PIX 515E NAT issue for DNS


I have a PIX 515E (6.3). We have a proxy in the LAN which is behind the PIX. For users to access the internet, it should be only via the proxy. So we have done NAT'ing on the PIX for the proxy, and only the proxy IP address is allowed to access the internet. Config is as follows:

access-list FOR_PROXY permit tcp host 172.18.1.38 any eq https
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq www
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq domain
access-list FOR_PROXY permit udp host 172.18.1.38 any eq domain
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq ftp-data
access-list FOR_PROXY permit tcp host 172.18.1.38 any eq ftp

nat (inside) 1 access-list FOR_PROXY 0 0

The issue is that sometimes users are not able to access the internet via URL. I mean internet sites would open by IP address but not by DNS name.

If I do 'clear xlate', then for a few minutes it seems to be fine, but this issue happens continuously, randomly 3-4 times a week, and sometimes even clearing the NAT entries won't help and I have no choice but to reboot the PIX.

Interestingly, when the issue occurs only DNS is not working. Can anybody guide me how to fix this, or is it a bug in the 6.3 PIX OS? Is it related to the embryonic connections value? Please help me.

Daniel Voicu Mon, 08/11/2008 - 01:23

When the problem is experienced by users, does DNS work on the proxy?

Check this to isolate if this is a PIX or a proxy issue.


I presume the hosts get DNS from the proxy.


Regards,

Daniel
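A way to run the check suggested above, as an added example that is not part of the original thread: a small DNS client that sends the same A query once over UDP and once over TCP (both of which the FOR_PROXY access list permits) so that, run on the proxy host against the ISP resolver, it shows which transport fails when the symptom appears. The resolver address and hostname are command-line arguments; the sample response used in testing is constructed.

```python
import secrets
import socket
import struct

def build_query(name, qid):  # minimal DNS A query: RD=1, one question, no other sections
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, pos):
    # Advance past a domain name, which may end in a two-byte compression pointer.
    while data[pos] and data[pos] & 0xC0 != 0xC0:
        pos += data[pos] + 1
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)

def parse_answers(data, qid):
    # Return (rcode, [A-record IPs]); reject anything that is not a reply to our id.
    rid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    if rid != qid or not flags & 0x8000 or qd != 1:
        raise ValueError("not a response to our query")
    pos = _skip_name(data, 12) + 4  # past the single question (name, QTYPE, QCLASS)
    ips = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return flags & 0x000F, ips

def query(server, name, proto="udp", timeout=3.0):
    # One lookup over the chosen transport; OSError on timeout or refused connection.
    qid = secrets.randbelow(65536)
    q = build_query(name, qid)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data = s.recvfrom(4096)[0]
    else:  # DNS over TCP: message is prefixed with a two-byte length
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            f = s.makefile("rb")
            data = f.read(struct.unpack("!H", f.read(2))[0])
    return parse_answers(data, qid)

if __name__ == "__main__":  # usage: dnscheck.py <resolver-ip> <hostname>, run on the proxy host
    import sys
    for proto in ("udp", "tcp"):
        print(proto, query(sys.argv[1], sys.argv[2], proto))
```

If UDP times out while TCP answers (or the reverse), the fault is in the path through the PIX for that transport; if both answer from the proxy while clients still fail, look at the proxy rather than the firewall.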

Farrukh Haroon Mon, 08/11/2008 - 02:04

Have you changed the embryonic value from the default (as you suspect this as a problem)? Also, what version are you running specifically? 6.3.5?


Regards


Farrukh

Farrukh Haroon Mon, 08/11/2008 - 05:08

In PIX 6.x you can do this at the end of static or nat commands. But there is very little chance that this is causing any issues; the default is good enough!


I would recommend upgrading your PIX to the latest version in your train, 6.3(X).


Regards


Farrukh

Farrukh Haroon Mon, 08/18/2008 - 10:38

Since what you are trying to do is something pretty basic, I suggested the OS upgrade. These kinds of things should work on the firewall straight away; if they don't, it's usually a bug. (Especially since the DNS server belongs to the ISP, so not much help there.)


What stops you from the software upgrade?


Regards


Farrukh

cisco24x7 Mon, 08/18/2008 - 11:33

How can you determine that an upgrade will fix the issue?

There are policies in an enterprise environment that will not allow an upgrade unless the code is tested for that particular environment and it is stable.

What happens if the issue still persists after the upgrade? Another upgrade?

cisco24x7 Mon, 08/18/2008 - 12:36

Be careful when you upgrade with 7.x code. These are E.D. code, so use them at your own risk.

One time I upgraded from version 7.2 to 7.2.2(22), and after the upgrade "show run + q" rebooted a production box.

I am very skeptical every time an upgrade is mentioned.

Only you know your environment better than everyone else.

Farrukh Haroon Mon, 08/18/2008 - 20:30

I agree with that, David. I just meant an upgrade to the latest release in that major train, e.g. 6.3(5).


Regards


Farrukh