Pix 520 Help

I have a pix 520 running 4.2(2)

Below is my configuration. The first 3 octets of the outside IPs have been changed to 0.1.2.

Problem:

When accessing [link] from a NAT'ed workstation on the inside of the PIX, the web browser gets its DNS from the primary DNS server, which returns the real (outside) IP address. This never works. My temporary solution was to build an internal DNS server that resolves to the inside IPs, allowing me to get to our hosted websites, mail, etc.

Is there another way to do this without relying on a separate internal DNS server? Maybe a static (outside,inside) directive? Or something else?

Any help would be appreciated.

: Saved
: PIX Version 4.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol http 80
fixup protocol http 443
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
no names
no pager
no logging console
no logging monitor
no logging buffered
logging trap notifications
logging facility 17
logging host inside 192.168.168.19
interface ethernet0 auto
interface ethernet1 auto
ip address outside 0.1.2.221 255.255.255.240
ip address inside 192.168.168.1 255.255.255.0
arp timeout 14400
global (outside) 1 0.1.2.220-0.1.2.220 netmask 255.0.0.0
nat (inside) 1 192.168.168.0 255.255.255.0 0 0
static (inside,outside) 0.1.2.209 192.168.168.10 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.210 192.168.168.11 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.211 192.168.168.16 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.212 192.168.168.19 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.213 192.168.168.14 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.214 192.168.168.15 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.215 192.168.168.17 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.217 192.168.168.60 netmask 255.255.255.255 0 0
static (inside,outside) 0.1.2.216 192.168.168.51 netmask 255.255.255.255 0 0
conduit permit tcp host 0.1.2.209 eq domain any
conduit permit udp host 0.1.2.209 eq domain any
conduit permit tcp host 0.1.2.209 eq www any
conduit permit tcp host 0.1.2.209 eq 443 any
conduit permit tcp host 0.1.2.209 eq 8081 any
conduit permit tcp host 0.1.2.209 eq 8444 any
conduit permit tcp host 0.1.2.210 eq ident any
conduit permit tcp host 0.1.2.210 eq 1080 any
conduit permit tcp host 0.1.2.210 eq 6014 any
conduit permit tcp host 0.1.2.210 range 6660 6670 any
conduit permit tcp host 0.1.2.210 eq 1024 any
conduit permit tcp host 0.1.2.210 eq 7000 any
conduit permit tcp host 0.1.2.210 eq 7443 any
conduit permit tcp host 0.1.2.210 eq 6443 any
conduit permit tcp host 0.1.2.210 eq domain any
conduit permit udp host 0.1.2.210 eq domain any
conduit permit tcp host 0.1.2.210 eq www any
conduit permit tcp host 0.1.2.211 eq smtp any
conduit permit tcp host 0.1.2.211 eq www any
conduit permit tcp host 0.1.2.211 eq pop3 any
conduit permit tcp host 0.1.2.211 eq ident any
conduit permit tcp host 0.1.2.211 eq 443 any
conduit permit tcp host 0.1.2.211 eq 587 any
conduit permit udp host 0.1.2.211 eq 6277 any
conduit permit tcp host 0.1.2.213 eq 8767 any
conduit permit udp host 0.1.2.213 eq 8767 any
conduit permit tcp host 0.1.2.213 eq 51234 any
conduit permit udp host 0.1.2.213 eq 51234 any
conduit permit tcp host 0.1.2.215 eq 6014 any
conduit permit tcp host 0.1.2.215 range 6660 6670 any
conduit permit tcp host 0.1.2.215 eq 1024 any
conduit permit tcp host 0.1.2.215 eq 7000 any
conduit permit tcp host 0.1.2.215 eq 7443 any
conduit permit tcp host 0.1.2.215 eq 6443 any
conduit permit icmp any any echo-reply
conduit permit tcp host 0.1.2.211 eq nntp any
conduit permit udp host 0.1.2.211 eq ntp any
conduit permit tcp host 0.1.2.209 eq ftp any
conduit permit tcp host 0.1.2.209 eq ftp-data any
conduit permit tcp host 0.1.2.212 eq 22 any
conduit permit udp host 0.1.2.214 eq 27960 any
conduit permit tcp any eq 1723 host 209.234.162.131
conduit permit gre any host 209.234.162.131
conduit permit icmp any any time-exceeded
conduit permit icmp any any unreachable
route outside 0.0.0.0 0.0.0.0 0.1.2.222 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
snmp-server host inside 192.168.168.19
telnet 192.168.168.0 255.255.255.0
mtu outside 1500
mtu inside 1500
Smallest mtu: 1500
floodguard 1
tcpchecksum verbose

Reply to
Dan Sjolseth

Permit the external DNS server IP address on your PIX firewall. Why are you still using 4.2? Upgrade it, man :)

Reply to
rockk

If his 520 only has the 2MB flash card, he could at least be running 5.1(5), but even it's almost five years old now.

