I have 2 IP addresses from my provider, 1 is issued via PPPoE (static), the other is static as a NAMES. I am having issues with a Win2k DNS server behind the PIX communicating with a replication partner on the outside which is on a Win2k3 server. All initiations must come from the Win2k or zone transfers won't happen.
Also, I am having issues browsing from an internal system using the PPPoE address for NAT to the secondary IP on the external interface.
Below is my config. I think I cleaned all my VPN stuff out, but there might be something still there.
Any suggestions on how to best configure this?
I just received the second IP yesterday, prior to that DNS worked (as far as I can tell).
Thanks for your info. A little more info from my side.
I cleaned everything up and the access-list outside_access_in was removed.
The below ACL was based on info from Cisco's site for DNS doctoring.
static (outside,inside) WEB01 WEB01_OUT dns netmask 255.255.255.255
I have all my services back up except for DNS transfer from behind the PIX to a public server. I can't force a zone transfer remotely. It looks like all transfers are failing even at the record level.
I created a new object group for the DNS part.
access-list 101 permit udp any host USWEB01_OUT object-group NS (is a TCP-UDP group for "domain" only)
I would really like to use the lower part of your suggestion but it failed when trying to use it.
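One detail worth checking against the ACL above: a zone transfer (AXFR) runs over TCP port 53, while ordinary lookups use UDP 53, so an entry written for `udp` only will never match the transfer itself. The following Python is an added illustration, not Cisco code and not part of this thread: it is a tiny first-match evaluator for the subset of PIX-style extended ACL syntax seen in the post (`permit|deny <proto> any|host X any|host Y [eq <port>|object-group <name>]`, implicit deny at the end). The name `USWEB01_OUT` and the `NS` group come from the post; the partner address `203.0.113.5`, the contents of the `NS` group, and the extra TCP line are constructed for the example.

```python
"""Tiny first-match evaluator for PIX/ASA-style extended ACL lines.

Added illustration, not Cisco code. It models only the syntax that appears
in the thread: 'permit|deny <proto> <src> <dst> [eq <port>|object-group <g>]'
with 'any' or 'host X' endpoints. USWEB01_OUT and the NS group name are from
the post; the partner address and the group contents are constructed.
"""
from dataclasses import dataclass

# Constructed: the post says the NS object-group holds only "domain".
SERVICE_GROUPS = {"NS": {"domain": 53}}
NAMED_PORTS = {"domain": 53, "www": 80}

# Constructed placeholder for the outside replication partner.
PARTNER = "203.0.113.5"


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str           # "any" or a host name/address
    dst: str
    dports: frozenset  # empty set means "any port"


def _parse_endpoint(tokens):
    """Consume 'any' or 'host X' from the token list; return (endpoint, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported endpoint syntax: {tokens[0]}")


def parse_ace(line):
    """Parse one 'access-list <id> permit|deny ...' line into an Ace."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError("not an access-list line")
    action, proto = tokens[2], tokens[3]
    src, rest = _parse_endpoint(tokens[4:])
    dst, rest = _parse_endpoint(rest)
    ports = set()
    if rest[:1] == ["eq"]:
        ports.add(NAMED_PORTS.get(rest[1]) or int(rest[1]))
    elif rest[:1] == ["object-group"]:
        ports.update(SERVICE_GROUPS[rest[1]].values())
    return Ace(action, proto, src, dst, frozenset(ports))


def _ep_match(ace_ep, flow_ep):
    return ace_ep == "any" or ace_ep == flow_ep


def evaluate(acl, flow):
    """Return 'permit' or 'deny' using first-match semantics; implicit deny."""
    for ace in acl:
        if ace.proto not in (flow.proto, "ip"):
            continue  # a udp-only entry never sees a TCP flow
        if not (_ep_match(ace.src, flow.src) and _ep_match(ace.dst, flow.dst)):
            continue
        if ace.dports and flow.dport not in ace.dports:
            continue
        return ace.action
    return "deny"


# The ACL line as posted, and the same ACL with a TCP 53 entry for the partner.
AS_POSTED = [parse_ace("access-list 101 permit udp any host USWEB01_OUT object-group NS")]
WITH_AXFR = AS_POSTED + [
    parse_ace(f"access-list 101 permit tcp host {PARTNER} host USWEB01_OUT eq domain"),
]


def check():
    """Evaluate a normal UDP lookup and a TCP zone transfer against both ACLs."""
    query = Flow("udp", PARTNER, "USWEB01_OUT", 53)  # ordinary DNS query
    axfr = Flow("tcp", PARTNER, "USWEB01_OUT", 53)   # zone transfer
    return {
        "udp_query_as_posted": evaluate(AS_POSTED, query),
        "tcp_axfr_as_posted": evaluate(AS_POSTED, axfr),
        "tcp_axfr_with_rule": evaluate(WITH_AXFR, axfr),
    }


if __name__ == "__main__":
    for name, verdict in check().items():
        print(f"{name}: {verdict}")
```

The added TCP line is scoped to the single partner host rather than `any`, which is the usual practice for zone transfers: the transfer endpoint only needs to accept TCP 53 from the hosts it actually replicates with.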