Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
400
Views
5
Helpful
4
Replies

Outlook-->Exchange connectivity on the inside w/Pix 515

jshaflucas
Level 1
Level 1

‎02-17-2004 08:34 AM - edited ‎02-20-2020 11:14 PM

Hi all,

I finally set up our pix 515 and re IPed our network. We have an Exchange Server (5.5) running on a NT 4.0 PDC. It HAD a public IP address 209.71.x.x. Now it has a private 192.168.1.x address. Accessing the mail server from the outside through the firewall works great. There is a translation from 209.71.x.x to the 192.168.1.x, and I added some static ports to make it work (I know it isn't the best securitywise, but it works for now)

The problem is, the internal clients that are on the same subnet as the mail server (192.168.1.x subnet) are having a hard time opening up their mail using Outlook 97. It hangs for about a minute and finally opens, where it use to just pop open when they use to be on the old 209.71.x.x subnet with the mail server.

When I ping the e-mail server's fqdn or computer name from the internal clients, it tries to resolve the name to the old 209.71.x.x address.

I don't have an internal DNS server or hosts files on the clients, but I am running a WINS server.

I think I have narrowed the problem down to a name resolution problem, but how can I tell the internal client PC's that the mail server is now at 192.168.1.x

TIA.

0 Helpful
4 Replies 4

peangvall
Level 1
Level 1

‎02-17-2004 09:15 AM

You can tell the PIX to change the DNS lookup to the internal IP. Add these to your PIX config (change the x's to your IPs):

alias (inside) 192.168.1.x 209.71.x.x 255.255.255.255

sysopt noproxyarp inside

Then do a "clear xlate". What will happen is that when the PIX sees a dns reply with the 209.71 address, it will change it to the 192.168.1 address. Once you do a "clear xlate", you should be able to test it by pinging the fqdn and see if you get the 192.168.1 address. Note that you may also have to clear the dns cache on your pc (ipconfig /flushdns).

jshaflucas
Level 1
Level 1
In response to peangvall

‎02-17-2004 12:09 PM

That did the trick!

Thank you very much !!!

0 Helpful

jdepies
Level 1
Level 1
In response to jshaflucas

‎02-18-2004 08:29 AM

I have a question which I think is along the same lines.

I do not have any alias commands on my Pix 515 running 6.3.1.

These are the current sysopt settings:

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

no sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt connection permit-l2tp

no sysopt ipsec pl-compatible

when I nslookup to an outside DNS server from a PC inside the firewall, I get a response from the outside DNS server for an internal IP of my mail server, even though external DNS should be resolving to the external IP of the server.

When I NSLOOKUP from a pc on the internet to the same DNS server and ask for the same A record, it returns the correct External IP.

I am not sure if the sysopt command is the direction I should be looking to solve this problem, but I thought I would ask for some advice.

Its hard to troubleshoot my external DNS settings when the pix keeps translating the IP.

Thanks for any help

Jeff

0 Helpful

jdepies
Level 1
Level 1
In response to jdepies

‎02-19-2004 10:38 AM

Anybody have any ideas?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card