New Member

Exchange with Access-list - error resolving host

Hi all,

I have a very, very typical problem at one of the client sites. I'm trying to configure a PIX 515 R with Exchange on the LAN.

The client requirement is to let only 6 clients browse the internet and the remaining not to, but mail should work for all through Exchange.

I configured it as shown below. With this configuration, all the clients on the LAN can ping any global IP, but not all can browse. Only the allowed IPs can browse.

But here in the Middle East we have our ISP, and to browse in Internet Explorer it is imperative that one puts proxy1.emirates.net.ae as the proxy in IE.

If I put the above proxy, it does not browse; if I put an IP, say 194.170.1.6, the DNS of the ISP, then it browses. Even when we send a mail from the LAN, the mail goes and gets stuck in the Exchange queue, and an error is generated in Exchange reading that host name hotmail.com could not be resolved.

From the client, if I ping www.cisco.com I get request timed out, but if I ping the global IP address I get a reply.

Well, this surely shows that there's a DNS resolution problem. The router through which the packets ultimately go out is enabled for domain-lookup, and if I ping any site, e.g. www.cisco.com, from the router terminal, it does resolve it and gets replies.

Well, if anyone has faced such a problem earlier, please let me know the solution to this. If there are any more queries in this regard, I will let you know everything, if only this could work.

Thanx !

pixfirewall# sh conf

: Saved

:

PIX Version 5.2(6)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

names

access-list acl_in permit icmp any any

access-list acl_in deny tcp any any eq www

access-list acl_in permit tcp host 192.168.1.2 any eq www

access-list acl_in permit tcp host 192.168.1.3 any eq www

access-list acl_in permit tcp host 192.168.1.11 any eq www

access-list acl_in permit tcp host 192.168.1.12 any eq www

access-list acl_in permit tcp host 192.168.1.13 any eq www

access-list acl_in permit tcp host 192.168.1.14 any eq www

access-list acl_in permit tcp host 192.168.1.15 any eq www

access-list acl_in permit tcp host 192.168.1.16 any eq www

access-list acl_in permit tcp host 192.168.1.17 any eq www

access-list acl_out permit icmp any any

access-list acl_out permit tcp any host 213.42.219.12 eq smtp

access-list acl_out permit tcp any host 213.42.219.12 eq domain

access-list acl_out permit tcp any host 213.42.219.12 eq pop3

pager lines 24

logging on

no logging timestamp

no logging standby

no logging console

no logging monitor

no logging buffered

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 213.42.219.13 255.255.255.224

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 213.42.219.5-213.42.219.10

global (outside) 1 213.42.219.11

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 213.42.219.12 192.168.1.2 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 213.42.219.14 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity hostname

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:ea55e9d1c9909ce965c4e0d12a40f018

Thanx guys, please update any info or solution ASAP.

Bye

tauseef

tauseef@cadgulf.com

1 REPLY
New Member

Re: Exchange with Access-list - error resolving host

It doesn't look like you're letting the clients do DNS lookups. Add the following to your access-list.

access-list acl_in permit udp any any eq 53

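The symptom in this thread (ping by IP works, names do not resolve) can be reproduced by walking the posted acl_in top to bottom. The following is an added example, not code from the thread: a simplified first-match model in Python that handles only the `any`, `host` and `eq` forms used above, with 192.168.1.20 as a constructed client address.

```python
import ipaddress

PORTS = {"www": 80, "smtp": 25, "domain": 53, "pop3": 110}

# acl_in exactly as posted in the question (applied inbound on the inside interface).
ACL_IN = """\
access-list acl_in permit icmp any any
access-list acl_in deny tcp any any eq www
access-list acl_in permit tcp host 192.168.1.2 any eq www
access-list acl_in permit tcp host 192.168.1.3 any eq www
access-list acl_in permit tcp host 192.168.1.11 any eq www
access-list acl_in permit tcp host 192.168.1.12 any eq www
access-list acl_in permit tcp host 192.168.1.13 any eq www
access-list acl_in permit tcp host 192.168.1.14 any eq www
access-list acl_in permit tcp host 192.168.1.15 any eq www
access-list acl_in permit tcp host 192.168.1.16 any eq www
access-list acl_in permit tcp host 192.168.1.17 any eq www
"""
# The same list with the line suggested in the reply appended.
FIXED = ACL_IN + "access-list acl_in permit udp any any eq 53\n"

def parse(acl_text):
    """Turn access-list lines into (line, action, proto, src, dst, port) tuples."""
    rules = []
    for line in acl_text.strip().splitlines():
        tok = line.split()[2:]                 # drop "access-list <name>"
        action, proto, rest = tok[0], tok[1], tok[2:]
        addrs = []
        for _ in range(2):                     # source spec, then destination spec
            if rest[0] == "any":
                addrs.append(None)
                rest = rest[1:]
            else:                              # "host A.B.C.D"
                addrs.append(ipaddress.ip_address(rest[1]))
                rest = rest[2:]
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest else None  # "eq <port>"
        rules.append((line, action, proto, addrs[0], addrs[1], port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, matching line); the first matching line wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto == proto and r_src in (None, src)
                and r_dst in (None, dst) and r_port in (None, dport)):
            return action, line
    return "deny", "implicit deny (no line matched)"
```

In this model a UDP/53 query to 194.170.1.6 falls through to the implicit deny under the posted list and is permitted once the reply's line is added, while ICMP matches the first line either way. TCP/25 from 192.168.1.2 still reaches the implicit deny, because acl_in has no smtp line.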