04-24-2003 03:41 AM - edited 02-20-2020 10:42 PM
Ladies and gentlemen, apparently there is no fix for this problem. However, if one of you Cisco ladies or gentlemen can figure this out, please let me know soonest... Thank you in advance.
I have a PIX 515 w/failover. On one of my networks, I have people who have to get to a certain .mil site, but when they attempt to hit certain links off of it, they can't get to them. When I do a reverse DNS lookup check, it tells me that it is unable to translate my IP address to a host name, and the address it shows is my PAT address on my PIX. Now, of course, if I get on one of my outside DNS servers, I can get to the links with no problem. Furthermore, I have a DNS entry on my outside DNS server for my global PAT address, and it still does not translate. I have tried everything on Cisco's site to fix this situation, to no avail. This is a much-needed item, but I also want to keep my network locked down, and yes, I know I can't have my cake and eat it too, but any information/guidance on this would be greatly appreciated.
Can someone please help me with this one? I always try to do things myself, but this is one thing that is kicking my tail. Please help!
04-24-2003 03:47 AM
Hi Ron,
Any chance you can post your config without the real IPs/passwords, etc.?
Thanks -
04-24-2003 03:56 AM
Sure, give me a few minutes so I can edit the configs in .txt accordingly. Thanks! Ron
04-24-2003 04:09 AM
Ok, here it is.
: Saved
: Written by
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd encrypted
hostname mypix
fixup protocol http 80
fixup protocol h323 ras 1718-1719
fixup protocol rtsp 554
fixup protocol smtp 25
no fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol sqlnet 1521
no fixup protocol rsh 514
no fixup protocol h323 h225 1720
no fixup protocol ftp 21
no fixup protocol ils 389
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host x.x.x.x eq smtp
access-list 100 permit tcp any host x.x.x.x eq bgp
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging trap debugging
logging history notifications
logging host inside x.x.x.x
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside x.x.x.x 255.255.255.0
ip address intf2 0.0.0.0 0.0.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside x.x.x.x
failover ip address intf2 x.x.x.x
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxx
no snmp-server enable traps
tftp-server inside x.x.x.x pixconfig
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet x.x.x.x 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
terminal width 80
end
I haven't implemented my DMZ yet, but I will be doing that this weekend.
I also have "service resetoutside".
Ron
04-24-2003 04:44 AM
Ron,
I presume that your internal clients/PCs are using your outside DNS IP address? Also try "sysopt noproxyarp inside" and see what happens.
Thanks -
04-24-2003 05:50 AM
My internal clients are using NAT on the inside. I have inside DNS and outside DNS. I just tried it. It didn't work. Ron
04-24-2003 07:42 AM
Hi Ron,
No luck, eh? Well, have a look at this doc; hopefully it might help you troubleshoot your problem. Sorry, no time to look at your problem in greater detail...
http://www.cisco.com/warp/public/110/21.html
Thanks -
04-24-2003 07:40 AM
You have a forward DNS entry for your PIX IP address, but how about reverse? Meaning, you have a DNS A record for www.bob.com, but no reverse record for 1.2.3.4 to www.bob.com.
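The check the previous reply is describing is forward-confirmed reverse DNS: the remote site takes the source address of the connection (here the PIX's global PAT address), looks up its PTR record in in-addr.arpa, and then resolves the name it gets back to see whether it points at the same address. The script below is an added example, not code from the thread or from Cisco, and it runs against constructed zone data rather than a live resolver: the addresses, host names and zone contents are assumptions chosen to reproduce the three outcomes a PAT address can land in (no PTR at all, a PTR whose name no longer resolves back, and a confirmed pair).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check against constructed zone data.

Added example: the zones below are made up for illustration and are not the
DNS of the original poster or of any real site.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed forward zone: owner name -> A record targets.
FORWARD_ZONE: Dict[str, List[str]] = {
    "fw.example.com.": ["203.0.113.10"],   # the PIX global PAT address: A record only
    "www.example.com.": ["203.0.113.20"],  # A record with a matching PTR
    "old.example.com.": [],                # name that no longer has an A record
}

# Constructed reverse zone (in-addr.arpa): owner name -> PTR targets.
# 203.0.113.10 deliberately has no entry: this is the PAT-address case
# from the thread, where the forward A record exists but reverse lookup fails.
REVERSE_ZONE: Dict[str, List[str]] = {
    "20.113.0.203.in-addr.arpa.": ["www.example.com."],
    "30.113.0.203.in-addr.arpa.": ["old.example.com."],  # stale PTR
}


def _fqdn(name: str) -> str:
    """Normalise a host name to lower-case, absolute form."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ptr_owner_name(ip: str) -> str:
    """Owner name of the PTR record for an address (10.113.0.203.in-addr.arpa.)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup_ptr(ip: str, reverse_zone: Dict[str, List[str]] = REVERSE_ZONE) -> List[str]:
    """Names returned by a reverse lookup of ip (empty list when no PTR exists)."""
    return reverse_zone.get(ptr_owner_name(ip), [])


def lookup_a(name: str, forward_zone: Dict[str, List[str]] = FORWARD_ZONE) -> List[str]:
    """Addresses returned by a forward lookup of name."""
    return forward_zone.get(_fqdn(name), [])


def fcrdns(
    ip: str,
    forward_zone: Dict[str, List[str]] = FORWARD_ZONE,
    reverse_zone: Dict[str, List[str]] = REVERSE_ZONE,
) -> Tuple[str, Optional[str]]:
    """Classify an address the way a server applying FCrDNS would.

    Returns one of:
      ("no_ptr", None)              reverse lookup fails outright
      ("ptr_not_confirmed", name)   PTR exists but its name does not resolve back to ip
      ("ok", name)                  PTR name resolves back to ip
    """
    names = lookup_ptr(ip, reverse_zone)
    if not names:
        return ("no_ptr", None)
    for name in names:
        if ip in lookup_a(name, forward_zone):
            return ("ok", _fqdn(name))
    return ("ptr_not_confirmed", _fqdn(names[0]))


def ptr_record_to_add(ip: str, hostname: str) -> str:
    """Zone-file line the owner of the reverse zone would need to publish."""
    return f"{ptr_owner_name(ip)}\tIN\tPTR\t{_fqdn(hostname)}"


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        status, name = fcrdns(addr)
        print(f"{addr:15} {status:18} {name or '-'}")
    # The missing record for the PAT address, in the form the reverse zone needs:
    print(ptr_record_to_add("203.0.113.10", "fw.example.com"))
```

Swapping the two dictionary lookups for calls to a real resolver turns this into a live check of a PAT address. The practical caveat it makes visible: an A record for the PAT address in your own outside DNS does nothing for the reverse test, because the PTR has to live in the in-addr.arpa zone for the public block, and that zone is normally held by whoever delegated the addresses (the ISP) unless they have delegated it to you.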