Cisco Support Community
New Member

DNS on inside

I have three LANs: inside 192.168.0.0/24, outside 172.16.10.0/24 (where the Internet router is) and DMZ 172.16.11.0/24.

My customer has moved his web server from inside to the DMZ, with address 172.16.11.151.

This web server is also his mail server and Lotus server.

With appropriate policies on the PIX 515 it all works, both from outside and for inside users.

There is only one problem: from inside, a user can see his web server as a machine when he browses his network neighbourhood from Windows.

There is no NAT on either interface, and with a specific access-list he can ping the host 172.16.11.151 from the inside network.

What can it be?

thanks

Lorenzo

2 REPLIES
Silver

Re: DNS on inside

If his web server also runs other services and can be seen in Network Neighborhood, it's possible that someone opened up way too many ports from the DMZ into the internal network. Can you post the PIX config?

New Member

Re: DNS on inside

Here it is:

wr t
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit tcp any host 172.16.11.151 eq www
access-list acl_out permit tcp any host 172.16.11.151 eq smtp
access-list acl_out permit tcp any host 172.16.11.151 eq lotusnotes
access-list acl-out permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 172.16.10.1 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 172.16.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 192.168.0.0 255.255.255.0 0 0
nat (inside) 0 192.168.0.0 255.255.0.0 0 0
nat (dmz) 0 172.16.11.0 255.255.255.0 0 0
static (dmz,outside) 172.16.11.151 172.16.11.151 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.10.2 1
route inside 192.168.0.0 255.255.0.0 192.168.0.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS protocol tacacs
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.0.99 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:fe3ed8aaedb01e172072446839fa60ad
: end
[OK]
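The posted config has only one access-group, on outside. On PIX 6.x, an interface with no access-group falls back to the security-level rule: connections initiated from a higher security level towards a lower one are permitted, and lower towards higher are denied. So inside (100) can open any TCP/UDP port on the DMZ host, including the NetBIOS/SMB ports Windows browsing uses, while dmz (50) cannot initiate anything towards inside. The config also defines access-list acl-out (hyphen) but binds acl_out (underscore), so the ICMP line is never applied. The following script is an added example, not code from the thread; it reads the nameif, access-list and access-group lines and prints that implicit policy for every interface pair plus any defined-but-unbound ACL names. The embedded POSTED_CONFIG string is just the relevant lines of the configuration above.

```python
# Added example (not from the original post): a static-policy auditor for a
# PIX 6.x configuration. It reports, for every ordered pair of interfaces,
# whether a connection initiated on the first towards the second is filtered
# by a bound access-list or handled by the PIX default (higher security level
# to lower: permitted; lower to higher: denied). It also lists access-lists
# that are defined but never bound with access-group, which is how a typo in
# an ACL name silently drops a whole set of rules.
import re
from itertools import permutations

# The relevant lines of the configuration posted above; everything else is omitted.
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list acl_out permit tcp any host 172.16.11.151 eq www
access-list acl_out permit tcp any host 172.16.11.151 eq smtp
access-list acl_out permit tcp any host 172.16.11.151 eq lotusnotes
access-list acl-out permit icmp any any
nat (inside) 0 192.168.0.0 255.255.255.0 0 0
nat (dmz) 0 172.16.11.0 255.255.255.0 0 0
static (dmz,outside) 172.16.11.151 172.16.11.151 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_config(text):
    """Return (security level by interface, rules by ACL name, bound ACL name by interface)."""
    levels, acls, bound = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)
    return levels, acls, bound


def audit(text):
    """Classify every src->dst interface flow and flag ACL names that do nothing."""
    levels, acls, bound = parse_config(text)
    # Defined but never bound: the rules have no effect (acl-out vs acl_out above).
    unapplied = sorted(name for name in acls if name not in bound.values())
    # Bound but with no rules: the ACL denies everything entering that interface.
    empty = sorted(name for name in bound.values() if name not in acls)
    flows = {}
    for src, dst in permutations(sorted(levels, key=levels.get, reverse=True), 2):
        acl = bound.get(src)
        if acl is not None:
            # A bound ACL replaces the default behaviour and ends in an implicit deny.
            verdict = "filtered by %s (%d rules, implicit deny)" % (acl, len(acls.get(acl, [])))
        elif levels[src] > levels[dst]:
            verdict = "permitted by default: no access-group, higher to lower security"
        else:
            verdict = "denied by default: no access-group, lower to higher security"
        flows[(src, dst)] = verdict
    return {"unapplied_acls": unapplied, "empty_bound_acls": empty, "flows": flows}


if __name__ == "__main__":
    result = audit(POSTED_CONFIG)
    for name in result["unapplied_acls"]:
        print("WARN access-list %s is defined but never bound with access-group" % name)
    for name in result["empty_bound_acls"]:
        print("WARN access-group binds %s, which has no rules" % name)
    for (src, dst), verdict in result["flows"].items():
        print("%-8s -> %-8s %s" % (src, dst, verdict))
```

Run against the posted config it reports inside -> dmz as permitted by default and dmz -> inside as denied by default, so nothing in the firewall lets the DMZ host initiate connections into the LAN; whatever is making the host appear in the browse list is reachable because the inside side is unrestricted. The PIX-side remedy, if the customer wants inside users limited to the same three services, is an access-list bound with access-group on the inside interface that permits only www, smtp and lotusnotes to 172.16.11.151 plus whatever the LAN needs towards outside; once bound, its implicit deny replaces the default permit, and the acl-out/acl_out name mismatch should be fixed at the same time.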
