new DNS server behind two PIXes

Below are two (edited) running PIX configs - a main and a branch office. I've been asked to create a new secondary DNS server for the branch on its local LAN. The primary DNS server is sitting on a Windows 2003 server on the main office's LAN. I feel this is mostly politics and not driven by bandwidth issues - but in any event, does anyone see likely problems here? Is there anything about these PIX configs that should get in the way of DNS records being moved from one DNS server to another?

//main office
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
fixup protocol dns maximum-length 1024
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list acl-outside permit icmp any any
access-list acl-outside permit tcp any host xxx.xxx.xxx.211 eq smtp
access-list acl-outside permit tcp any host xxx.xxx.xxx.211 eq pop3
access-list acl-outside permit tcp any host xxx.xxx.xxx.211 eq www
access-list acl-outside permit tcp any host xxx.xxx.xxx.212 eq ftp-data
access-list acl-outside permit tcp any host xxx.xxx.xxx.212 eq ftp
access-list acl-outside permit tcp any host xxx.xxx.1
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside xxx.xxx.xxx.210 255.255.255.240
ip address inside 10.0.1.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pool 192.168.111.1-192.168.111.250
global (DMZ) 1 192.168.10.254
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 192.168.10.0 255.255.255.0 0 0
static (inside,outside) xxx.xxx.xxx.211 10.0.1.99 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.213 10.0.1.213 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.212 10.0.1.96 netmask 255.255.255.255 0 0
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set myset1
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 ma
isakmp enable outside
isakmp key ******** address xxx.xx.xxx.50 netmask 255.255.255.255 no-xauth
isakmp policy 10 auth
isakmp policy 10 has
console timeout 0

barret bonden
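One way to answer the "will the PIX get in the way" question before touching the DNS servers is to evaluate the relevant access-list lines against the flows a secondary needs (UDP/53 for queries and NOTIFY, TCP/53 for zone transfers). The evaluator below is an added example, not code from the post; it assumes the branch LAN is the 10.0.0.0/24 network named in ACL 100/101, uses the 203.0.113.x documentation range in place of the masked xxx.xxx.xxx addresses, and re-types only three ACL lines from the post as a constructed sample.

```python
import ipaddress

# Constructed sample: two interesting-traffic / nat 0 lines and one outside ACL
# line from the post, with 203.0.113.211 standing in for xxx.xxx.xxx.211.
SAMPLE_ACL = """
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list acl-outside permit tcp any host 203.0.113.211 eq smtp
"""

# PIX port keywords that appear in the post plus the one DNS uses.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}


def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]  # dotted mask form


def parse_acl(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport_or_None), ...]} in order."""
    rules = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = None
        if len(rest) >= 2 and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.setdefault(name, []).append((action, proto, src, dst, port))
    return rules


def permits(rules, name, proto, src, dst, dport):
    """First-match evaluation; a PIX ACL ends in an implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules.get(name, []):
        if rproto != "ip" and rproto != proto:
            continue
        if ipaddress.ip_address(src) not in rsrc or ipaddress.ip_address(dst) not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action == "permit"
    return False


def dns_flows(rules, name, primary, secondary):
    """Check the two DNS flows between the servers against one ACL, primary-side perspective."""
    return {p: permits(rules, name, p, primary, secondary, 53) for p in ("udp", "tcp")}
```

ACL 100/101 are written from the main LAN's side (source 10.0.1.0/24), so the branch PIX needs the mirror-image lines for the same flows to match there. The `fixup protocol dns maximum-length 1024` line applies to UDP DNS only; AXFR runs over TCP/53 and is not subject to that limit.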
