Forgive my ignorance, I am new to the PIX firewall configuration. Here's what I'm trying to do. I have a proxy server (Microsoft ISA Server) in my DMZ with an address of 192.168.2.2. My DMZ interface address is 192.168.2.1. My Inside interface has an address of 172.16.1.1 and the DNS server on the Inside network is 172.16.40.140.
How can I set it so the server in the DMZ queries the DNS server on the inside network? Any help is greatly appreciated.
I've actually looked at both of these articles already but I still couldn't get it to work. I believe the statement I need is static (inside,dmz) and then the IPs, but I'm not sure how it is supposed to be structured. Any other ideas?
You need to configure two things for traffic to flow through the PIX, regardless of the direction. Of course the interface setup, routing, and other stuff is needed as well, but I am only addressing this specific query.
First the PIX needs an address translation rule, which can be either a "static" or a "global/nat" depending on the requirement and situation.
Secondly the PIX needs a security rule to permit the traffic, which can be the default "traffic from a higher security interface can pass to a lower security interface" rule or an ACL/conduit (conduits are not Cisco recommended).
In your case you will need to configure a static address translation for the DNS server on the inside network. Now you can create a security rule that will allow the proxy server to query the DNS server. A stab at some relevant config lines is below, but you will have to read up on the commands to fully understand their implication:
Now the first line creates the static that preserves the DNS server's IP address. The second and third lines create an ACL that permits the proxy server to establish DNS communications with the DNS server. And the fourth line applies the ACL to the DMZ interface.
A quick caveat. I am just grappling with ACLs myself, having used the conduit command instead in the past. So I cannot fully guarantee that the ACL will have any other adverse effect; read up on them and decide for yourself. I can however be sure that if you replace lines 3, 4, and 5 with the following two conduits it will work (until Cisco retires the conduit command):
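The static plus ACL approach described in the answer above, written out as an added example (this is not the poster's own config, whose lines are missing from the thread). It assumes PIX 6.x syntax, interface names `inside` and `dmz`, and an ACL named `dmz_in`; the addresses are the ones given in the question.

```text
! Identity static: the inside DNS server keeps its real address (172.16.40.140)
! when seen from the DMZ. The trailing "0 0" are the PIX 6.x connection limits
! (0 = unlimited); the netmask makes this a single-host static.
static (inside,dmz) 172.16.40.140 172.16.40.140 netmask 255.255.255.255 0 0

! Least-privilege rule: only the ISA proxy (192.168.2.2) may reach the DNS
! server, and only on port 53. UDP covers normal lookups; TCP covers large
! responses and zone transfers, so drop the TCP line if the proxy never needs it.
access-list dmz_in permit udp host 192.168.2.2 host 172.16.40.140 eq domain
access-list dmz_in permit tcp host 192.168.2.2 host 172.16.40.140 eq domain

! Binding an ACL inbound on the DMZ interface replaces the implicit
! higher-to-lower permit for that interface: everything else the proxy sends
! through the PIX (for example to the outside) now also needs an explicit
! permit in dmz_in, otherwise it is silently denied by the implicit deny.
access-group dmz_in in interface dmz
```

Verify with `show xlate` (the static should appear) and `show access-list dmz_in` (hit counts increment as the proxy resolves names); denied DMZ traffic shows up in syslog and is the first place to look if the proxy stops reaching anything other than the DNS server.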