new DNS server behind two pix's

Below are two (edited) running PIX configs - a main and a branch office. I've been asked to create a new secondary DNS server for the branch on its local LAN. The primary DNS server is sitting on a Windows 2003 server on the main office's LAN. I feel this is mostly politics and not driven by bandwidth issues - but in any event, does anyone see likely problems here? Is there anything about these PIX configs that should get in the way of DNS records being moved from one DNS server to another?

// main office
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

fixup protocol dns maximum-length 1024
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip
access-list 101 permit ip
access-list 101 permit ip
permit tcp a
access-list acl-outside permit icmp any any
access-list acl-outside permit tcp any host eq smtp
access-list acl-outside permit tcp any host eq pop3
access-list acl-outside permit tcp any host eq www
access-list acl-outside permit tcp any host eq ftp-data
access-list acl-outside permit tcp any host eq ftp
access-list acl-outside permit tcp any host
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside
ip address inside
ip address DMZ 255.255.255.
ip audit info action alarm
ip audit attack action alarm
ip local pool pool
global (DMZ) 1
nat (inside) 0 access-list 101
nat (inside) 1 0 0
nat (DMZ) 1 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set myset1
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
isakmp enable outside
isakmp key ******** address netmask no-xauth
isakmp nat-traversal 20
isakmp policy 10 auth
vpngroup vpn3000 split-tunnel
console timeout 0

(The branch office config did not survive in the post as captured.)

barret bonden
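An added check, written here for this thread and not taken from the post or from Cisco, that pulls out the lines of a PIX 6.x config which decide whether a branch secondary can talk to the inside primary: the DNS fixup length (assumed, as on PIX 6.x, to apply to UDP DNS only, so TCP zone transfers are not truncated by it), any interface ACL entry that opens port 53, and whether `sysopt connection permit-ipsec` lets traffic matched by the crypto-map ACL skip the interface ACL altogether. The sample config is constructed from the recoverable main-office lines above, with the addresses the poster edited out replaced by documentation-range placeholders.

```python
import re
from typing import Dict

# Constructed sample: recoverable main-office lines, placeholder addresses.
SAMPLE_CONFIG = """\
fixup protocol dns maximum-length 1024
access-list acl-outside permit icmp any any
access-list acl-outside permit tcp any host 203.0.113.10 eq smtp
access-list acl-outside permit tcp any host 203.0.113.10 eq www
access-list 100 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
sysopt connection permit-ipsec
crypto map mymap 10 match address 100
"""


def check_dns_path(config: str) -> Dict[str, object]:
    """Collect the config facts that decide whether DNS traffic (udp/53
    lookups, tcp/53 zone transfers) from a remote site reaches an inside host."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    fixup = None
    for ln in lines:
        m = re.match(r"fixup protocol dns maximum-length (\d+)$", ln)
        if m:
            fixup = int(m.group(1))  # assumed to cap UDP DNS packets only
    # Interface ACL entries that explicitly open port 53 (named or numeric).
    acl_dns = [ln for ln in lines
               if re.match(r"access-list \S+ permit (tcp|udp) .*eq (domain|53)$", ln)]
    # With this sysopt, decrypted IPsec traffic is not checked against the ACL.
    bypass = "sysopt connection permit-ipsec" in lines
    # ACLs named by crypto maps define the 'interesting traffic' sent in the tunnel.
    crypto_acls = re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
    tunnel = [ln for ln in lines
              if any(ln.startswith(f"access-list {name} permit ") for name in crypto_acls)]
    return {"dns_fixup_max_length": fixup, "acl_opens_dns": acl_dns,
            "ipsec_bypasses_acl": bypass, "tunnel_traffic": tunnel}


def zone_transfer_path(report: Dict[str, object]) -> str:
    """'tunnel' when IPsec traffic skips the interface ACL and a crypto ACL
    defines it, 'acl' when port 53 is opened explicitly, else 'blocked'
    (the implicit deny on the outside interface applies)."""
    if report["ipsec_bypasses_acl"] and report["tunnel_traffic"]:
        return "tunnel"
    if report["acl_opens_dns"]:
        return "acl"
    return "blocked"


if __name__ == "__main__":
    r = check_dns_path(SAMPLE_CONFIG)
    print(r, zone_transfer_path(r))
```

Run it against the real main and branch configs in turn; if both report "tunnel", only the crypto-map ACLs on each side need to cover the two DNS servers.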