11-08-2004 02:07 PM - edited 03-09-2019 09:23 AM
Need help with the following:
My config is as follows:
One host with Win2K3 DC behind Cisco router 2621 with address 10.2.1.1 (domain: secure.mycompany.com)
One host with Win2K DC inside the PIX with address 10.1.1.2 (domain: mycompany.com)
-----------------------2621Router-----------------PIX515E-----
Win2k3Host.............................Win2KHost
I need sub domain secure.mycompany.com to be a child domain of mycompany.com
Is this possible? How?
PIX515E w/DMZ
-------------
Outside network 1.1.1.0/24
Outside interface 1.1.1.2
DMZ network 192.168.1.0/24
DMZ interface 192.168.1.1
Inside network 10.1.1.0/24 (Non-Protected from 2621 point-of-view)
Inside interface 10.1.1.1
Cisco Router 2621
-----------------
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname firewall
!
!
!
!
!
!
memory-size iomem 15
ip subnet-zero
no ip source-route
!
ip inspect name rule1 smtp
ip inspect name rule1 tcp
ip inspect name rule1 udp
ip audit notify log
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
description Protected Side
ip address 10.2.1.254 255.255.255.0
ip access-group 101 out
no ip directed-broadcast
ip nat inside
duplex auto
speed 100
no cdp enable
!
interface FastEthernet0/1
description Non-Protected Side
ip address 10.1.1.250 255.255.255.0
no ip directed-broadcast
ip nat outside
ip inspect rule1 out
duplex auto
speed 100
no cdp enable
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
no ip http server
!
access-list 100 permit ip host 10.2.1.1 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any gt 1024
access-list 101 permit tcp host 10.2.1.1 host 10.1.1.2
access-list 101 permit tcp host 10.1.1.250 any
access-list 101 permit udp host 10.1.1.250 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
no cdp run
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
login
!
end
11-08-2004 07:49 PM
Yes, it is possible to do what you want. In addition to coding the proper DNS entries in both DC hosts (one set of DNS records in the parent domain pointing to the child, and one set of records in the child pointing to the parent), you will need to create a one-to-one NAT statement on the 2621, or have the 10.1.1/24 network see the 10.2.1.1 host as it is (that is, do not NAT that DC). This is because with the parent delegating to the child, the hosts on 10.1.1/24 will need to send DNS queries to the 10.2.1.1 host.
Also, how you add the dns records depends upon whether or not you NAT.
Since the 2621 has an interface on the 10.1.1/24 network it may be easier to code a static NAT on the 2621 to a 10.1.1.x address that is not the interface address but an unused one on that subnet, and to configure the 2621 to respond to proxy ARP for that address.
After you do that, make an adjustment to the acl 100 on the 2621 to deny traffic from 10.2.1.1 and to permit traffic from other hosts (since there will be the static nat already setup).
Let me know if this helps.
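A concrete version of the steps in the reply above, as an added example that is not from the original thread. It assumes 10.1.1.3 is a free address on the 10.1.1.0/24 network chosen as the static NAT address, and that the other protected hosts keep using the existing overload NAT.

```cisco
! Added example, not the thread's own config. Assumes 10.1.1.3 is an unused
! address on the 10.1.1.0/24 inside network, chosen as the static NAT address.
!
! 1. One-to-one NAT for the child DC. IOS installs an ARP alias for the
!    global address by default, so the 2621 answers ARP for 10.1.1.3 on
!    FastEthernet0/1 without a separate proxy-ARP entry.
ip nat inside source static 10.2.1.1 10.1.1.3
!
! 2. Rebuild ACL 100 (the overload NAT list): exclude the DC, which now has
!    its own static translation, and let the other protected hosts overload.
!    Numbered ACLs cannot be edited in place, so remove and re-enter it.
no access-list 100
access-list 100 deny ip host 10.2.1.1 any
access-list 100 permit ip 10.2.1.0 0.0.0.255 any
!
! 3. ACL 101 is applied outbound on FastEthernet0/0, after the reverse
!    translation, so it matches on the real DC address 10.2.1.1. New lines
!    on a numbered ACL are appended; the existing list ends with no explicit
!    deny, so these simply extend it.
!    DNS from the inside network (parent delegation -> child DC):
access-list 101 permit udp 10.1.1.0 0.0.0.255 host 10.2.1.1 eq domain
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.2.1.1 eq domain
!    Parent DC to child DC (AD trust and replication; the page lists no
!    port set, so this permits the DC pair host-to-host; narrow it to
!    explicit ports if your policy requires it):
access-list 101 permit ip host 10.1.1.2 host 10.2.1.1
!
! 4. DNS side (on the DCs, not the router): the delegation for
!    secure.mycompany.com in the parent zone needs an NS record plus a glue
!    A record for the child DC pointing at 10.1.1.3, the address the
!    10.1.1/24 hosts can actually reach, not 10.2.1.1. The child zone's
!    records for the parent point at 10.1.1.2 unchanged.
!
! Verify:
!   show ip nat translations   -> static entry 10.2.1.1 <-> 10.1.1.3
!   show access-lists 100      -> deny for 10.2.1.1 listed first
```

The ip inspect rule already on FastEthernet0/1 opens return paths for sessions the child DC initiates toward 10.1.1/24, so the ACL 101 entries above only need to cover sessions initiated from the 10.1.1/24 side.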