Pix 501 firewall-Protect DNS server

Hi,

I have configured a Pix 501 to protect a DNS server using the following config. The only function which is carried out by the server is DNS, so as much as possible I want to lock the server down, both outgoing and inbound so that only that function is allowed.

Any comments on this config?


----------------------------------------------------------

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 5gL encrypted

passwd 15f encrypted

hostname myname

domain-name mydomain.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521



fixup protocol tftp 69

names

access-list alist permit tcp any host 207.1.1.7 eq 7390

access-list alist permit udp any host 207.1.1.7 eq domain

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 207.1.1.5 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.7 domain 192.168.1.4 domain netmask 255.255.255.255 0 0

static (inside,outside) tcp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) udp 207.1.1.9 domain 192.168.1.6 domain netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.7 192.168.1.4 netmask 255.255.255.255 0 0

static (inside,outside) 207.1.1.9 192.168.1.6 netmask 255.255.255.255 0 0

access-group alist in interface outside

route outside 0.0.0.0 0.0.0.0 205.244.149.110 1



timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600



dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:eee1111ggggggdd

: end

[OK]


-------------------------------------------------------------

Sorry to have to ask, but what kinds of comments are you looking for? Have you been having a problem with the security?

I don't speak Cisco, so I can't comment on the specifics. However, if all you need is DNS resolution, then all you need is to pass UDP (and possibly TCP, depending on your implementation) port 53 through the firewall.

I speak Cisco, and if that's your purpose, then you probably need to reconsider your config.

By default, traffic flows in to out, but not out to in (unless expressly allowed). So, without any ACL applied, all traffic outbound is allowed and all inbound is NOT allowed.

You have applied an ACL to the outside interface, but not the inside interface. You'll need to make one (on simple Cisco 501 PIXes, I like to call them "inbound-ACL" and "outbound-ACL").

As far as DNS traffic goes....

--UDP 53 is DNS queries.
--TCP 53 is AXFR transfers (for like primary, secondary DNS stuff)

Not to be rude, but if you're asking this type of forum this type of question, you're probably needing the first option.

Hope this helps. If not, please let us know the specific question you're having a problem with...

Hello,

Can you post an example?