TheStressFactor
IS-IT--Management
Hey all,
Just implemented a PIX515(6.2).My users cannot get out to the internet with the DNS IP provided by dhcp. The internal dns server is a w2k box. However, if i provide an external dns server it works perfectly fine. Is there something I need to provide in order to get my internal dns to resolve properly?
Below is my config...any help or insight would be great.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7DeygvHKjBuxNxrP encrypted
passwd 0fTucaWSYztRT69N encrypted
hostname firewall
domain-name mycompany.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_outbound permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list acl_outbound permit ip any any
access-list acl_outbound permit icmp any host x.x.x.70
access-list acl_inbound permit ip any any
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.70 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
access-group acl_outbound in interface outside
access-group acl_inbound in interface inside
outbound 1 permit 192.168.3.0 255.255.255.0 0 ip
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
: end
Just implemented a PIX515(6.2).My users cannot get out to the internet with the DNS IP provided by dhcp. The internal dns server is a w2k box. However, if i provide an external dns server it works perfectly fine. Is there something I need to provide in order to get my internal dns to resolve properly?
Below is my config...any help or insight would be great.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7DeygvHKjBuxNxrP encrypted
passwd 0fTucaWSYztRT69N encrypted
hostname firewall
domain-name mycompany.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_outbound permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list acl_outbound permit ip any any
access-list acl_outbound permit icmp any host x.x.x.70
access-list acl_inbound permit ip any any
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.70 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
access-group acl_outbound in interface outside
access-group acl_inbound in interface inside
outbound 1 permit 192.168.3.0 255.255.255.0 0 ip
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
: end