×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Outlook-->Exchange connectivity on the inside w/Pix 515

Unanswered Question
Feb 17th, 2004
User Badges:

Hi all,


I finally set up our pix 515 and re IPed our network. We have an Exchange Server (5.5) running on a NT 4.0 PDC. It HAD a public IP address 209.71.x.x. Now it has a private 192.168.1.x address. Accessing the mail server from the outside through the firewall works great. There is a translation from 209.71.x.x to the 192.168.1.x, and I added some static ports to make it work (I know it isn't the best securitywise, but it works for now)


The problem is, the internal clients that are on the same subnet as the mail server (192.168.1.x subnet) are having a hard time opening up their mail using Outlook 97. It hangs for about a minute and finally opens, where it use to just pop open when they use to be on the old 209.71.x.x subnet with the mail server.


When I ping the e-mail server's fqdn or computer name from the internal clients, it tries to resolve the name to the old 209.71.x.x address.


I don't have an internal DNS server or hosts files on the clients, but I am running a WINS server.


I think I have narrowed the problem down to a name resolution problem, but how can I tell the internal client PC's that the mail server is now at 192.168.1.x


TIA.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
peangvall Tue, 02/17/2004 - 09:15
User Badges:

You can tell the PIX to change the DNS lookup to the internal IP. Add these to your PIX config (change the x's to your IPs):


alias (inside) 192.168.1.x 209.71.x.x 255.255.255.255

sysopt noproxyarp inside


Then do a "clear xlate". What will happen is that when the PIX sees a dns reply with the 209.71 address, it will change it to the 192.168.1 address. Once you do a "clear xlate", you should be able to test it by pinging the fqdn and see if you get the 192.168.1 address. Note that you may also have to clear the dns cache on your pc (ipconfig /flushdns).


jdepies Wed, 02/18/2004 - 08:29
User Badges:

I have a question which I think is along the same lines.


I do not have any alias commands on my Pix 515 running 6.3.1.


These are the current sysopt settings:


no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

no sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt connection permit-l2tp

no sysopt ipsec pl-compatible


when I nslookup to an outside DNS server from a PC inside the firewall, I get a response from the outside DNS server for an internal IP of my mail server, even though external DNS should be resolving to the external IP of the server.


When I NSLOOKUP from a pc on the internet to the same DNS server and ask for the same A record, it returns the correct External IP.


I am not sure if the sysopt command is the direction I should be looking to solve this problem, but I thought I would ask for some advice.


Its hard to troubleshoot my external DNS settings when the pix keeps translating the IP.



Thanks for any help



Jeff

Actions

This Discussion