnclient username fw password ********
vpnclient management tunnel 10.209.203.0 255.255.255.0 10.209.206.0 255.255.255.0 10.209.212.0 255.255.255.0
vpnclient enable
terminal width 80
Cryptochecksum:ecca093d75796c47760fdbe4d9f6d902
pixfirewall#
Reply to
wizonline

I had a PIX firewall and Windows 2000 as a DNS server and all worked well. I upgraded to Windows 2003 and DNS started to whack out on me. I found that Windows 2003 has a new DNS setting by default that supports EDNS. What this means is that Windows 2003, if requested, will try to send DNS answers back with packets larger than the default 512. As you see, PIX defaults to 512 for their FIXUP. I tried to increase the Fixup as per the Cisco support doc says but it still was flaky. I eventually turned off EDNS support in 2003 with a Reg setting and never again had DNS problems. Maybe you should look to the following doco for help in setting this to see if it helps.

Reply to
Mark Murphy
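To see the failure mode Mark describes, here is an added example (not code from the thread or from Cisco) that parses a wire-format DNS reply, reports whether it carries an EDNS0 OPT record and the UDP payload size it advertises, and flags replies longer than the 512-byte limit of the posted "fixup protocol dns maximum-length 512" line. It assumes the fixup behaves as a plain length cap on UDP DNS messages, and builds its own constructed sample replies rather than capturing real traffic.

```python
import struct

PIX_DEFAULT_MAX = 512   # "fixup protocol dns maximum-length 512" in the posted config

def _skip_name(msg, off):
    # Walk a DNS name: labels end at a zero byte; a compression pointer (0xC0..) is two bytes.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def inspect_dns(msg):
    """Return (message length, EDNS0 payload size or None) for a wire-format DNS message."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    edns = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                          # OPT record: CLASS field carries the UDP payload size
            edns = rclass
        off += 10 + rdlen
    return len(msg), edns

def pix_would_drop(msg, max_len=PIX_DEFAULT_MAX):
    # Assumption: the fixup discards any UDP DNS message longer than max_len.
    return inspect_dns(msg)[0] > max_len

def build_reply(name, addrs, edns_payload=None, pad=0):
    # Constructed test data only: an A-record reply, optionally with an OPT record padded to 'pad' bytes.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 1 if edns_payload else 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for a in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    if edns_payload:
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, pad) + b"\x00" * pad
    return msg

if __name__ == "__main__":
    small = build_reply("fileserver.example.test", ["10.209.203.5"])
    big = build_reply("fileserver.example.test", ["10.209.203.5"], edns_payload=4096, pad=600)
    for m in (small, big):
        print(inspect_dns(m), "dropped by fixup:", pix_would_drop(m))
```

A reply with EDNS0 advertising 4096 bytes is only a problem once the answer actually exceeds 512 bytes; the same check with a raised max_len models the "increase the fixup" option Mark tried.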

Thanks to Mark and all who helped me on this issue. It is working fine now. I took the cue from Mark's postings and did some research on it. I didn't feel comfortable tweaking the DNS server; instead I disabled the FIXUP DNS and it is working smoothly.

I hope my posting will help others who are facing the same issues.

Thanks again.

Reply to
wizonline
