In article , snipped-for-privacy@gmail.com wrote:
:I am not a real Cisco guy and the person I use says that what I want to :do is not possible.
Some of your wording is a bit ambiguous; under one interpretation they are wrong, and under another they are correct.
:All the servers have static nats from the outside to the inside over :specific ports.
:Host1.contoso.com 66.121.13.151 nat => 192.168.1.1 port 80, 443, 3389 :etc.
:My DNS server is inside the firewall host1.contoso.com
:When a user attempts to connect to Host1.contoso.com from the outside :world they get an ip address of 66.121.13.151 and can connect to the :server/service
:When a user from inside the firewall attempts to :http:\\\\host1.contoso.com they get the ip address of 66.121.13.151 and :cannot connect to the host.
:I want to be able to have users connect to host1.contoso.com from :inside or outside the Firewall using the same DNS sever or the same IP :address 66.121.13.151.
The ambiguity is in that sentence. If you mean by it, "I want people to connect either way, and I only want to use one DNS server, but I don't care exactly how it gets arranged" then it can be done. If, though, you mean, "I want people to connect either way, and I only want to use one DNS server, and it is important that people on the inside be able to connect using the outside IP addresses", then you cannot do it without additional equipment.
If you don't really care about the IPs as long as the hostnames get you to the right place, then the way to work it is this:
1) To each 'static' line, add the keyword 'dns'
2) Now, edit your DNS server so that it stores the *internal* IP addresses, not the -external- IP addresses.
Once those two steps are done and the DNS server process has been restarted, connecting by hostname will work for both sides.
The internal users will connect directly to your internal DNS server and will get the internal IP addresses returned to them, so they will be able to connect directly without touching the PIX.
The external users will query your DNS server, and that query will go through the PIX, and when the reply comes back from your internal server, the PIX will notice the 'dns' keyword on the 'static' commands and the PIX will rewrite the DNS reply as it goes out so that the -external- IPs go out in place of the internal IPs.
Note: I haven't tried it, so I don't know if this works if you are using just port-by-port statics: it works if you static the entire IP (don't worry, the PIX will only allow new connections in if they are permitted by your outside ACL, so static'ing the entire IP is nearly as secure as going port-by-port.)
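What the PIX does with the 'dns' keyword, as an added illustration that is not PIX code and not from anyone in the thread: a small Python simulation that walks a DNS reply and rewrites A-record answers using the inside-to-outside map from the 'static' lines, using the 192.168.1.1 / 66.121.13.151 addresses quoted above and a hand-built reply packet.

```python
# Added illustration (not PIX code): simulate the DNS-reply rewrite a PIX does
# for a 'static ... dns' entry. Inside host 192.168.1.1 is published as
# 66.121.13.151 (addresses from the thread); the reply packet is constructed.
import struct
import socket

STATIC_MAP = {"192.168.1.1": "66.121.13.151"}  # inside -> outside, one per 'static' line

def _skip_name(pkt, off):
    """Return the offset just past a DNS name at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length

def doctor_dns_reply(pkt, static_map):
    """Rewrite A-record rdata in the answer section per static_map; all other bytes untouched."""
    out = bytearray(pkt)
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12                             # fixed 12-byte DNS header
    for _ in range(qdcount):             # skip each question: name + qtype + qclass
        off = _skip_name(pkt, off) + 4
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            inside = socket.inet_ntoa(pkt[off:off + 4])
            if inside in static_map:                     # only mapped inside IPs change
                out[off:off + 4] = socket.inet_aton(static_map[inside])
        off += rdlen
    return bytes(out)

def build_reply(name, ip):
    """Constructed minimal DNS response: one question, one A answer (name via pointer to offset 12)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer

def answered_ip(pkt):
    """Extract the A-record address from the single-answer replies built above."""
    return socket.inet_ntoa(pkt[-4:])
```

Calling `answered_ip(doctor_dns_reply(build_reply("host1.contoso.com", "192.168.1.1"), STATIC_MAP))` gives the outside address an external querier would see, while an inside client that never crosses the PIX keeps the 192.168.1.1 answer.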