09-19-2001 06:25 AM - edited 02-20-2020 09:49 PM
Here is my situation. My LAN users must enter either my Web server name or internal IP address to get to our Web site. The CEO wants to be able to type in the URL (company.com) to get to the site. I have our LAN protected from the outside world with a PIX 515 using NAT, which is not allowing LAN users to type in the URL & go out the PIX & make a U-turn and come back in again. I believe I need a DNS entry on the LAN DNS database, but I'm not familiar enough with DNS to get it to work. Has anybody had experience with this or have any ideas on how I can accomplish this to satisfy my boss?
09-19-2001 10:42 AM
You're right, you can set up an internal DNS server with the users pointing to that DNS server which has the webserver mapped to its internal IP address. Outside users will rely on their external DNS to get to your site. DHCP from Windows NT/2000 works great for configuring the DNS of your internal clients.
09-19-2001 11:24 AM
Another solution is to use the alias command on the PIX. In simple terms it is a DNS entry on the PIX for your web server. The only problem is if you are running the PDM on your PIX, the alias command is not supported and will disable all the screens except for Monitoring in the PDM. If you are not running the PDM then you are OK.
http://www.cisco.com/warp/public/110/alias.html
Hope this helps. I believe it is a much simpler solution.
Bob Staaf
Southern Web Services
Orlando, Fl
09-25-2001 10:28 AM
It is not good practice to resolve IP addresses in your private network via a public DNS server. You should definitely include an address on an internal DNS box. I have internal users look up an internal DNS server and then it queries externally if there is no record. You can use an A record that makes sense to you, then a CNAME record for whatever the boss wants.
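
Added example, not code from any poster in this thread: a small offline check of the split DNS layout the replies describe, confirming that the internal view answers with a private address (following any CNAME) and that the public view exposes no RFC 1918 address. The record format, host names such as `web01`, and all addresses are constructed placeholders.

```python
import ipaddress
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed records ("name TYPE value"); hosts and addresses are placeholders.
INTERNAL_VIEW = """
web01.company.com.  A      192.168.1.10
company.com.        A      192.168.1.10   ; apex needs an A record, not a CNAME
www.company.com.    CNAME  web01.company.com.
"""
PUBLIC_VIEW = """
company.com.        A      203.0.113.10
www.company.com.    CNAME  company.com.
"""

def parse_zone(text):
    # Map each owner name to (type, value); ';' starts a comment.
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 3:
            name, rtype, value = fields
            records[name.lower().rstrip(".")] = (rtype.upper(), value.lower().rstrip("."))
    return records

def resolve(records, name, max_hops=8):
    # Follow CNAMEs to an A record; None if the name is absent or the chain loops.
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        rtype, value = records.get(name, (None, None))
        if rtype == "A":
            return ipaddress.ip_address(value)
        if rtype != "CNAME":
            return None
        name = value
    return None

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def audit(internal, public, names):
    # Flag names the internal view cannot answer privately or the public view leaks.
    findings = []
    for name in names:
        inside, outside = resolve(internal, name), resolve(public, name)
        if inside is None:
            findings.append(f"{name}: no internal record, query is forwarded")
        elif not is_rfc1918(inside):
            findings.append(f"{name}: internal view returns public {inside}")
        if outside is not None and is_rfc1918(outside):
            findings.append(f"{name}: public view leaks private {outside}")
    return findings
```

An empty list from `audit(parse_zone(INTERNAL_VIEW), parse_zone(PUBLIC_VIEW), [...])` means both views are consistent with the layout described in the thread.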