PIX AND DNS REVERSE LOOKUP PROBLEM(S)

rlowe26
Level 1

Ladies and Gentlemen, Apparently there is no FIX for this Problem(s). However, If one of you CISCO Ladies or Gentlemen can Figure this out, Please let me know Soonest... Thank You in advance.

I have a PIX 515 w/failover. On one of my Networks, I have People that have to get to a certain .mil site, but when they attempt to hit certain Links off of it, they can't get to it. When I do a Reverse DNS Lookup Check, it tells me that it is unable to translate my IP Address to a host name, which is reflecting my PAT Address on my PIX. Now, of course, if I get on one of my Outside DNS Servers, I can get to the Links with no problem. Furthermore, I have a DNS Entry on my outside DNS Server for my Global PAT Address, and it still does not translate. I have tried everything on Cisco's site to fix this situation, to no avail. This is a much needed item, but I also want to keep my network locked down, and yes I know I can't have my cake and eat it too, but any information/guidance on this would be greatly appreciated.

Can someone please help me with this one? I always try to do things myself, but this is one thing that is kicking my tail. Please Help!

7 Replies

jmia
Level 7

Hi Ron,

Any chance you can post your config without the real IPs/passwords etc., etc.?

Thanks -

Sure, give me a few minutes so I can edit the configs in .txt accordingly. Thanks! Ron

Ok, here it is.

: Saved
: Written by
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd encrypted
hostname mypix
fixup protocol http 80
fixup protocol h323 ras 1718-1719
fixup protocol rtsp 554
fixup protocol smtp 25
no fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol sqlnet 1521
no fixup protocol rsh 514
no fixup protocol h323 h225 1720
no fixup protocol ftp 21
no fixup protocol ils 389
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host x.x.x.x eq smtp
access-list 100 permit tcp any host x.x.x.x eq bgp
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging trap debugging
logging history notifications
logging host inside x.x.x.x
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside x.x.x.x 255.255.255.0
ip address intf2 0.0.0.0 0.0.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside x.x.x.x
failover ip address intf2 x.x.x.x
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxx
no snmp-server enable traps
tftp-server inside x.x.x.x pixconfig
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet x.x.x.x 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
terminal width 80
end

I haven't implemented my DMZ yet, but I will be doing that this weekend.

I also have "service resetoutside".

Ron

Ron,

I presume that your internal clients/PCs are using your outside DNS IP address? Also try < sysopt noproxyarp inside > and see what happens.

Thanks -

My internal clients are using NAT on the inside. I have Inside DNS and Outside DNS. I just tried it. It didn't work. Ron

Hi Ron,

No luck, eh? Well, have a look at this doc; hopefully it might help you troubleshoot your problem. Sorry, no time to look at your problem in greater detail...

http://www.cisco.com/warp/public/110/21.html

Thanks -

mostiguy
Level 6

You have a forward DNS entry for your PIX IP address, but how about reverse? Meaning, you have a DNS A record for www.bob.com, but no reverse record for 1.2.3.4 to www.bob.com.
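The check mostiguy describes, as an added example that is not part of the thread: a forward-confirmed reverse DNS (FCrDNS) check run over two constructed zones, where the PAT address has an A record but no PTR record, so the lookup fails exactly the way Ron's does. The zone contents, hostnames and 192.0.2.x addresses are constructed sample data, not Ron's real config.

```python
# Added example (not from the thread): forward-confirmed reverse DNS check
# against constructed forward and reverse zones. A site that insists on
# reverse DNS will reject an address that has only an A record (Ron's case).
import ipaddress

# Constructed sample forward zone: hostname -> set of A-record addresses.
FORWARD_ZONE = {
    "mail.example.net": {"192.0.2.10"},
    "pat.example.net": {"192.0.2.20"},   # A record for the global PAT address
}

# Constructed sample reverse zone: in-addr.arpa name -> PTR target.
# Note the PAT address 192.0.2.20 has no entry here, which is the bug.
REVERSE_ZONE = {
    "10.2.0.192.in-addr.arpa": "mail.example.net",
    "30.2.0.192.in-addr.arpa": "mail.example.net",  # stale PTR, A does not match
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address, e.g. 20.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_fcrdns(ip: str, forward_zone: dict, reverse_zone: dict) -> tuple:
    """Return (status, detail) for one address.

    OK        - PTR exists and the named host's A records include ip
    NO_PTR    - no PTR record at all (what Ron's PAT address suffers from)
    MISMATCH  - PTR exists but does not forward-resolve back to ip
    """
    ptr_name = reverse_name(ip)
    host = reverse_zone.get(ptr_name)
    if host is None:
        return "NO_PTR", f"no PTR record at {ptr_name}"
    if ip not in forward_zone.get(host, set()):
        return "MISMATCH", f"PTR names {host}, but its A records do not include {ip}"
    return "OK", f"{ip} -> {host} -> {ip}"


def ptr_record(ip: str, host: str) -> str:
    """Zone-file line that would fix a NO_PTR result for ip."""
    return f"{reverse_name(ip)}. IN PTR {host}."


def sample_report() -> dict:
    """Run the check over every address in the constructed zones."""
    ips = sorted({ip for addrs in FORWARD_ZONE.values() for ip in addrs} | {"192.0.2.30"})
    return {ip: check_fcrdns(ip, FORWARD_ZONE, REVERSE_ZONE)[0] for ip in ips}


if __name__ == "__main__":
    for ip, status in sample_report().items():
        print(ip, status)
    print(ptr_record("192.0.2.20", "pat.example.net"))
```

The fix in this constructed setup is the single PTR line `ptr_record` prints, added to the reverse zone for the block the PAT address lives in (which the ISP or whoever is delegated that in-addr.arpa zone must host, not the forward zone Ron already edited).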
