Loss of outside dns after static command

First day with my new PIX 501.....

I am trying to create a rule that will simply allow HTTP (port 80) to enter my inside network and reach a web server (192.168.169.15). To do this I think I need to add the commands:

static (inside,outside) x.x.x.x 192.168.169.15
access-list outside_in permit tcp any x.x.x.x eq 80
access-group outside_in in interface x.x.x.x in

The problem I get is that when I add the first line (static (inside,outside) x.x.x.x 192.168.169.15) I lose access to the DNS servers that I connect to on the outside. I prove this using the nslookup command on my PC: it works before this command is run, then fails after the command.

Advice?? I am using PIX version 6.3(5), PDM version 3.0(4).

my Config

Result of firewall command: "show running-config"

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname myPix
domain-name domain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.169.0 WiredSubnet
name 192.168.169.14 esgDB01
access-list inside_access_in permit icmp any any traceroute
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip WiredSubnet 255.255.255.0 x.x.x.x 255.255.252.0
access-list inside_outbound_nat0_acl permit ip any 192.168.169.160 255.255.255.224
access-list outside_cryptomap_20 permit ip WiredSubnet 255.255.255.0 x.x.x.x 255.255.252.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.252.0
ip address inside 192.168.169.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.169.160-192.168.169.180
pdm location 192.168.169.160 255.255.255.224 outside
pdm location esgDB01 255.255.255.255 inside
pdm location 192.168.169.15 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:10:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:00:00 absolute uauth 0:10:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host esgDB01 myKeyHere timeout 5
aaa-server LOCAL protocol local
http server enable
http WiredSubnet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
vpdn group PPTP-VPDN-GROUP client configuration dns esgDB01 192.168.169.15
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn username 604Jamie password *********
vpdn enable outside
vpdn enable inside
dhcpd auto_config outside
dhcprelay server esgDB01 inside
dhcprelay server 192.168.169.15 inside
terminal width 80
Jamie Mcc

Since you have global as interface, you need the interface in your static and ACL as well, unless you have a dedicated IP range on the outside and your reference to x.x.x.x is one of these free IPs.

HTH Martin

Martin Bilgrav

You lost me here. I am new to the PIX and not even sure where the Global setting was made.

Am I better off changing my global setting (I assume this: global (outside) 1 x.x.x.x), or am I better to adjust/add the static and ACL (not sure what)?

BTW, x.x.x.x is a single IP address; that is all we have on the outside.

Thanks,

Jamie

Jamie Mcc

OK, if you only have this single IP address on the Net, then you need to change your static statement, e.g.:

static (inside,outside) tcp interface 80 1.2.3.4 80 netmask 255.255.255.255

and add this to your ACL:

access-list outside_in permit tcp any interface outside eq 80

And of course you need to delete the old entries first.

HTH Martin

Martin Bilgrav
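As an added illustration (not from the thread, and not Cisco documentation), here is the complete PIX 6.3 sequence that Martin's answer describes, written against the names from Jamie's own post: the one-to-one static from the first post is removed, and a port-redirect static on the interface address takes its place. The point is that x.x.x.x is the only outside address and is already the PAT address for `global (outside) 1 interface`, which every outbound connection from the inside (the DNS lookups included) is translated to; a static that maps the whole address to 192.168.169.15 takes it away from that PAT, while a `tcp interface 80` static borrows only port 80 of it. x.x.x.x stands for the single outside address exactly as in the thread, 192.168.169.15 is the web server from the original post, and the `clear xlate` and `show` lines at the end are my own assumed verification steps, not something the thread mentions.

```cisco
: Broken form from the original post: a one-to-one static that claims the
: whole outside address x.x.x.x. The same address is the PAT address used by
: "global (outside) 1 interface", so outbound translations (the DNS queries
: to the outside DNS servers) break as soon as this line is entered.
:   static (inside,outside) x.x.x.x 192.168.169.15

: Corrected form. First remove the one-to-one static, as the thread says to
: delete the old entries before adding the new ones.
no static (inside,outside) x.x.x.x 192.168.169.15

: Redirect only TCP port 80 on the interface address to the web server.
: The "interface" keyword ties the static to the outside address without
: removing that address from the PAT global, so outbound DNS keeps working.
static (inside,outside) tcp interface 80 192.168.169.15 80 netmask 255.255.255.255

: Permit inbound HTTP to the interface address, and bind the ACL to the
: outside interface by name (the original post bound it to an IP address,
: which is not how access-group works).
access-list outside_in permit tcp any interface outside eq 80
access-group outside_in in interface outside

: Assumed verification (not in the thread): drop stale translations, then
: confirm the port-redirect static and the PAT xlates coexist.
clear xlate
show static
show xlate
```

Only port 80 of the single address is exposed by this configuration; everything else arriving on the outside interface still hits the ACL's implicit deny once `access-group outside_in in interface outside` is in place.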
