PIX 515 with multiple interfaces seeing each other and Active Directory
I've configured a Cisco PIX 515E unrestricted, IOS v. 6.1, with 6 interfaces for a customer. We have hosts on Windows 2000 and NT platforms spread across each subnet. I've implemented NAT to allow the higher security interfaces to talk with the lower ones and vice versa.
nameif ethernet0 outside 0
nameif ethernet1 inside 100
nameif ethernet2 ServerFarm 50
nameif ethernet4 DMZ_Pubblica 30
nameif ethernet5 DMZ2 80
ip address outside 172.16.80.1 255.255.255.0
ip address inside 172.16.16.1 255.255.255.0
ip address ServerFarm 172.16.1.1 255.255.255.0
ip address DMZ_Pubblica 172.16.48.1 255.255.255.0
ip address DMZ2 172.16.64.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ServerFarm) 1 0.0.0.0 0.0.0.0
nat (DMZ_Pubblica) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 1 0.0.0.0 0.0.0.0
global (outside) 1 172.16.80.101-172.16.80.130 netmask 255.255.255.0
global (ServerFarm) 1 172.16.1.101-172.16.1.130 netmask 255.255.255.0
So when a host on DMZ_Pubblica needs to access a server with IP address 172.16.18.50 in the inside network, it will have to open a session with 172.16.48.50.
The Active Directory is in the subnet named ServerFarm. When the Active Directory server receives a request coming from a host in DMZ_Pubblica, with IP address 172.16.48.yy, to resolve the name of a server in the inside network, with IP address 172.16.16.xx, the AD server will have to answer with the NATted IP address 172.16.48.xx. When the AD server receives a request from a host in DMZ2, with IP address 172.16.64.zz, for the same server in the inside network, it will have to give another NATted IP address, 172.16.64.xx, and that's impossible.
I can fix it with lmhosts files, or I must modify each WINS server, but the customer would rather not do that on every machine and complains because he believes it takes too long to resolve names. Are there any other solutions?
May I not apply the NAT mechanism between the interfaces?
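Added example, not part of the original post: a short Python sketch that parses the interface lines from the configuration above and computes which address each requesting subnet would have to be given for one inside server. It assumes the mapping the post describes (same host portion, moved onto the requester's subnet), and the function names are hypothetical.

```python
import ipaddress
import re

# Interface lines copied from the post's configuration.
PIX_CONFIG = """\
nameif ethernet0 outside 0
nameif ethernet1 inside 100
nameif ethernet2 ServerFarm 50
nameif ethernet4 DMZ_Pubblica 30
nameif ethernet5 DMZ2 80
ip address outside 172.16.80.1 255.255.255.0
ip address inside 172.16.16.1 255.255.255.0
ip address ServerFarm 172.16.1.1 255.255.255.0
ip address DMZ_Pubblica 172.16.48.1 255.255.255.0
ip address DMZ2 172.16.64.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {name: (security_level, IPv4Network)} from nameif / ip address lines."""
    levels, nets = {}, {}
    for line in config.splitlines():
        if m := re.match(r"nameif \S+ (\S+) (\d+)$", line):
            levels[m.group(1)] = int(m.group(2))
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            nets[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    return {name: (levels[name], nets[name]) for name in levels if name in nets}

def answer_needed(real_ip, requester, ifaces):
    """Address a client on `requester` must be given for `real_ip` (assumed mapping)."""
    real = ipaddress.ip_address(real_ip)
    home = next(n for n, (_, net) in ifaces.items() if real in net)
    if ifaces[requester][0] >= ifaces[home][0]:
        return real  # assumption: same or higher security level uses the real address
    req_net = ifaces[requester][1]
    host_bits = int(real) & int(req_net.hostmask)
    return ipaddress.ip_address(int(req_net.network_address) | host_bits)

def answers_by_requester(real_ip, ifaces):
    """Required answer per requesting interface, excluding the server's own."""
    real = ipaddress.ip_address(real_ip)
    return {n: str(answer_needed(real_ip, n, ifaces))
            for n, (_, net) in ifaces.items() if real not in net}

if __name__ == "__main__":
    views = answers_by_requester("172.16.16.50", parse_interfaces(PIX_CONFIG))
    for name, addr in views.items():
        print(f"{name:13} must be told {addr}")
    print("distinct answers for one name:", len(set(views.values())))
```

One host name needs a different answer on every lower-security interface, which a name service holding a single record per name cannot provide.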