Inside/dmz accessing public dns of dmz

[Hagfish]

Hello all, I have a question. I have two mail servers (separate servers) on the dmz network of my pix (30.30.30.x). When one tries to send mail to other, it's getting rejected because the mail server is trying to access the other by it's translated public address 70.x.x.x. I did a little research on this and tried adding "dns" to my static translation lines but unfortunately this did not appear to do anything. The domain for the mailservers is still pointing to the public address. Here are the lines I added/changed. Did I miss something? TIA

static (dmz,outside) 70.x.x.100 mail1 dns netmask 255.255.255.255 0 0
static (dmz,outside) 70.x.x.101 mail2 dns netmask 255.255.255.255 0 0

 

[Hagfish]

Ok, turned on icmp and here are the results of my tracert to the co-lo dns server..

1 <10 ms <10 ms <10 ms 34.x-x-6.reverse.mycolo.com [70.x.x.34]
2 <10 ms <10 ms <10 ms car1-1-v1.dllstx2.mycolo.com [12.x.x.11]
3 <10 ms <10 ms <10 ms ns1.mycolo.com [216.x.x.30]

and to recap, here are my translations with the "dns" switch added

static (dmz,outside) 70.x.x.100 mail1 dns netmask 255.255.255.255 0 0
static (dmz,outside) 70.x.x.101 mail2 dns netmask 255.255.255.255 0 0

When I ping the dns name of my mail server it's still resolving to the public ip instead of it's 30.30.30.x address.. what else can I try?

 

[themut]

Ok I pressume 70.x.x.34 is your default gateway. The packets flow from your mail server to 70.x.x.34 to 12.x.x.11 and from there to the DNS server. Do these packets pass through the PIX on its way towards the DNS server? If so, is this traffic part of a VPN tunnel?

 

[Hagfish]

Well.. what's strange is the default gateway configured on that dmz machine is 30.30.30.1. shouldn't I see packets going through that first before they go to 70.x.x.34?

 

[themut]

Sorry I was solving a problem at work when I replied to your inquiry. If the PIX is your default gateway then it doesn't appear on your trace the next hop will be the first IP address. If a packet goes from the mail server to 70.x.x.34, does it traverses the PIX? Is 70.x.x.34 the default gateway configured on the PIX?

 

[themut]

Is 30.30.30.1 an interface on the PIX?

 

[Hagfish]

Yeah, it's the IP of the dmz interface

 

[themut]

How about 70.x.x.34? Is that the default gateway configured on the PIX? If not, is it a device conected to another interface on the PIX?

 

[Hagfish]

The gateway to the outside configured on the pix is 70.x.x.33 not 70.x.x.34. but 70.x.x.34 is what shows up as the first step of that traceroute above.. odd

 

[Hagfish]

Well.. I fixed the problem, but not necessarily how I wanted. I went into both of the dmz mail servers and added a line in each of their hosts file to point to each other and bypass dns.. This works for the time being and allows them to send mail to each other, but I would still really like to know why adding the "dns" to my translations didn't solve the issue. I'd still be up the creek if I needed all of my inside/dmz machines to resolve the domain names to the internal addresses and I'd have to go edit hosts files on way too many machines..