Cisco Support Community

New Member

PIX can't host WEB, DNS and Mail off same interface?

Hello all. I am totally blown away. I have a PIX515 and Cisco tech support person says I cannot host my own DNS, WEB and mail servers off the same inside or DMZ interface and have the LAN users access these via their public DNS hostnames? Original issue was I had to replace a PoS Linksys (which BTW works!) that was locking up at random times. I first replaced with a brand new Linksys and 5 days later same lockups on new unit. Latest code Blah, blah blah... Random lockups. I then proceeded to purchase the $600 PIX 501 and just do a basic replacement of the Linksys and all should have been well. Right? After 3 hours I get on the horn with Cisco and they say it can't be done with a 501 in this configuration (DNS, WEB and MAIL on inside same interface). So Cisco says need another box so my question to them was if I get a box with DMZ will that work and I thought I understood their answer was yes. I had a PIX 515 and proceeded to config. Same Damn problem!!!! End user on inside cannot access web site on DMZ via the public DNS name! (WEB, DNS and mail on DMZ subnet). What a Joke!!! I guess it is time to buy a NetScreen since the PIX is a Joke.

I can do this with a $99 dollar Linksys!!! I have a public IP on outside and unique private space on DMZ and inside. I am of course doing NAT to RFC 1918 space. Can someone please explain to me why this is not an option? Cisco!!!! It's not that tough! Can't you get this right?


Re: PIX can't host WEB, DNS and Mail off same interface?

New Member

Re: PIX can't host WEB, DNS and Mail off same interface?

Yah - I already had this but it would still work. Is there any truth to the statement that the 3 servers cannot be on the same subnet off the same interface?

static (DMZ,OUTSIDE) tcp www www netmask dns
static (DMZ,OUTSIDE) tcp 88 88 netmask dns
static (DMZ,OUTSIDE) tcp 8181 8181 netmask dns
static (DMZ,OUTSIDE) tcp 8383 8383 netmask dns
static (DMZ,OUTSIDE) tcp pop3 pop3 netmask dns
static (DMZ,OUTSIDE) tcp smtp smtp netmask dns
static (DMZ,OUTSIDE) tcp imap4 imap4 netmask dns
static (DMZ,OUTSIDE) tcp 8385 8385 netmask dns
static (inside,DMZ) netmask dns


Re: PIX can't host WEB, DNS and Mail off same interface?

Pulled this line out of doc above.

Note: DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.

I was going to recommend the "alias" command as well, but you will find the same problem with your static PATs. It might be time to look at alternatives: more public IP addresses, an inside DNS server, or editing HOSTS files on inside PCs. Hopefully someone else can offer another solution.

As far as why Cisco says it won't work at all... I don't understand that. This should work if you were doing NAT. For example:

static (DMZ,OUTSIDE) netmask dns
static (DMZ,OUTSIDE) netmask dns


New Member

Re: PIX can't host WEB, DNS and Mail off same interface?

If you need a serious firewall, go with Checkpoint. When it comes to security, Cisco is a joke. Even my Linux firewall (iptables) can do this in a heartbeat. You just wasted a few thousand dollars for a firewall that cannot do what it is supposed to do.

I feel your pain

New Member

Re: PIX can't host WEB, DNS and Mail off same interface?

Well, with your 99 dollar Linksys you never had an actual DMZ. Yes, you can have WEB, external DNS, and mail server on your DMZ segment. I would take a guess that your problem is that you use as the domain internally ... thus you are not able to resolve. If you put an A record in your internal DNS for www and pointed it to the Web server's internal address on the DMZ, you would be in business.
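To make the two replies above concrete (the Cisco note that DNS rewrite cannot work with static PAT, and the internal A-record workaround in the last post), here is a small model written as an added example for this thread. It is not Cisco code and does not reproduce the PIX implementation; it only models the decision the dns keyword has to make. All addresses, hostnames and rules are constructed sample values (RFC 5737 documentation space for the public side, RFC 1918 for the DMZ).

```python
"""
Constructed model of the PIX 'dns' keyword (DNS rewrite / DNS doctoring)
decision.  Added illustration only: not Cisco's code, not the PIX
implementation.  Every address, hostname and rule below is a sample value.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Union


@dataclass(frozen=True)
class StaticNat:
    """One-to-one static translation: one public address <-> one DMZ address."""
    mapped_ip: str   # public address that appears in the external A record
    real_ip: str     # DMZ address the inside client should actually reach


@dataclass(frozen=True)
class StaticPat:
    """Static port translation: one public ip:port -> one DMZ ip:port."""
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


Rule = Union[StaticNat, StaticPat]


def rewrite_a_record(answer_ip: str, rules: Sequence[Rule]) -> Optional[str]:
    """
    Decide whether an A-record answer carrying the public address `answer_ip`
    can be rewritten to a DMZ address for an inside client.

    Returns the DMZ address when exactly one 1:1 static covers that public
    address.  Returns None when any static PAT covers it: an A record carries
    no port, so there is no way to choose among the per-port PAT rules (the
    ambiguity the quoted Cisco note describes), and None when nothing or
    several conflicting 1:1 statics match.
    """
    if any(isinstance(r, StaticPat) and r.mapped_ip == answer_ip for r in rules):
        return None
    real_ips = {r.real_ip for r in rules
                if isinstance(r, StaticNat) and r.mapped_ip == answer_ip}
    return real_ips.pop() if len(real_ips) == 1 else None


def resolve_for_inside_client(hostname: str,
                              internal_zone: Dict[str, str],
                              external_zone: Dict[str, str],
                              rules: Sequence[Rule]) -> Optional[str]:
    """
    Address an inside client ends up with for `hostname`.

    A split-DNS A record in the internal zone wins outright (the workaround in
    the last reply).  Otherwise the public answer goes through DNS rewrite,
    which yields None under static PAT: the client keeps the public address and
    the DMZ host is unreachable by name from inside.
    """
    if hostname in internal_zone:
        return internal_zone[hostname]
    public_ip = external_zone.get(hostname)
    if public_ip is None:
        return None
    return rewrite_a_record(public_ip, rules)


# --- constructed sample topology ---
PUBLIC_IP = "203.0.113.10"
WEB_DMZ, MAIL_DMZ, DNS_DMZ = "192.168.100.10", "192.168.100.20", "192.168.100.30"

# The original poster's shape: one public IP, every service a static PAT.
PAT_RULES = [
    StaticPat(PUBLIC_IP, 80, WEB_DMZ, 80),
    StaticPat(PUBLIC_IP, 25, MAIL_DMZ, 25),
    StaticPat(PUBLIC_IP, 53, DNS_DMZ, 53),
]

# The alternative the second reply mentions: more public IPs, one 1:1 static each.
NAT_RULES = [
    StaticNat("203.0.113.11", WEB_DMZ),
    StaticNat("203.0.113.12", MAIL_DMZ),
]

EXTERNAL_ZONE = {"www.example.com": PUBLIC_IP, "mail.example.com": PUBLIC_IP}
INTERNAL_ZONE = {"www.example.com": WEB_DMZ}     # split-DNS A record for www only


if __name__ == "__main__":
    print("1:1 static, rewrite ->", rewrite_a_record("203.0.113.11", NAT_RULES))
    print("static PAT, rewrite ->", rewrite_a_record(PUBLIC_IP, PAT_RULES))
    for name in ("www.example.com", "mail.example.com"):
        got = resolve_for_inside_client(name, INTERNAL_ZONE, EXTERNAL_ZONE, PAT_RULES)
        print(name, "from inside ->", got)
```

Running it shows the two halves of the thread side by side: with the 1:1 statics the public answer is rewritten to the DMZ address, with the per-port PATs on a single public IP it is not, and the internal A record for www gives the inside client the DMZ address without the firewall having to rewrite anything (mail, which has no internal record, still fails under PAT).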
