10-26-2001 02:57 AM - edited 02-20-2020 09:52 PM
Dear All,
Pix software version 5.3.2
Pix 520, Four interfaces
INTERNET--Connected to Global Internet only, ISP 193.108.210.1
OUTSIDE--Connected to second ISP 193.173.249.65, from outside to our Web server on the DMZ
INSIDE--Users 10.8.0.0, Intranet Server 10.1.0.96,
Proxy 10.8.0.3
DMZ--Web server, 10.9.0.9 (193.173.249.68)
DNS on outside with ISP.
The config is working, except my inside users cannot open our www server. Web services are no problem from outside to DMZ. Can anyone help me with the alias command? I tried alias (inside) 193.173.249.68 10.9.0.9 255.255.255.255 and had no luck.
Can some expert help me to solve this problem? Did I miss something?
I posted the configuration below.
All help is appreciated. Thanks,
Hendrik de Klerk
nameif token-ring0 outside security0
nameif token-ring1 inside security100
nameif ethernet0 internet security10
nameif ethernet1 DMZ security15
nameif ethernet2 DMZ-nieuw security20
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
access-list 101 permit tcp any host 193.173.249.76 eq www
access-list 101 permit tcp any host 193.173.249.76 eq 443
access-list 101 permit tcp any host 193.173.249.68 eq www
access-list 101 permit tcp any host 193.173.249.68 eq 443
access-list 101 permit tcp any host 193.173.249.69 eq smtp
access-list 101 permit tcp any host 193.173.249.81 eq www
access-list 101 permit tcp any host 193.173.249.81 eq 443
access-list 101 permit tcp any host 193.173.249.90 eq www
access-list 101 permit tcp any host 193.173.249.90 eq 443
access-list 103 permit tcp any host 10.9.0.98 eq smtp
access-list 103 permit udp host 10.9.0.7 any
access-list 103 permit tcp host 10.9.0.7 any
access-list 103 permit ip host 10.1.0.96 host 10.9.0.9
access-list 103 permit ip host 10.9.0.9 host 10.1.0.96
access-list 103 permit ip host 10.1.0.98 host 10.9.0.7
access-list 103 permit ip host 10.9.0.7 host 10.1.0.98
ip address outside 193.173.249.67 255.255.255.192
ip address inside 10.8.0.2 255.255.0.0
ip address internet 193.108.210.2 255.255.255.0
ip address DMZ 10.9.0.1 255.255.0.0
global (outside) 1 193.173.249.71-193.173.249.75
global (internet) 3 193.108.210.71-193.108.210.75
global (DMZ) 2 10.9.254.1-10.9.255.254
nat (inside) 3 10.8.0.3 255.255.255.255 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 193.173.249.76 10.9.0.10 netmask 255.255.255.255 0 0
static (DMZ,outside) 193.173.249.68 10.9.0.9 netmask 255.255.255.255 0 0
static (DMZ,outside) 193.173.249.69 10.9.0.7 netmask 255.255.255.255 0 0
static (DMZ,outside) 193.173.249.81 10.9.0.81 netmask 255.255.255.255 0 0
static (DMZ,outside) 193.173.249.90 10.9.0.80 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ) 10.9.0.98 10.1.0.98 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 103 in interface DMZ
route outside 0.0.0.0 0.0.0.0 193.173.249.65 1
route inside 10.1.0.0 255.255.0.0 10.8.0.1 1
route inside 10.4.0.0 255.255.0.0 10.8.0.1 1
route inside 10.7.0.0 255.255.0.0 10.8.0.1 1
route inside 10.32.0.0 255.255.0.0 10.8.0.1 1
route inside 10.35.0.0 255.255.0.0 10.8.0.1 1
route inside 10.51.0.0 255.255.0.0 10.8.0.1 1
route inside 10.101.0.0 255.255.0.0 10.8.0.1 1
10-26-2001 06:41 AM
Hello,
Could you try a test?
If you place a client on the 10.1.0.0 subnet without proxy settings, can they access the web server? Or you could try adding the command static (inside,DMZ) 10.8.0.0 10.8.0.0 netmask 255.255.0.0 0 0, disabling proxy settings on one client, and seeing if they can access it; then try with proxy settings.
Let me know the outcome. Jon.Mcglashan@dsnuk.com
10-27-2001 11:48 AM
The alias command is the way to go, but we have had some problems with alias in version 5.3 - either go down to 5.2 or up to 6.x and try it with the alias command. It should work then.