Re: Can't Resolve from behind firewall
From: Gene <gyoo () attbi com>
Date: Fri, 22 Nov 2002 22:57:12 -0800
I have a similar experience managing multiple 515s, and when my network
engineer wanted to look at the PDM, my first impression, well, I really
didn't have a first impression. I think it's a nice add-on, but one night
when we were working late and checking our infrastructure, we decided to
add some rules using PDM. Needless to say, since my engineer and I like
to use the CLI, we got confused between the ingress/egress and started
seeing the traffic we didn't want plus some other variants... Start
from the basics before using point-and-click; you learn more from the
BTW - We did fix the hole.
John Canty wrote:
Rule number 1 about Cisco devices.
DO NOT USE GUIs provided by them (or anyone else for that matter) to
configure their devices. The CLI mode will be harder, yes, but once you
realize how things are done you'll wish you started out that way.
From: YashPal Singh [mailto:ysingh () quark co in]
Sent: Saturday, October 19, 2002 1:30 AM
To: Ahmed.Shazly; security-basics () securityfocus com
Subject: RE: Can't Resolve from behind firewall
I think you have not allowed DNS incoming traffic. To debug your problem,
allow incoming UDP packets from any to your IP address. I guess this is the
only problem because the DNS reply from your ISP gets blocked by your firewall.
Moreover, to check that this problem is just because of the firewall, put
the rule at the top and then check if you are able to get DNS replies.
From: Ahmed.Shazly [mailto:ahmed.shazly () hotpop com]
Sent: Thursday, October 17, 2002 5:45 AM
To: security-basics () securityfocus com
Subject: Can't Resolve from behind firewall
I just got a PIX 501 for my company and since they have strict
do have to strict usage to port 80, now with the PDM I try permitting
outgoing traffic from my local net on port 80 to any outside port,
permit outgoing traffic on port 53 for the DNS to any port since we use the
DNS server of our ISP. The only thing that happens is that I still can't
resolve websites and they only work if I use their IP addresses. I do
PAT and I'm not sure whether it has anything to do with what's going on
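For reference, here is what the setup described in the original question (HTTP and DNS outbound only, PAT for the LAN) looks like when entered on the CLI that the later replies recommend, together with the checks YashPal's debugging advice is aiming at. This is an added example and not configuration posted by anyone in the thread; it assumes PIX 6.x syntax, a constructed inside network of 192.168.1.0/24, PAT onto the outside interface address, and an access-list name (`inside_out`) chosen for this example.

```cisco
! Added example, not from the thread. Assumes PIX 6.x syntax, a constructed
! inside network 192.168.1.0/24 and PAT on the outside interface address.
! Replace the addresses with your own before using any of this.

! PAT: every inside host is translated to the outside interface address
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Outbound policy: only HTTP and DNS queries may leave the inside network
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq domain
! Explicit final deny so blocked traffic shows up in the hit counters
access-list inside_out deny ip any any

! Direction matters (the ingress/egress confusion Gene describes):
! "in interface inside" means packets ENTERING the PIX from the LAN,
! i.e. traffic on its way out to the ISP.
access-group inside_out in interface inside

! Checks after applying:
! show access-list   -> hitcnt on the "udp ... eq domain" line should climb
!                       while an inside host resolves a name
! show conn          -> one UDP 53 connection entry per outstanding query;
!                       the ISP's reply is matched against that entry, so
!                       no "permit udp any" rule on the outside is needed
```

Because the PIX tracks outbound UDP queries in its connection table, the ISP's replies are admitted by that table rather than by an inbound rule; a broad "allow incoming UDP from any to my address" rule is useful only as a short-lived test and should be removed once the hit counts and `show conn` output confirm which line is actually dropping the traffic.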