Sorry if you get this twice or thrice...problem with outlook and dates...

Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out.
It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only reach
inside hosts and outside networks:  it can not reach any host on the DMZ,
despite the fact that there are numerous statics and aliases configured to
permit it to do so.

I have a 515 6.2 with the following networks configured:

Inside 10.1.1.0/24
Outside 10.2.2.0/24
DMZ 10.3.3.0/24

First, we have names for ServerA located on the DMZ network:

name 10.3.3.1 SERVERA_DMZ
name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ;  the
10.2.2.1 is its outside address (as well as being its registered DNS name).


If an inside networker DNS queries for SERVERA, the following commands are
supposed to swap the outside address for the DMZ address.  In other words,
intercept the DNS reply and change it so that the inside network will then
establish a session to 10.3.3.1 (dmz address), not to 10.2.2.1 (outside
nat'ed address)

alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening:  the inside network DNS
queries are getting outside addresses.

Compounding the problem is the translation process itself.  The below states
that when Inside networks go to the DMZ network, PAT their address to
10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do
not affect the translation in this particular case).

nat (inside) 0 access-list 100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

global (DMZ) 1 10.3.3.9 netmask 255.255.255.0


So, in a happy world,  the inside network should DNS query for SERVERA, the
PIX should intercept replies and change to a DMZ address (alias), and NAT
should then translate as appropriate.

In the words of Larry King, it ain't happening, gang...and I don't know why.
I beseech, oh, Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake.
I have since downgraded it back to 6.2, and have checked and rechecked the
config...there are no commands missing.

TIA,

Charles
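The following Python script is an added illustration and not part of Charles's post or of any Cisco code: it models what the two mechanisms in the post are supposed to do so that a packet capture can be compared against the expected result. `doctor_dns_reply` performs the rewrite the `alias (inside) SERVERA_DMZ SERVERA_OUTSIDE` command describes (an A record carrying 10.2.2.1 becomes 10.3.3.1), and `translate_source` applies the `nat (inside) 1` / `global (DMZ) 1 10.3.3.9` PAT for inside-to-DMZ sessions. The DNS packet is constructed test data, the hostname `servera.example.test` is a placeholder (the post gives no FQDN), and the `nat 0 access-list 100` exemption is omitted because the post says it does not apply here.

```python
import ipaddress
import socket
import struct

# Addresses from the post: ServerA's outside (registered) address and its real DMZ address.
SERVERA_OUTSIDE = "10.2.2.1"
SERVERA_DMZ = "10.3.3.1"

# What "alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255" is meant to do:
# an A record carrying the outside address is rewritten to the DMZ address
# before the reply reaches an inside host.
ALIAS_MAP = {SERVERA_OUTSIDE: SERVERA_DMZ}

INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
DMZ_NET = ipaddress.ip_network("10.3.3.0/24")
# "global (DMZ) 1 10.3.3.9 ...": inside sources are PATed to this address on the DMZ.
DMZ_PAT_ADDRESS = "10.3.3.9"


def build_dns_response(qname, ip, txid=0x1234):
    """Build a minimal DNS response (constructed test data) with one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # The answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


def _skip_name(buf, off):
    """Return the offset just past a DNS name starting at off (labels or a pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then the name ends
            return off + 2
        off += 1 + length


def _a_record_offsets(buf):
    """Yield (rdata_offset, dotted_ip) for each IN A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # name, then QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, socket.inet_ntoa(buf[off:off + 4])
        off += rdlen


def answer_ips(buf):
    """List the A-record addresses an inside host would see in this reply."""
    return [ip for _off, ip in _a_record_offsets(buf)]


def doctor_dns_reply(buf, alias_map):
    """Model of the alias DNS fixup: rewrite A-record rdata according to alias_map.

    Returns (rewritten_packet, list of (old_ip, new_ip) rewrites). Only the 4-byte
    rdata changes, so every length field and offset in the packet stays valid."""
    out = bytearray(buf)
    rewrites = []
    for off, ip in _a_record_offsets(buf):
        if ip in alias_map:
            out[off:off + 4] = socket.inet_aton(alias_map[ip])
            rewrites.append((ip, alias_map[ip]))
    return bytes(out), rewrites


def translate_source(src_ip, dst_ip):
    """Model of "nat (inside) 1 ..." plus "global (DMZ) 1 10.3.3.9": an inside
    source going to the DMZ leaves with the PAT address; anything else is untouched.
    (The nat 0 / ACL 100 exemption from the post is deliberately not modelled.)"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in INSIDE_NET and dst in DMZ_NET:
        return DMZ_PAT_ADDRESS
    return src_ip


if __name__ == "__main__":
    # Placeholder hostname: the post names the server only as SERVERA.
    reply = build_dns_response("servera.example.test", SERVERA_OUTSIDE)
    fixed, changes = doctor_dns_reply(reply, ALIAS_MAP)
    print("before fixup:", answer_ips(reply))   # ['10.2.2.1']  (the symptom in the post)
    print("after fixup: ", answer_ips(fixed))   # ['10.3.3.1']  (the intended result)
    print("rewrites:    ", changes)
    print("10.1.1.5 -> 10.3.3.1 is seen on the DMZ as", translate_source("10.1.1.5", SERVERA_DMZ))
```

Feeding a reply captured on the inside interface to `answer_ips` tells you directly which of the two states the firewall is in: a list containing 10.2.2.1 means the fixup never touched the packet, a list containing 10.3.3.1 means the DNS side works and the remaining problem is in the NAT/static path.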
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69759&t=69759
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html