I Can't access my website from inside network! 3

[Vin999]

Hi,

I am using a Pix 501 ver 6.2.2

I am running a Web server, Mail server and allow internal clients, internet access.

I can't access our website

http://www.mydomain.com

form inside our network using this URL.

When I try from outside the network this works fine.

If I use

http://192.168.0.3/index.htm

then it works fine, but I want to be able to type in

http://www.mydomain.com

!!!

Can anyone shed any light on this?

I have included my current config below.

Thanks
Vinny

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxx encrypted
hostname SFUKfirewall
domain-name xxxx.com

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25

names
access-list acl_out permit tcp any host 192.168.2.2 eq pop3
access-list acl_out permit tcp any host 192.168.2.2 eq smtp
access-list acl_out permit tcp any host 192.168.2.2 eq www

pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500

ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 192.168.2.2

http://www 192.168.1.2

http://www dns

netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 pop3 192.168.1.2 pop3 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 smtp 192.168.1.2 smtp dns netmask 255.255.255.255 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

http server enable
http 192.168.1.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.2 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end

 

[ChrisAC]

You should use the 'alias' command as when you query DNS for

http://www.yourdomain.com,

the global outside address will be returned.

Example here;

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[LloydSev]

Do you have an internal DNS server on your network?

If you do, you can setup the alias there.

Computer/Network Technician
CCNA

 

[Vin999]

Hi,

I tried to follow the instructions on the link you provided, but I must be doing something wrong as I loose internet connection with this.

I have included current config incase you can spot any mistakes.

I know I am pointing to external dns servers I am not sure if the server is also using an internal dns server!

Thanks Vinny.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname SFUKfirewall
domain-name mydomain.com

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25

names
access-list acl_out permit tcp any host 192.168.2.2 eq pop3
access-list acl_out permit tcp any host 192.168.2.2 eq smtp
access-list acl_out permit tcp any host 192.168.2.2 eq www
access-list acl-out permit tcp any host 80.xxx.xxx.225 eq www

pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500

ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

alias (inside) 192.168.1.2 80.xxx.xxx.225 255.255.255.255

static (inside,outside) tcp 192.168.2.2

http://www 192.168.1.2

http://www dns

netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 pop3 192.168.1.2 pop3 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 smtp 192.168.1.2 smtp dns netmask 255.255.255.255 0 0
static (inside,outside) 80.xxx.xxx.225 192.168.1.2 dns netmask 255.255.255.255 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

route inside 192.168.0.0 255.255.255.0 192.168.1.2 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

http server enable
http 192.168.1.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.2 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
[OK]

 

[LloydSev]

You need to add an ACL entry for the web server..

access-list acl_out permit tcp any host 192.168.1.2 eq www

this must be in ADDITION to the one you have.

Computer/Network Technician
CCNA

 

[skhoury]

If you have an internal DNS Server (i.e. You are running Active Directory), you have to have entry ('A' Record) for your website.

Pull up your records on your DNS server and see if you have a 'www' record for the domain name.

 

[ChrisAC]

access-list acl_out permit tcp any host 192.168.1.2 eq www
"

I only ever put access-list statments in for the external IP addresses, never the internal. Any traffic entering the external interface will have the external address as a destination.

Vin, putting an alias in should not cause a loss of connectivity at all. All is does is doctor DNS replies from external servers.

You really need to find out if you have an internal DNS server so that you will simply resolve it to the internal address.

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************

 

[LloydSev]

Vin999: Do an "ipconfig /all" and tell us what the DNS server area says.

Computer/Network Technician
CCNA

 

[Vin999]

Hi Guys,

Thanks for your input i will try it out right now, mean while i enclose the "ip Config /all" results below.

Thanks Vinny.

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : SERVER
Primary DNS Suffix . . . . . . . : SuperfoodsUK.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : SuperfoodsUK.local

Ethernet adapter SERVER to Network:

Connection-specific DNS Suffix . : SUPERFOODSUK.LOCAL
Description . . . . . . . . . . . : Intel(R) PRO/100 S Server Adapter
Physical Address. . . . . . . . . : 00-02-B3-C8-C0-D3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.0.3
Primary WINS Server . . . . . . . : 192.168.0.1
Secondary WINS Server . . . . . . : 192.168.0.2

Ethernet adapter SERVER to Pix:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connect
ion
Physical Address. . . . . . . . . : 00-06-5B-F8-05-BC
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\Administrator>

 

[LloydSev]

that means you have an internal DNS server. whatever box 192.168.0.3 is, you can add an A entry into the DNS server and make this change locally.

Computer/Network Technician
CCNA

 

[ChrisAC]

you can add an A entry into the DNS server and make this change locally"

Unless of course this isn't an authorative server but just a cache server.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[Vin999]

Hi,

192.168.0.3 is the internal interface of my mail/web server, the external interface is the 192.168.1.2.

I am new at this, can you please tell me exactly what to add and where I would locate the file I need to add this statement into?

Thanks again
Vinny.

 

[LloydSev]

what operating system is it running?

Computer/Network Technician
CCNA

 

[Vin999]

Small Biz 2000

Cheers.

 

[LloydSev]

OK...

On that machine.. goto Start -> Run

MMC /A

File -> Add/Remove Snap-In

Click Add

Select DNS from the list


OK.. let me know if you get this far?

Computer/Network Technician
CCNA

 

[Vin999]

I have managed to, Select DNS from the list

Rgds
Vinny

 

[LloydSev]

ok Click Close to go back to the MMC main screen with the DNS snap-in loaded.

now click on DNS, it will ask you to either select "This Computer" or another computer. If you are physically on(or remotely on) the mail/web server, go ahead and select "This Computer"

Under "Forward Lookup Zones", go ahead and right click on your domain name. Select "New Host (A)". Type in

http://www for

the name, and the IP address for the web server.

Now, as long as you don't have the external IP on your system cached you should be able to start using it right away.. however if you can't, reboot your system.

Computer/Network Technician
CCNA

 

[Vin999]

***
Thanks very much LloydSev

that did the trick

Regards
Vinny