Cisco Support Community

PIX 520 and 6.2(2) - Weird problems

Hi,

First, I would like to know whether anyone has been using 6.2(2) in production?

I have a simple setup with a PIX 520 and 6.2(2). There is one HTTP Proxy server behind the firewall. All users hit the HTTP Proxy, which in turn goes out through the PIX. The Proxy is natted on the PIX.

Something like this:

nat (inside) 1 ip_of_the_proxy 255.255.255.255 0 0

global (outside) 1 ip_from_global_pool

Now the ISP has two DNS servers. Let's say A & B. After some time of functioning, users can't get URLs resolved. For example, a request for www.download.com returns with a search page from search.msn.com.

When the preference for DNS servers is reversed, say from A & B to B & A, it starts working again.

I changed the nat statement to :

nat (inside) 1 ip_add_of_proxy 255.255.255.255 dns 0 0

Still watching for trouble.

Any clues on what could be the problem? What's the difference between:

nat (inside) 1 IP mask 0 0

AND

nat (inside) 1 IP mask dns 0 0

TIA,

Siddhartha

1 REPLY

Re: PIX 520 and 6.2(2) - Weird problems

The dns option on the nat statement means that if the resolved address is found in your xlate, the firewall will translate it to the local address, i.e. if the server is on your own network its local address will be used.

Are you sure the DNS server is up? Is it responding to ping? Use NSLOOKUP or a DNS client (such as DynyDNS; www.dynu.com) to query the DNS server. Ask someone else outside your network (and firewall) to query the same DNS servers to see if they get a reply. If they get a reply, use the debug functions in your PIX to pinpoint the problem.

-- Rubio

PS. The web server doesn't return the MSN search page. IE displays it automatically if no server is found (Gee, thanks Bill...).
