PIX can't host WEB, DNS and Mail off same interface?

Unanswered Question
Feb 13th, 2007

Hello all. I am totally blown away. I have a PIX515 and a Cisco tech support person says I cannot host my own DNS, WEB and mail servers off the same inside or DMZ interface and have the LAN users access these via their public DNS hostnames? Original issue was I had to replace a PoS Linksys (which BTW works!) that was locking up at random times. I first replaced with a brand new Linksys and 5 days later same lockups on new unit. Latest code Blah, blah blah... Random lockups. I then proceeded to purchase the $600 PIX 501 and just do a basic replacement of the Linksys and all should have been well. Right? After 3 hours I get on the horn with Cisco and they say it can't be done with a 501 in this configuration (DNS, WEB and MAIL on inside same interface). So Cisco says need another box, so my question to them was if I get a box with DMZ will that work, and I thought I understood their answer was yes. I had a PIX 515 and proceeded to config. Same Damn problem!!!! End user on inside cannot access web site on DMZ via the public DNS name http://www.company.com! (WEB, DNS and mail on DMZ subnet). What a Joke!!! I guess it is time to buy a NetScreen since the PIX is a Joke.

I can do this with a $99 dollar Linksys!!! I have a public IP on outside and unique private space on DMZ and inside. I am of course doing nat to RFC 1918 space. Can someone please explain to me why this is not an option? Cisco!!!! It's not that tough! Can't you get this right?

Gerard Roy Tue, 02/13/2007 - 14:21

Yah - I already had this but it would still work. Is there any truth to the statement that the 3 servers cannot be on the same subnet off the same interface?

static (DMZ,OUTSIDE) tcp 66.153.116.90 www 192.168.2.3 www netmask 255.255.255.255 dns
static (DMZ,OUTSIDE) tcp 66.153.116.90 88 192.168.2.3 88 netmask 255.255.255.255 dns
static (DMZ,OUTSIDE) tcp 66.153.116.90 8181 192.168.2.2 8181 netmask 255.255.255.255 dns
static (DMZ,OUTSIDE) tcp 66.153.116.90 8383 192.168.2.2 8383 netmask 255.255.255.255 dns
static (DMZ,OUTSIDE) tcp 66.153.116.90 pop3 192.168.2.2 pop3 netmask 255.255.255.255 dns
static (DMZ,OUTSIDE) tcp 66.153.116.90 smtp 192.168.2.2 smtp netmask 255.255.255.255 dns
static (DMZ,OUTSIDE) tcp 66.153.116.90 imap4 192.168.2.2 imap4 netmask 255.255.255.255 dns
static (DMZ,OUTSIDE) tcp 66.153.116.90 8385 192.168.2.2 8385 netmask 255.255.255.255 dns
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 dns

acomiskey Tue, 02/13/2007 - 14:38

Pulled this line out of doc above.

Note: DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.

I was going to recommend the "alias" command as well, but you will find the same problem with your static PATs. It might be time to look at alternatives: more public IP addresses, an inside DNS server, or editing HOSTS files on inside PCs. Hopefully someone else can offer another solution.

As far as why Cisco says it won't work at all... I don't understand that. This should work if you were doing NAT. For example

static (DMZ,OUTSIDE) 66.153.116.90 192.168.2.2 netmask 255.255.255.255 dns
static (DMZ,OUTSIDE) 66.153.116.91 192.168.2.3 netmask 255.255.255.255 dns

etc.
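To make the quoted note concrete, here is an added example (not code from the thread or from Cisco) that models PIX DNS doctoring on an A-record reply: with 1:1 static NAT the global address maps to exactly one DMZ host, so the reply can be rewritten, while with the static PATs posted above the same global address maps to two hosts and there is nothing in an A record to pick between them. The matching logic is a simplified assumption about the behaviour, not the PIX implementation; addresses and ports are the ones in the thread.

```python
# Added example: simplified model of PIX DNS doctoring (the "dns" keyword on a
# static). The rule-selection logic is an assumption, not PIX code; the
# addresses and ports are taken from the statics posted in this thread.
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "imap4": 143}


@dataclass(frozen=True)
class Static:
    global_ip: str
    local_ip: str
    port: Optional[int] = None  # None = 1:1 static NAT, otherwise static PAT


def parse_static(line: str) -> Static:
    """Parse the two static forms used in the thread:
    static (X,Y) tcp <global> <gport> <local> <lport> netmask ... dns
    static (X,Y) <global> <local> netmask ... dns"""
    tok = line.split()
    if tok[2] in ("tcp", "udp"):
        port = PORT_NAMES.get(tok[4]) or int(tok[4])
        return Static(tok[3], tok[5], port)
    return Static(tok[2], tok[3])


def doctor_a_record(answer_ip: str, statics: List[Static]) -> Optional[str]:
    """Rewrite the address in a DNS A-record answer as doctoring would.
    An A record carries no port, so only the global address can be matched.
    Returns the local address, the answer unchanged when no static applies,
    or None when several locals share one global (ambiguous under static PAT)."""
    locals_for_ip = {s.local_ip for s in statics if s.global_ip == answer_ip}
    if not locals_for_ip:
        return answer_ip
    if len(locals_for_ip) == 1:
        return locals_for_ip.pop()
    return None


# Constructed from the thread's statics: PAT spreads one global across two hosts.
PAT_RULES = [parse_static(l) for l in [
    "static (DMZ,OUTSIDE) tcp 66.153.116.90 www 192.168.2.3 www netmask 255.255.255.255 dns",
    "static (DMZ,OUTSIDE) tcp 66.153.116.90 smtp 192.168.2.2 smtp netmask 255.255.255.255 dns",
]]
# The 1:1 alternative suggested above: one public address per DMZ host.
NAT_RULES = [parse_static(l) for l in [
    "static (DMZ,OUTSIDE) 66.153.116.90 192.168.2.2 netmask 255.255.255.255 dns",
    "static (DMZ,OUTSIDE) 66.153.116.91 192.168.2.3 netmask 255.255.255.255 dns",
]]
```

`doctor_a_record("66.153.116.90", PAT_RULES)` returns None (ambiguous) while the same lookup against NAT_RULES returns 192.168.2.2; the split-DNS fix mentioned later in the thread sidesteps the rewrite entirely because inside clients never receive the public address.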

daviddtran Wed, 02/14/2007 - 05:30

If you need a serious firewall, go with Checkpoint. When it comes to security, Cisco is a joke. Even my Linux firewall (iptables) can do this in a heartbeat. You just wasted a few thousand dollars for a firewall that can not do what it is supposed to do.

I feel your pain

Well, with your 99 dollar Linksys you never had an actual DMZ. Yes, you can have WEB, External DNS, and mail server on your DMZ segment. I would take a guess that your problem is that you use company.com as the domain internally ... thus you are not able to resolve. If you put an A record in your internal DNS for www and pointed it to the Web server's internal address on the DMZ you would be in business.
