Hi guys, I have a problem. I have a PIX 515E with outside, inside, and dmz interfaces. The web site is in the dmz; from the outside the web site works fine, but from the inside I can't access it using www.xxxx.com, only using http://10.2.2.3, which is the IP in the dmz. Any idea?
The DNS rewrite only works if the DNS response traverses the interface listed in the static command. In your example using this command:
static (dmz,outside) 220.127.116.11 172.16.16.27 dns
then the DNS response would have to come in on the DMZ interface. You have stated though that your DNS server is on the inside interface, so the above static is not going to work. This also explains why it works when you change the interfaces to (inside,outside), since the DNS response is seen on the inside interface and it therefore gets changed correctly. Note also how the old alias command specified the "inside" interface.
Now, do you really need a DNS static here? If this is for outside people to connect, then they'll return a DNS entry of 18.104.22.168 and your standard static of
static (dmz,outside) 22.214.171.124 172.16.16.27
that is already configured will do the trick.
If you're trying to set it up for inside people, then it depends on what IP address the inside DNS server returns. If it returns the 172.16.16.27 address then you don't need to do anything. If it returns the 126.96.36.199 address then you don't need "DNS rewriting", you need "destination NAT'ing". You do this also with a static as such:
Note how the interfaces are swapped around as per a normal static. This says that if I see a packet for 188.8.131.52 on the inside interface, change the destination to 172.16.16.27 and forward it out the DMZ interface.
Remember that the alias command had two functions, DNS rewrites and destination NAT (http://www.cisco.com/warp/public/110/alias.html). I have a feeling that the alias command you had in this PIX wasn't doing a whole lot depending on where your DNS server was located and what IP address it returned.