-Gary

Reply to
Gary

Sounds like you want the 'alias' command: [link]

Reply to
Walter Roberson

The OP might not be aware of Cisco's offer of a free software upgrade to at least 4.4(5): [link]

As there were later security vulnerabilities, it might be possible to go further than that. [link] has the various notices that could be examined.

On the other hand, 5.2(9) is the oldest PIX version that Cisco has immediately ready for download [with appropriate account]: [link]

It has been known in the past that Cisco's TAC has been unable to provide a software version more than a trickle earlier than the downloadable versions. The OP might have a right [granted by Cisco] to an upgrade, but might not be able to obtain the software.

Still, I am puzzled as to why a company could have a PIX for so long and not know about fundamental commands such as 'alias'. It suggests to me that perhaps the equipment was obtained used (perhaps free) by someone who did not know what they were getting in to?

Reply to
Walter Roberson

They're no longer linked on their website but you can log in via FTP to ftp-sj.cisco.com using your CCO user/pwd. Most of their old IOS and PIX images are archived there. I've tracked down some 5.1(X) files for the handful of 2MB cards that I've built FrankenPIXes out of for my lab.

Unfortunately, there are a pile of these selling on eBay along with old Nokia/Checkpoint and Juniper NetScreen boxes. Some of it's commodity hardware that can easily be upgraded to something more useful but the majority have some component with a closed architecture and support from the original vendor has been end of lifed for several years.

-Gary

Reply to
Gary

I see that their archive subdirectory for PIX goes back to pix441.bin. As far as I recall, it didn't get back that far when I last looked.

Interesting, the ftp site is very sparse on 6.2, having only 6.2(1), 6.2(2) and 6.2(4). And the only 6.3 it has is 6.3(5). Harder to get the recent stuff than some of the old stuff ;-)

Reply to
Walter Roberson

Hi Walter, it seems you're the expert here.

Is this possible to implement?

PC/VPN client---------Internet-------T1DSL/Static Pub IP/NAT-----IOS FW/VPN/NAT.

from DSL modem to Cisco 3825 IOS FW/VPN is private ip with NAT and from cisco 3825 to LAN users is also NATed/FW.

I knew I can do a VPN setup from the Cisco 3825 if it has a static public IP address, but it uses a private IP address from the DSL/T1, which is also running NAT, and the DSL/T1 modem is the one with the static public IP address.

Technically, is this possible? I will need to set up a VPN connection from a home PC/VPN client to access the Cisco 3825 network/servers.

your input is greatly appreciated :)

Thank you. Rocky

Reply to
rockk

It's possibly due to the source code leak of 6.3.1 back in Nov '04: [link]

It's alleged that this is why the 7.X code base was written from scratch and not based on Finesse.

-Gary

Reply to
Gary

I have owned this box since it was made. I.e. a very long time. In fact, I picked it up fresh off the assembly line. ;)

The alias command will not work, as my DNS servers are ON the internal network. Interception of DNS queries via the alias command only works when the queries are coming from the outside. At least it's that way in the IOS version.

Reply to
Dan Sjolseth

The PIX alias command also applies to external DNS queries resolved by an internal DNS server.

But I think you'd better re-state your question. Your original posting indicated that your DNS server is outside and that your work-around was to put one up inside which you would like to get rid of; but your current posting indicates that your desired DNS server is inside?

Reply to
Walter Roberson

Assume [link] has a public IP address of xxx.yyy.zzz.37, our internal IP address for it is aaa.bbb.ccc.7, and we are using a PIX 520. If we PING [link] internally, the name resolves to the external IP address, and the site cannot be reached. If we try browsing to the site using IE, the site cannot be found.

Hence the need for the internal DNS server.

Reply to
Dan Sjolseth

