This is what I have understood from your description: You have a network setup as drawn below and you want to allow Host A to access your web server (Host B) on your DMZ. Further, the DNS server is located on the outside.
PIX -------------------------HOST B (Web Server www.abc.com; IP 172.16.1.3)
HOST A (IP 10.1.1.2)
If what I have understood is right, then it is possible that the present configuration is wrong. Let's see why! Let's assume that your web server's (Host B) global address is a.b.c.d and that the URL is www.abc.com. A DNS request from the outside (Internet) to the DNS for www.abc.com will return the IP a.b.c.d. The external host can now access your web server (Host B) with this IP. If someone sitting on the inside (Host A) makes the same DNS request, the IP returned by the DNS server will be the same IP a.b.c.d. This is where the problem arises. No translation exists for this address between the inside and DMZ. This is precisely why the alias command is configured. By configuring the following alias command, the IP address a.b.c.d returned by the DNS server will be replaced by 172.16.1.3. Thus Host A on the inside will learn that server www.abc.com is accessible at IP 172.16.1.3.
alias (inside) 172.16.1.3 a.b.c.d 255.255.255.255
More information on the alias command is available at the URL
With this setup, user A on the inside interface (security level 100) will have access to all resources (the server) on the DMZ (security level 50). Remember, with the most basic configuration in place (IP addresses, route and nat), connections initiated from an interface at a higher security level to a lower security level interface are allowed by default. Thus, if the user on the inside (Host A) sends an HTTP request to the server on the DMZ (Host B), the request is allowed through and all traffic sent in response by the server is allowed through to Host A.
To allow traffic belonging to sessions initiated by Host B (lower security level) to reach Host A (higher security level), use the access-list or conduit permit statement. This access list must use internal/private addresses only, i.e. 10.1.1.2 and 172.16.1.3 in our example. In addition, Host A must be statically NATed, or NAT should be disabled between the inside and DMZ for this address.
For more information on configuring the PIX firewall (Basic Commands), visit the following URL:
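The DNS fix-up described in this reply (the alias command replacing a.b.c.d in DNS answers with 172.16.1.3 for inside hosts) is easier to reason about when modelled in code. The following is an added example, not PIX code and not from this thread: it builds a constructed DNS reply for www.abc.com, then walks the answer section and rewrites any A record whose rdata equals the global address. Since the thread only writes the global address as a.b.c.d, the example assumes the documentation address 203.0.113.10 in its place; the name `doctor_reply` and the helpers are the example's own.

```python
import struct
import ipaddress

# Constructed values: the thread writes the server's global address as a.b.c.d,
# so 203.0.113.10 (a documentation range) is ASSUMED in its place here.
GLOBAL_ADDR = "203.0.113.10"   # stands in for a.b.c.d (assumption)
DMZ_ADDR = "172.16.1.3"        # Host B's DMZ address from the thread


def encode_name(name):
    """Encode a domain name in DNS wire format (labels prefixed by length)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_reply(name, addr, txid=0x1234):
    """Build a minimal DNS response with a single A record (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    # The answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


def skip_name(buf, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, terminates the name
            return pos + 2
        pos += 1 + length


def walk_records(buf):
    """Yield (rdata_offset, rtype, rclass, rdlength) for every resource record in the reply."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", buf, 0)
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(buf, pos) + 4    # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = skip_name(buf, pos)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", buf, pos)
        pos += 10
        yield pos, rtype, rclass, rdlength
        pos += rdlength


def doctor_reply(buf, global_addr, local_addr):
    """Rewrite A records carrying global_addr so they carry local_addr instead.

    This models the DNS fix-up performed by the alias command for inside hosts.
    Returns (rewritten_packet, number_of_records_changed)."""
    g = ipaddress.IPv4Address(global_addr).packed
    l = ipaddress.IPv4Address(local_addr).packed
    out = bytearray(buf)
    changed = 0
    for pos, rtype, rclass, rdlength in walk_records(buf):
        # Only IN A records with exactly four bytes of rdata are candidates.
        if rtype == 1 and rclass == 1 and rdlength == 4 and buf[pos:pos + 4] == g:
            out[pos:pos + 4] = l
            changed += 1
    return bytes(out), changed


def a_records(buf):
    """Return the A-record addresses in a reply as dotted strings, for inspection."""
    return [str(ipaddress.IPv4Address(bytes(buf[pos:pos + 4])))
            for pos, rtype, rclass, rdlength in walk_records(buf)
            if rtype == 1 and rclass == 1 and rdlength == 4]


if __name__ == "__main__":
    reply = build_reply("www.abc.com", GLOBAL_ADDR)
    fixed, n = doctor_reply(reply, GLOBAL_ADDR, DMZ_ADDR)
    print("outside view:", a_records(reply))   # ['203.0.113.10']
    print("inside view: ", a_records(fixed))   # ['172.16.1.3']
```

The rewrite happens in place and the packet length does not change, which is why the model needs no length or checksum adjustment; it also only touches records whose rdata exactly equals the global address, so replies for other names pass through unmodified.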
Your network diagram is correct, only that the DNS server is located on the inside interface. Its purpose is to serve internal users only, and it is not accessible from the outside. When Host A in the inside network makes a DNS request for Host B, the DNS server will return IP address 10.1.1.3 for Host B. Host A will now send packets with destination address 10.1.1.3. When they come to the PIX, they'll be NATed into 172.16.1.3 (by the alias command).
To avoid using a static route on Host B, the static command is needed:
access-list xx permit xxx host 172.16.1.2 host 172.16.1.3
You do not require any access-list for the return traffic, as it is part of the same session.
On the inside, by default, you would not require an access-list to permit traffic to the DMZ server, as the communication is from a higher to a lower security level. But if you have to be restrictive and define only particular types of traffic, then use
access-list xx permit xxx host 10.1.1.3 10.1.1.0 255.255.255.0