I have a PIX 520 with a HTTP Proxy (MS ISA Server) behind it. The Proxy is dynamically natted to go out to the internet. The setup works for a while after which it fails to resolve host names.
Funnily, I can do a lookup using 'nslookup' but a 'ping www.yahoo.com' yields 'unknown host' error. From what I understand, the dns queries are timing out. I can ping and browse using the IP addresses, so it is definitely a dns timeout problem.
I tried increasing the timeout of UDP to 3 minutes from 2 minutes. But that didn't help.
Any ideas or workarounds?
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
pager lines 24
logging trap debugging
logging host inside 172.16.32.109
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 188.8.131.52 255.255.255.128
ip address inside 172.16.32.246 255.255.252.0
ip audit info action alarm
ip audit attack action alarm
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 172.16.32.109 255.255.255.255 inside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location 172.16.32.165 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 184.108.40.206 netmask 255.255.255.255
I think we had this problem recently as well and I found the following (I just can't remember where in CCO). Let me know if this helps you.
5. IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently.
For example, if a global IP address is 220.127.116.11 and the domain name for the PIX firewall is pix.caguana.com, the PTR record would be:
18.104.22.168.in-addr.arpa. IN PTR pix3.caguana.com
22.214.171.124.in-addr.arpa. IN PTR pix4.caguana.com
and so on.
And this is from the DNS Records Document:
Unlike the other SOA records, Pointer (PTR) records are used only in reverse (IN-ADDR.ARPA) domains. There must be exactly one PTR record for each Internet address. For example, if the host gadzooks.poetry.arizona.edu has an IP address of 126.96.36.199, then there must be a PTR record for it in the following format:
188.8.131.52.IN-ADDR.ARPA. IN PTR gadzooks.poetry.arizona.edu.
Reverse domains contain mainly PTR records (plus SOA and NS records at the top.)
The Berkeley r-utilities use the value of the PTR record for hostname authentication. Although DNS specifies that case is not significant in host names, be aware that some operating systems are sensitive to host name case.
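The check that follows from the reply, as an added example and not code from the original thread: a Python script that pulls the addresses out of the PIX 6.x "global" pool lines, emits one PTR record per address in the form the reply shows, and optionally does a live reverse lookup to report which addresses still have no PTR. The sample config, the 203.0.113.x addresses and the example.com names are constructed for the demonstration.

```python
import ipaddress
import re
import socket

# Matches PIX 6.x global pool lines, for example:
#   global (outside) 1 203.0.113.10 netmask 255.255.255.255
#   global (outside) 1 203.0.113.20-203.0.113.22
GLOBAL_RE = re.compile(
    r"^\s*global\s+\((?P<ifname>\w+)\)\s+(?P<id>\d+)\s+"
    r"(?P<start>\d+\.\d+\.\d+\.\d+)(?:-(?P<end>\d+\.\d+\.\d+\.\d+))?"
)


def global_pool_addresses(config_text):
    """Every IPv4 address in the global NAT pools, with ranges expanded."""
    addrs = []
    for line in config_text.splitlines():
        m = GLOBAL_RE.match(line)
        if not m:
            continue
        start = ipaddress.IPv4Address(m.group("start"))
        end = ipaddress.IPv4Address(m.group("end") or m.group("start"))
        addrs.extend(ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
    return addrs


def ptr_record(addr, hostname):
    """Zone-file PTR line for one address, using the reversed in-addr.arpa name."""
    name = hostname if hostname.endswith(".") else hostname + "."
    return f"{addr.reverse_pointer}. IN PTR {name}"


def ptr_zone(config_text, domain, prefix="pix"):
    """One PTR record per global address, named pix1.<domain>, pix2.<domain>, ..."""
    addrs = global_pool_addresses(config_text)
    return [ptr_record(a, f"{prefix}{i}.{domain}") for i, a in enumerate(addrs, 1)]


def check_reverse_dns(addrs, timeout=2.0):
    """Live check: PTR name for each address, or None when the lookup fails or times out."""
    socket.setdefaulttimeout(timeout)
    result = {}
    for a in addrs:
        try:
            result[str(a)] = socket.gethostbyaddr(str(a))[0]
        except OSError:  # socket.herror and socket.gaierror are subclasses of OSError
            result[str(a)] = None
    return result


# Constructed sample config (not the poster's), covering a single address and a range.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
global (outside) 1 203.0.113.10 netmask 255.255.255.255
global (outside) 1 203.0.113.20-203.0.113.22
"""
```

Run `ptr_zone(SAMPLE_CONFIG, "example.com")` to print the records to add to the reverse zone, and `check_reverse_dns(global_pool_addresses(SAMPLE_CONFIG))` against the real pool to list the addresses whose lookup still fails.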