PIX 520 and 6.2(2) - Weird problems

Aug 29th, 2002

First, I would like to know whether anyone has been using 6.2(2) in production?

I have a simple setup with a PIX 520 and 6.2(2). There is one HTTP Proxy server behind the firewall. All users hit the HTTP Proxy, which in turn goes out through the PIX. The Proxy is natted on the PIX.

Something like this:

nat (inside) 1 ip_of_the_proxy 0 0

global (outside) 1 ip_from_global_pool

Now the ISP has two DNS servers. Let's say A & B. After some time of functioning, users can't get URLs resolved. For example, a request for www.download.com returns with a search page from search.msn.com.

When the preference for DNS servers is reversed, say from A & B to B & A, it starts working again.

I changed the nat statement to:

nat (inside) 1 ip_add_of_proxy dns 0 0

Still watching for trouble.

Any clues on what could be the problem? What's the difference between:

nat (inside) 1 IP mask 0 0


nat (inside) 1 IP mask dns 0 0




The dns option on the nat statement means that if the resolved address is found in your xlate, the firewall will translate it to the local address, i.e. if the server is on your own network its local address will be used.

Are you sure the DNS server is up? Is it responding to ping? Use NSLOOKUP or a DNS client (such as DynyDNS; www.dynu.com) to query the DNS server. Ask someone else outside your network (and firewall) to query the same DNS servers to see if they get a reply. If they get a reply, use the debug functions in your PIX to pinpoint the problem.

-- Rubio

PS. The web server doesn't return the MSN search page. IE displays it automatically if no server is found (Gee, thanks Bill...).
