Hi all,
I have seen some configurations that use the ALIAS command to solve the
problem you are having. That said, I do not recommend it as a
solution. The most reliable solution I have seen is to have the internal
users use a different name for the web server, such as
www-internal.company.com, and have that name resolve to the local intranet
address of the webserver, rather than the externally available static
address.
The PIX does not permit internal hosts to connect to the external
addresses. This is a byproduct of the NAT function. The ALIAS command
'adjusts' the DNS responses to the clients for the specified static.
Hope that helps,
Lisa Napier
Cisco Systems
At 02:04 PM 9/24/1999 -0600, Edder Espinosa wrote:
>Hi everybody,
>
>First of all I want to congratulate all of you for the professionalism
>and helpful knowledge you share in this Forum... I have just been a
>reader of all your experiences for 3 years... and now I need your
>help...
>
>This is my net,
>
>                                      PIX-Fw (Failover)
>Site A: Intranet--------Router--------PIX-Fw------- Internet (207.x.x.x)
>        (172.x.x.x)                      |
>                                         |
>                                   DNS (DMZ)192.x.x.x
>
>
>And this is my problem,
>
>I have just moved my DNS to a DMZ on a PIX firewall... The firewall has
>a conduit from the internet by a static NAT ip address...
>
>All my PCs on my intranet have as primary DNS the one from the DMZ...
>and reach the internet by dynamic NAT translation...
>
>When the users want to go to any place on the internet there's no
>problem... but when they want to go to our own WWW page the DNS looks for
>the address (207.x.x.x) and can't reach it... it looks like the PIX does
>not permit to see the static address from a dynamic address on the same
>net.
>
>Does anyone know if there's something else I have to configure on the PIX
>so it can let the dynamic addresses see the static address????....
>
>BTW, on my DNS server I can't announce the internal address because the
>NIC takes as primary DNS both addresses, the static and the internal...
>and we were monitoring the NIC's DNS and it switches both addresses so it
>makes a delay for all on the internet who want to reach our Web because
>they can't find the internal address...
>
>I hope I'm clear... sorry my few English...
>
>I wait for your comments... thanks in advance..
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]