232 Views | 0 Helpful | 1 Reply

PIX515E & Cisco 2621 Router inside Windows DC working

armandoferreira
Level 1

Need help with the following:

My config is as follows:

One Host with Win2K3 DC behind Cisco router 2621 with address 10.2.1.1 (domain: secure.mycompany.com)

One Host with Win2K DC in inside PIX with address 10.1.1.2 (domain: mycompany.com)

-----------------------2621Router-----------------PIX515E-----

Win2k3Host.............................Win2KHost

I need sub domain secure.mycompany.com to be a child domain of mycompany.com

Is this possible? How?

PIX515E w/DMZ

-------------

Outside network 1.1.1.0/24

Outside interface 1.1.1.2

DMZ network 192.168.1.0/24

DMZ interface 192.168.1.1

Inside network 10.1.1.0/24 (Non-Protected from 2621 point-of-view)

Inside interface 10.1.1.1

Cisco Router 2621

-----------------

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname firewall
!
memory-size iomem 15
ip subnet-zero
no ip source-route
!
ip inspect name rule1 smtp
ip inspect name rule1 tcp
ip inspect name rule1 udp
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
 description Protected Side
 ip address 10.2.1.254 255.255.255.0
 ip access-group 101 out
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed 100
 no cdp enable
!
interface FastEthernet0/1
 description Non-Protected Side
 ip address 10.1.1.250 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 ip inspect rule1 out
 duplex auto
 speed 100
 no cdp enable
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
no ip http server
!
access-list 100 permit ip host 10.2.1.1 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any gt 1024
access-list 101 permit tcp host 10.2.1.1 host 10.1.1.2
access-list 101 permit tcp host 10.1.1.250 any
access-list 101 permit udp host 10.1.1.250 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
no cdp run
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

1 Reply

ehirsel
Level 6

Yes, it is possible to do what you want. In addition to coding the proper DNS entries in both DC hosts (one set of DNS records in the parent domain pointing to the child, and one set of records in the child pointing to the parent), you will need to create a one-to-one NAT statement on the 2621, or have the 10.1.1/24 network see the 10.2.1.1 host as it is (that is, do not NAT that DC). This is because, with the parent delegating to the child, the hosts on 10.1.1/24 will need to send DNS queries to the 10.2.1.1 host.

Also, how you add the DNS records depends upon whether or not you NAT.

Since the 2621 has an interface on the 10.1.1/24 network, it may be easier to code a static NAT on the 2621 to a 10.1.1.x address that is not the interface address but an unused one on that subnet, and to configure the 2621 to respond to proxy ARP for that address.

After you do that, make an adjustment to ACL 100 on the 2621 to deny traffic from 10.2.1.1 and to permit traffic from other hosts (since the static NAT will already be set up).

Let me know if this helps.
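The steps in the reply above, written out as IOS configuration for the 2621. This is an added example, not configuration from either poster, and it was not tested against this network. It assumes that 10.1.1.3 is an unused address on the Non-Protected subnet (any free address other than 10.1.1.250 and 10.1.1.2 would serve) and that the child DC at 10.2.1.1 is the only protected host that needs a fixed address reachable from 10.1.1.0/24.

```cisco
! Added example, not from the original thread. Assumption: 10.1.1.3 is an
! unused address on 10.1.1.0/24 (FastEthernet0/1's subnet).
!
! 1. One-to-one translation for the child DC. IOS installs an alias for the
!    inside-global address and answers ARP for 10.1.1.3 on FastEthernet0/1
!    as long as proxy ARP is still enabled on that interface (it is by
!    default; check with "show ip interface FastEthernet0/1").
ip nat inside source static 10.2.1.1 10.1.1.3
!
! 2. Rebuild ACL 100 (the source list of the overload NAT): exclude the DC so
!    only the static entry applies to it, and let the rest of 10.2.1.0/24
!    use the interface-overload translation instead of leaving untranslated.
no access-list 100
access-list 100 deny   ip host 10.2.1.1 any
access-list 100 permit ip 10.2.1.0 0.0.0.255 any
!
! 3. ACL 101 is applied outbound on FastEthernet0/0 and is evaluated after
!    the outside-to-inside NAT step, so it must match the DC's real address,
!    not 10.1.1.3. Only DNS is opened, which is what the parent-to-child
!    delegation needs; everything else from 10.1.1.0/24 stays blocked unless
!    it is return traffic already covered by the original config.
access-list 101 permit udp 10.1.1.0 0.0.0.255 host 10.2.1.1 eq domain
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.2.1.1 eq domain
!
! From privileged EXEC after the change:
!   clear ip nat translation *    (drop entries built under the old ACL 100)
!   show ip nat translations      (expect a static 10.2.1.1 <-> 10.1.1.3 row)
!   show access-lists 101         (hit counts on the two DNS lines should
!                                  rise once inside hosts start querying)
```

With this in place, the delegation in the parent zone (mycompany.com on 10.1.1.2) should point at the translated address: an NS record for secure.mycompany.com naming the child DC, plus a glue A record for that name carrying 10.1.1.3, since that is the only address hosts on 10.1.1.0/24 can reach. The child's DNS server in turn needs a forwarder or equivalent records pointing back to 10.1.1.2. Anything beyond DNS that the parent DC itself initiates toward the child DC would need further permits in ACL 101; the thread does not cover those, and the two lines above deliberately open nothing more.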