
Pitfalls of using names. It didn't work for me.

Status
Not open for further replies.

captaintuba

Technical User
Oct 28, 2003
Pitfalls of using names
A nice idea – but it didn’t work for me.


I’m using 6.0(1) code on a 515 and thought using names would cut down on typos, so it would make the code easier to write and read.
I have 3 servers on a DMZ that should be accessible from the outside interface. Each has its own registered IP address.

I used these commands to define the servers by name
Code:
names
name my.dmz.lan.2 ftpserver
name my.dmz.lan.3 web1
name my.dmz.lan.4 web2

Then I used these commands to associate the registered IP addresses on the outside interface to the servers on the dmz.
Code:
static (dmz1,outside) my.reg.net.123 ftpserver netmask 255.255.255.255 0 0
static (dmz1,outside) my.reg.net.124 web1 netmask 255.255.255.255 0 0
static (dmz1,outside) my.reg.net.125 web2 netmask 255.255.255.255 0 0

The Outside_Access_In access list was expanded to allow the right protocols through:
Code:
…
access-list outside_access_in permit tcp any host my.reg.net.123 eq ftp
access-list outside_access_in permit tcp any host my.reg.net.123 eq ftp-data
access-list outside_access_in permit tcp any host my.reg.net.124 eq www
access-list outside_access_in permit tcp any host my.reg.net.125 eq www
…
global (outside) 1 interface


However, I could not get access to the servers from the outside interface.

After some time checking and rechecking my config, I decided the problem was with the static commands and changed them to explicitly define the server addresses on the dmz, e.g.

Code:
static (dmz1,outside) my.reg.net.123 my.dmz.lan.2 netmask 255.255.255.255 0 0
static (dmz1,outside) my.reg.net.124 my.dmz.lan.3 netmask 255.255.255.255 0 0
static (dmz1,outside) my.reg.net.125 my.dmz.lan.4 netmask 255.255.255.255 0 0

Guess what? It worked! I got access (to the dmz servers) from the outside straight away.

I am now curious. There are several examples on Cisco’s web site that show the use of names, so it should work.

My question is how?
Is there something I have to do elsewhere, i.e. on the servers?
Is it a version thing?


All I could find on the net was this from Netcraftsmen.net:
“The PIX does allow you to set up a hosts table as a management convenience. Because there is no connection to DNS or /etc/hosts on UNIX servers, use of this command is a mixed blessing. It makes configurations much more readable but introduces another level of administration. Not only do you have to add and delete IP addresses to your configuration as you do now. But with this command, you also need to ensure that the host names match existing names.”


Hope you can help me feel better about PIX.
I've already got grey hair - I don't want to start losing it too.
Your comments and advice appreciated.
C.T.
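As an added check (not from the original post or from Cisco), here is a small Python linter that builds the alias table from the name lines and flags any alias used in a static or access-list line that has no matching entry, which is the mismatch the Netcraftsmen quote warns about. The sample config is constructed to mirror the post, with documentation-range addresses standing in for the obfuscated ones and an extra undefined alias (web3) added so the miss is visible.

```python
import re
# Constructed sample modelled on the post's config; addresses are made-up
# (RFC 5737 / private ranges) and the 'web3' static line is added to show a miss.
SAMPLE_CONFIG = """\
names
name 10.1.1.2 ftpserver
name 10.1.1.3 web1
static (dmz1,outside) 203.0.113.123 ftpserver netmask 255.255.255.255 0 0
static (dmz1,outside) 203.0.113.124 web1 netmask 255.255.255.255 0 0
static (dmz1,outside) 203.0.113.125 web3 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 203.0.113.123 eq ftp
access-list outside_access_in permit tcp any host web1 eq www
"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}$")  # literal dotted quad, not an alias

def parse_names(config):
    """Return (names_enabled, {alias: address}) from 'names' / 'name <addr> <alias>' lines."""
    enabled, table = False, {}
    for line in config.splitlines():
        parts = line.split()
        if parts == ["names"]:
            enabled = True
        elif len(parts) >= 3 and parts[0] == "name":
            table[parts[2]] = parts[1]
    return enabled, table

def lint_names(config):
    """Expand aliases in static/access-list lines; return (expanded_lines, problems)."""
    enabled, table = parse_names(config)
    expanded, problems = [], []
    if table and not enabled:
        problems.append("'name' entries present but 'names' is not enabled")
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("names", "name"):
            continue
        # Fields that may hold an alias: both addresses of a static, and the
        # operand after each 'host' keyword in an access-list.
        slots = []
        if parts[0] == "static" and len(parts) >= 4:
            slots = [2, 3]
        elif parts[0] == "access-list":
            slots = [i + 1 for i, p in enumerate(parts[:-1]) if p == "host"]
        for i in slots:
            if parts[i] in table:
                parts[i] = table[parts[i]]
            elif not IPV4.match(parts[i]):
                problems.append(f"undefined name '{parts[i]}' in: {line}")
        expanded.append(" ".join(parts))
    return expanded, problems
```

Call lint_names on a saved running config; the expanded lines show exactly which addresses each static and access-list entry resolves to, and the problems list names every alias that has no name entry behind it.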
 
First of all, why not upgrade your code? 6.0 is really old.

6.3(3) is the latest.
 
There is no maintenance contract on the firewall.
(A management decision - don't ask me why).

I didn't think upgrades were freely available without a maintenance contract. The maintenance contract ran out earlier this year before I was asked to look after it.

Do you think my names problem was code related?
Can I get updates without a maintenance contract?

Thanks, C.T.
 