Problems to access DNS services from a DMZ using PIX 515 UR.

sguerrero
Level 1

I have a configuration using a private VPN.

I have a PIX 515 firewall whose outside interface is connected to the VPN in order to offer connectivity to the rest of the world. The inside interface connects to a back-end Exchange server and the DMZ connects to a front-end Exchange server.

I am using a DNS server on the outside for the Exchange server on the inside and it works OK, but I want to use the same DNS to serve the front-end Exchange server and it is not working.

Here I have the addresses and statics, and some of the access-lists involved (not all of them). I just want to know if the problem is with the static mapping (if I am missing something, please let me know). The DNS server has the IP address 192.168.212.6.

ip address outside 192.168.212.29 255.255.255.224
ip address inside 192.168.100.29 255.255.255.224
ip address DMZ 192.168.209.94 255.255.255.224

static (inside,outside) 192.168.212.8 192.168.100.8 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.209.68 192.168.100.8 netmask 255.255.255.255 0 0
static (DMZ,inside) 192.168.100.15 192.168.209.65 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.212.15 192.168.209.65 netmask 255.255.255.255 0 0

access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-dmz in interface DMZ

These access-lists are summarized, only to validate the source and destination of the communication.

access-list acl-in permit tcp host 192.168.100.8 host 192.168.212.6
access-list acl-in permit udp host 192.168.100.8 host 192.168.212.6
access-list acl-dmz permit tcp host 192.168.209.65 host 192.168.212.6
access-list acl-dmz permit udp host 192.168.209.65 host 192.168.212.6
access-list acl-out permit tcp host 192.168.212.6 host 192.168.212.15
access-list acl-out permit udp host 192.168.212.6 host 192.168.212.15
access-list acl-out permit tcp host 192.168.212.6 host 192.168.212.8
access-list acl-out permit udp host 192.168.212.6 host 192.168.212.8
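A small policy check written for this thread (an added example, not code from the post or from Cisco): it parses the static and access-list lines quoted above, with the abbreviated ACEs completed using the `host` keyword, and reports whether a DMZ host's DNS query can leave the outside interface. Once the firewall side checks out, the search can move on to host routing, which is what the reply below found.

```python
import ipaddress
from collections import defaultdict

# Constructed from the PIX configuration quoted in the question.
PIX_CONFIG = """
static (inside,outside) 192.168.212.8 192.168.100.8 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.209.68 192.168.100.8 netmask 255.255.255.255 0 0
static (DMZ,inside) 192.168.100.15 192.168.209.65 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.212.15 192.168.209.65 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-dmz in interface DMZ
access-list acl-in permit udp host 192.168.100.8 host 192.168.212.6
access-list acl-dmz permit udp host 192.168.209.65 host 192.168.212.6
access-list acl-dmz permit tcp host 192.168.209.65 host 192.168.212.6
"""

def parse_pix(text):
    """Collect statics (real_if, mapped_if, mapped, real), interface->ACL, ACL->ACEs."""
    statics, groups, acls = [], {}, defaultdict(list)
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            statics.append((real_if, mapped_if, tok[2], tok[3]))
        elif tok[0] == "access-group":
            groups[tok[4]] = tok[1]          # interface name -> ACL applied inbound
        elif tok[0] == "access-list":
            acls[tok[1]].append(tok[2:])     # action proto src... dst...
    return statics, groups, acls

def _addr(tok, i):
    """Read one PIX address spec ('any', 'host X', or 'X mask') starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def acl_permits(aces, proto, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:                         # first match wins
        s, i = _addr(ace, 2)
        d, _ = _addr(ace, i)
        if ace[1] in (proto, "ip") and src in s and dst in d:
            return ace[0] == "permit"
    return False                             # implicit deny at the end of a PIX ACL

def outbound_flow(cfg, in_if, out_if, proto, src, dst):
    """Explain whether a flow entering in_if can leave the PIX on out_if."""
    statics, groups, acls = cfg
    mapped = next((m for r, mi, m, real in statics
                   if r == in_if and mi == out_if and real == src), None)
    if mapped is None:
        return f"blocked: no static translation for {src} on {out_if}"
    if in_if in groups and not acl_permits(acls[groups[in_if]], proto, src, dst):
        return f"blocked: {groups[in_if]} denies {proto} {src} -> {dst}"
    return f"permitted: {src} leaves {out_if} as {mapped}"

CFG = parse_pix(PIX_CONFIG)
```

If the check reports `permitted` for the front-end server and queries still fail, the firewall is not the place to keep looking; the reply in this thread points at the server's own routing.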

2 Replies

umedryk
Level 5

As far as I can see, your static mapping looks good; the issue is not with the static mapping.

Yes, actually the problem was that in the front-end servers I am using two Ethernet cards, one goes to another firewall and the other goes to this DMZ, so I had to use specific routes in these hosts to reach the outside DNS services instead of using a default gateway.

Thanks.
