access web server from inside

igorb1978
Level 1

Hi, I have a 2611XM router; behind it I have a PIX 515E, and after that my corporate network. Our web server is plugged into the DMZ zone on the PIX firewall. Internet users can access our web server, but employees can't access the web server with www.mywebsite.com. They have to type the private IP address in their browser: http://192.168.6.6. I would like employees to reach the web server the way Internet users do, I mean they could use www.mywebsite.com and get the main page. Thanks a lot for your feedback.

Thomas.

5 Replies

Patrick Iseli
Level 7

Use a static with the DNS statement.

example:

static (inside,dmz) Web-Public-IP Web-DMZ-IP netmask 255.255.255.255 dns

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd696df

Sincerely,

Patrick

Hello,

It does not work!!!!

Web server on the DMZ, its IP address: 192.168.2.X

Static address translation to: 192.168.3.250

After the Cisco 2611 router: public IP address 209.21.105.250. The router translates from the public IP to 192.168.3.250. The PIX translates from 3.250 to 192.168.2.X.

Do I have to change something on my web server or my own DNS server or.....

Thanks.

When the users are on a different interface of the PIX than the web server is, the correct solution is to use "outside" nat rather than the "dns" fixup on the existing "static" statement. For example, if your existing static command for the web server looks like this:

static (dmz,outside) 192.128.3.250 192.168.2.x

Then just add another static that looks like this:

static (dmz,inside) 192.128.3.250 192.168.2.x

The only difference between the two commands is the specification of the interfaces. Note that this will prevent access to the web server by its actual private address - everyone will have to use the DNS name or the public address.

I hope this helps.

I am having a similar problem. I have a very simple network setup: Internet -> Cisco 675 -> PIX 501 -> LAN. I have a computer on the LAN which is a mail and web server. I have the PIX configured to allow outside traffic to the web/mail server. Also, right now our DNS points to 207.x.x.89 (I haven't had the nerve to change it yet), but the PIX outside interface is 207.x.x.90. Right now someone from outside can access the mail/web server using 207.x.x.90. However, the real problem I am having is that I cannot get to the web/mail server from the inside using its 207.x.x.90 address. Obviously I cannot use the DNS names because they are still pointed at the .89 address. The web server is not in a DMZ (at least I don't think it is), as all of my static commands say (inside,outside).

Here are my questions:

1. Does the web/mail server need to be in a DMZ? If so how?

2. Can I use the "outside nat" in my current config even without a DMZ? what would that look like?

Here is an edited output of sh run:

: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any interface outside eq smtp
access-list 101 permit tcp any interface outside eq pop3
pager lines 24
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 207.x.x.90 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 207.x.x.91-207.x.x.93 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.0.0.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.100 pop3 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.x.x.89 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.99 inside
dhcpd dns x.x.x.x x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxx
: end

1. Since the 501 only supports 2 interfaces, you don't really have any DMZ options without making some hardware changes.

2. "Outside nat" won't help you. If you want to access an inside host using its public address, you have to use DNS so that the PIX can translate the DNS replies. Your best solution is to go ahead and get your DNS information updated so that it refers to the new address. Then you can use the "dns" keyword on the "static" command so that your inside hosts will use the local address for your server instead of its public address.

Good luck!
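To make concrete what the "dns" keyword on "static" actually does to a DNS reply, and why (as the earlier reply notes) a static between dmz and outside does nothing for a reply that is headed to inside, here is a small Python model of the rewrite. This is an added example, not code from the thread or from Cisco. The Static class, the matching rule (a reply is rewritten only when the static's two interfaces are the ones the reply enters on and leaves by, which is how the feature is documented to behave; treated as an assumption here), the name www.example.com, and the addresses 203.0.113.90 and 192.168.2.10 are constructed placeholders; 10.0.0.100 is the server address from the posted config, and 203.0.113.90 stands in for the redacted 207.x.x.90.

```python
"""Model of PIX 'static ... dns' DNS rewriting (added example, not Cisco code)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Static:
    """One 'static (local_if,global_if) global_ip local_ip [dns]' entry (hypothetical model)."""
    local_if: str      # higher-security interface where the real host lives
    global_if: str     # lower-security interface where the mapped address is seen
    global_ip: str
    local_ip: str
    dns: bool = False  # the 'dns' keyword: rewrite A records that carry global_ip


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_reply(name: str, ips, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed DNS response: one A question and one A answer per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL, RDLENGTH 4
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answers


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def a_records(pkt: bytes):
    """Yield (rdata_offset, ip_string) for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, str(IPv4Address(pkt[off:off + 4]))
        off += rdlen


def doctor_reply(pkt: bytes, statics, in_if: str, out_if: str) -> bytes:
    """Rewrite A records as 'static ... dns' would for a reply entering on in_if and leaving on out_if.

    Assumed rule: only a static whose global interface is in_if and whose local
    interface is out_if applies; the packet length never changes (A rdata is 4 bytes).
    """
    out = bytearray(pkt)
    for static in statics:
        if not static.dns or static.global_if != in_if or static.local_if != out_if:
            continue
        for off, ip in a_records(pkt):
            if ip == static.global_ip:
                out[off:off + 4] = IPv4Address(static.local_ip).packed
    return bytes(out)


def demo():
    """Two-interface case from the last post: inside client resolves the server's public name."""
    public_ip = "203.0.113.90"          # constructed placeholder for the redacted 207.x.x.90
    statics = [Static("inside", "outside", public_ip, "10.0.0.100", dns=True)]
    reply = build_a_reply("www.example.com", [public_ip])   # constructed reply from a public DNS server
    fixed = doctor_reply(reply, statics, in_if="outside", out_if="inside")
    return [ip for _, ip in a_records(fixed)]


if __name__ == "__main__":
    print(demo())   # the inside host now receives the local address 10.0.0.100
```

Running demo() shows the inside host receiving 10.0.0.100 in place of the public address, which is the whole point of the keyword: the client connects directly to the local address and no hairpin through the outside interface is needed. Feeding the same reply to a client on inside with only a (dmz,outside) static leaves the answer untouched, which is the situation the second reply in the thread addresses with an additional (dmz,inside) static.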