
Pix routing issues


pelirroja (IS-IT--Management), Aug 6, 2004
Hi, I have configured a PIX 520 for my server room and all works fine except for the sites that have domain names registered to them. All of the static entries and conduits are good, but are not allowed access in or out of the pix.
Any of the IPs that don't have domain names are working fine in and out with static and conduits.
I have cleared xlate and rebooted everything to ensure there is no cache or tables holding info.

Any ideas?
 
I was having the same problem some time ago. "Check your gateway on the two computers." Point them to the firewall.
 
is your situation that the internal addresses are private, and the external addresses are real internet addresses, and when you do a DNS query you are getting the external address from DNS, when you should be using the private address? (can you access the servers by number but not by name?)

If so you need to set up a dummy internal DNS that returns you the private address.
 
I have eliminated DNS issues by trying to connect using the public IP that the firewall converts to the private IP.
I can connect fine on any internal IP with no problem. It is only when I try to connect to IPs that have a domain name attached to them that there is no connection.
 
What are you doing to prove there is "no connection"? Pinging? Trying to get to shares? If you allow ping, then you should be able to ping the devices, as dns and domain names have nothing whatsoever to do with routing ip to ip communication.

Domain names sound like a red herring, but you'll have to provide more information about what you're doing to test your setup, and your PIX config would obviously help.

An obvious question maybe, but do the machines that "have a domain name attached to them" have a route defined on them back through the pix to your test machine? Or do they perhaps route traffic to some other gateway?

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
To test for connection I try connecting to the ports opened in the ACLs. I have tried to connect with a web browser, RDP, FTP, SSH, Telnet, and HTTP on non-standard ports.
All of the gateways are set correctly. Whether I use a live machine or a test machine it's all the same.
It works fine on IPs that do not have domain names.

Just for the heck of it, I set a static for an IP with a domain name registered to it and tested it. No communication. Then I let it sit overnight. By morning, everything worked fine. My ISP assures me that they have nothing caching info that would cause any type of conflicts.
So if I am willing to let all of my sites be offline for 6-10 hours, everything will work fine. I would just like to know or understand what is happening.

pix config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security50
nameif ethernet4 intf4 security50
nameif ethernet5 intf5 security50
enable password kTMJcE.ionHkS0d. encrypted
passwd xxxxxxx.xxxxxx. encrypted
hostname pix
domain-name xoxoxoxox
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 66.x.x.x 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
no ip address dmz
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
static (inside,outside) 66.x.x.x 192.168.1.50 netmask 255.255.255.0 0 0
arp timeout 14400
global (outside) 1 66.x.x.x-66.x.x.x netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
rip outside default version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
auth-prompt prompt =)
auth-prompt accept Welcome.
auth-prompt reject sorry
telnet timeout 5
ssh 192.168.1.3 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
username xxxx password xxxxxxxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:xxxx
: end
pix(config)#
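An added example, not part of the thread and not Cisco's code: a small Python checker over a constructed PIX 6.x config fragment modelled on the dump above. It pulls out the `static`, `global` and `snmp-server community` lines and flags the things a reviewer would look at first when a translation behaves oddly: a `static` whose netmask is not 255.255.255.255 (PIX reads the netmask on a static as the size of the translated range, so 255.255.255.0 turns a one-host mapping into a network static over the whole /24), a `global` NAT pool whose addresses fall inside a static's public range, and a default SNMP community string. The addresses are constructed; 203.0.113.0/24 (documentation space) stands in for the poster's masked 66.x.x.x, and the function names are this example's own.

```python
import ipaddress

# Constructed sample PIX 6.x configuration lines modelled on the thread's dump.
# 203.0.113.0/24 (documentation space) stands in for the poster's masked 66.x.x.x.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) 203.0.113.50 192.168.1.50 netmask 255.255.255.0 0 0
static (inside,outside) 203.0.113.51 192.168.1.51 netmask 255.255.255.255 0 0
global (outside) 1 203.0.113.100-203.0.113.120 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
"""

HOST_MASK = "255.255.255.255"
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_config(text):
    """Pull the static, global and snmp-server community lines out of a PIX 6.x config."""
    statics, pools, communities = [], [], []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "static" and "netmask" in tok:
            # static (high,low) global_ip local_ip netmask mask [max_conns [em_limit]]
            i = tok.index("netmask")
            statics.append({"ifaces": tok[1], "global": tok[2],
                            "local": tok[3], "mask": tok[i + 1], "line": raw})
        elif tok[0] == "global" and len(tok) >= 4 and tok[3] != "interface":
            # global (iface) nat_id first_ip[-last_ip] [netmask mask]
            first, _, last = tok[3].partition("-")
            pools.append({"iface": tok[1], "nat_id": tok[2],
                          "first": ipaddress.ip_address(first),
                          "last": ipaddress.ip_address(last or first), "line": raw})
        elif tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            communities.append(tok[2])
    return statics, pools, communities


def check_config(text):
    """Return a list of findings about translation and management settings."""
    statics, pools, communities = parse_config(text)
    findings = []
    static_nets = []
    for s in statics:
        # The netmask on a static sets how many addresses the entry translates.
        net = ipaddress.ip_network(f"{s['global']}/{s['mask']}", strict=False)
        static_nets.append((s, net))
        if s["mask"] != HOST_MASK:
            findings.append(
                f"static {s['global']}->{s['local']} uses netmask {s['mask']}: "
                f"PIX treats this as a network static covering {net}, not a single host")
    for p in pools:
        for s, net in static_nets:
            # A NAT/PAT pool address that also lies inside a static's public range is ambiguous.
            if p["first"] in net or p["last"] in net:
                findings.append(
                    f"global pool {p['first']}-{p['last']} overlaps static range {net} "
                    f"from '{s['line']}'")
    for c in communities:
        if c.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp-server community '{c}' is a well-known default")
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print("-", f)
```

Run against the sample it reports three findings: the first static expands to 203.0.113.0/24, the global pool sits inside that range, and the SNMP community is the default. Paste a real `write terminal` dump into `SAMPLE_CONFIG` (or read it from a file) to run the same checks on a live box.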
 