PIX DNS Problem with HH Devices Only

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • PIX DNS Problem with HH Devices Only

    I have four depot sites that communicate with our HQ using a 501 PIX at each site and a 506e at HQ. We do not have any DNS problems with the PCs at these locations. We are running DHCP using a Motorola WS2000 at each site. The problem is with the Symbol handhelds running Windows CE. They Tcom with a server at HQ. They work fine with the IP address of the server in the tcom settings. When we try to use a DNS setting in them they cannot resolve the name.
    All of our other sites communicate over a frame relay network using the same WS2000, handhelds, and settings. Their HHs do not have problems tcomming using DNS. The only difference between the sites is these use a PIX.

    I have tried removing the fixup protocol dns maximum-length 512 command from the PIX configs and they still cannot resolve the DNS name. I have spoken with Symbol and asked if they do anything special with DNS requests and they said no. Any ideas?

  • #2
    Re: PIX DNS Problem with HH Devices Only

    Anything showing in the logs for the pix?
    Anything special in the config? I assume it is a VPN between the two sites?
    cheers
    Andy

    Quis custodiet ipsos custodes?


    • #3
      Re: PIX DNS Problem with HH Devices Only

      In the logs I can see it building the connection, receiving 60 bytes, then tearing down the connection. Yes, this is a VPN between two sites. The DNS servers are at the HQ. Windows XP based PCs at the locations resolve DNS fine.

      302015: Built outbound UDP connection 86 for outside:192.168.110.97/53 (192.168.110.97/53) to inside:192.168.120.127/56562 (192.168.120.127/56562)
      302016: Teardown UDP connection 86 for outside:192.168.110.97/53 to inside:192.168.120.127/56562 duration 0:00:01 bytes 60

      : Saved
      :
      PIX Version 6.3(3)
      interface ethernet0 auto
      interface ethernet1 100full
      nameif ethernet0 outside security0
      nameif ethernet1 inside security100
      enable password 3GxmXFZiBirHbzVQ encrypted
      passwd
      hostname claremont
      fixup protocol dns maximum-length 512
      fixup protocol ftp 21
      fixup protocol h323 h225 1720
      fixup protocol h323 ras 1718-1719
      fixup protocol http 80
      fixup protocol rsh 514
      fixup protocol rtsp 554
      fixup protocol sip 5060
      fixup protocol sip udp 5060
      fixup protocol skinny 2000
      fixup protocol smtp 25
      fixup protocol sqlnet 1521
      fixup protocol tftp 69
      names
      access-list 5 permit icmp any any
      access-list 101 permit ip 192.168.120.0 255.255.255.0 192.168.110.0 255.255.255.0
      access-list 101 permit icmp 192.168.120.0 255.255.255.0 192.168.110.0 255.255.255.0
      access-list 101 permit ip 192.168.120.0 255.255.255.0 10.0.40.0 255.255.255.0
      access-list 101 permit icmp 192.168.120.0 255.255.255.0 10.0.40.0 255.255.255.0
      access-list 101 permit ip 192.168.120.0 255.255.255.0 10.0.80.0 255.255.255.0
      access-list 101 permit icmp 192.168.120.0 255.255.255.0 10.0.80.0 255.255.255.0
      access-list 101 permit ip 192.168.120.0 255.255.255.0 10.52.80.0 255.255.255.0
      access-list 101 permit icmp 192.168.120.0 255.255.255.0 10.52.80.0 255.255.255.0
      access-list 100 permit ip 192.168.120.0 255.255.255.0 192.168.110.0 255.255.255.0
      access-list 100 permit icmp 192.168.120.0 255.255.255.0 192.168.110.0 255.255.255.0
      access-list 100 permit ip 192.168.120.0 255.255.255.0 10.0.40.0 255.255.255.0
      access-list 100 permit icmp 192.168.120.0 255.255.255.0 10.0.80.0 255.255.255.0
      access-list 100 permit icmp 192.168.120.0 255.255.255.0 10.0.40.0 255.255.255.0
      access-list 100 permit ip 192.168.120.0 255.255.255.0 10.0.80.0 255.255.255.0
      access-list 100 permit ip 192.168.120.0 255.255.255.0 10.52.80.0 255.255.255.0
      access-list 100 permit icmp 192.168.120.0 255.255.255.0 10.52.80.0 255.255.255.0
      pager lines 24
      logging on
      logging buffered debugging
      mtu outside 1500
      mtu inside 1500
      ip address outside X.X.X.X 255.255.255.0
      ip address inside 192.168.120.1 255.255.255.0
      ip audit info action alarm
      ip audit attack action alarm
      pdm logging informational 100
      pdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 0 access-list 100
      nat (inside) 1 192.168.120.0 255.255.255.0 0 0
      access-group 5 in interface outside
      route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
      timeout xlate 0:30:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
      timeout uauth 0:05:00 absolute
      aaa-server TACACS+ protocol tacacs+
      aaa-server RADIUS protocol radius
      aaa-server LOCAL protocol local
      http server enable
      http 192.168.1.0 255.255.255.0 inside
      no snmp-server location
      no snmp-server contact
      snmp-server community public
      no snmp-server enable traps
      floodguard enable
      sysopt connection permit-ipsec
      crypto ipsec transform-set PASSWORD esp-3des esp-sha-hmac
      crypto map cisco 1 ipsec-isakmp
      crypto map cisco 1 match address 101
      crypto map cisco 1 set peer X.X.X.X
      crypto map cisco 1 set transform-set password
      crypto map cisco interface outside
      isakmp enable outside
      isakmp key ******** address X.X.X.X netmask 255.255.255.255
      isakmp identity address
      isakmp policy 1 authentication pre-share
      isakmp policy 1 encryption 3des
      isakmp policy 1 hash sha
      isakmp policy 1 group 2
      isakmp policy 1 lifetime 86400
      telnet 192.168.120.2 255.255.255.255 inside
      telnet timeout 5
      ssh timeout 5
      console timeout 0
      terminal width 80
      Cryptochecksum:25c7a4b9df47d4ca24bee43ce72d55c1
      : end


      • #4
        Re: PIX DNS Problem with HH Devices Only

        Did some DNS debugging from the Windows Server. The HHs are not members of the domain. When they would query DNS they used only the server name, such as server1. The DNS server would not recognize the server name because it was not a FQDN. It would show as a format error when debugging from the DNS server. If I added the full name of the server, server1.domain.com, to the handheld, the DNS server would resolve the name and the HH would work. To get around this problem, I added the domain name to the DHCP scope on the WS2000. Everything is working now.


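        An added illustration of the failure mode above (not code from the thread or from Symbol/Cisco): it builds the raw DNS question a client sends, flags a single-label QNAME such as "server1" as unqualified, and models what a stub resolver does once DHCP option 15 (domain-name, the value added to the WS2000 scope) supplies a suffix. The domain "domain.com" and hostname "server1" are the thread's placeholders; the simplified suffix rule is an assumption.

```python
import struct

def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 A query: 12-byte header, one question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(packet: bytes) -> list:
    """Return the question's labels (question sections are never compressed)."""
    i, labels = 12, []
    while True:
        n = packet[i]
        if n == 0:
            return labels
        labels.append(packet[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n

def is_unqualified(packet: bytes) -> bool:
    """A one-label QNAME is what the handheld sent with only 'server1' configured;
    a DNS server that refuses such names is what the poster saw as a format error."""
    return len(parse_qname(packet)) == 1

def qualify(name: str, dhcp_domain: str = "") -> str:
    """Assumed stub-resolver rule: with no suffix, send the name as typed; with a
    DHCP domain-name, append it to dotless names and leave dotted/absolute names alone."""
    if not dhcp_domain or "." in name:
        return name.rstrip(".")
    return f"{name}.{dhcp_domain.strip('.')}"

# Constructed walk-through: before and after the DHCP scope carries a domain name.
before = build_a_query(qualify("server1"))               # single label on the wire
after = build_a_query(qualify("server1", "domain.com"))  # server1.domain.com on the wire
```

Capturing the UDP/53 traffic the PIX logs as "Built outbound UDP connection" and running parse_qname over the payload is enough to tell the two cases apart without touching the DNS server.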

        • #5
          Re: PIX DNS Problem with HH Devices Only

          Good find, well done! (not meant to be sarcastic).

          Thanks very much for posting back your findings, I'm sure it will help others too.
          cheers
          Andy

          Quis custodiet ipsos custodes?


          • #6
            Re: PIX DNS Problem with HH Devices Only

            Nice catch. Another way around this is to configure the DNS suffix in the PIX. I've had similar problems in the past with multifunction printers unable to resolve the mail server name when doing a network scan.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog
