NickUA

asked on

506E / Multiple Servers / 2600 w/ T1s

I'm having problems getting all of my NAT and whatnot working.

Here is what I need to do.

my Outside IP range is 70.241.39.2-254 (70.241.39.1 is the IP of the 2600 Router on the T1s)
my Inside IP range is 10.8.1.0-254

I have several servers that I need to be NATed.

70.241.39.25 > 10.8.1.2 (This is the AD machine w/ DNS Server running)
70.241.39.35 > 10.8.1.4 (Exchange 2000 for email pop3/imap/etc)
70.241.39.45 > 10.8.1.107 (Linux Email)
70.241.39.55 > 10.8.1.3 (Websites)

Then, for convenience, I'd like to be able to forward
70.241.39.100 > 10.8.1.100 (Desktop on inside)

I'll paste my config.

I've been able to get outbound traffic to work, and I think my Global/NAT pools are way jacked, so any recommendations on them and their schema would be greatly appreciated.

Also, when I'm in the PIX I can't ping anything from its outside interface, nor can anything ping or whatever from inside to outside (I tried playing w/ the icmp stuff but I know I have it wrong).

Thanks.


---------------------------------------------------------------------------
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 656 encrypted
passwd 5656 encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 70.241.39.3 255.255.255.0
ip address inside 10.8.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 2 70.241.39.15 netmask 255.255.255.0
nat (inside) 2 10.8.1.0 255.255.255.0 0 0
static (inside,outside) 70.241.39.25 10.8.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.35 10.8.1.4 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.241.39.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.8.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.8.1.100-10.8.1.150 inside
dhcpd dns 151.164.169.201 151.164.67.201
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:ceb12d10619ebd4d121e9cc2b0656310
ASKER CERTIFIED SOLUTION
Les Moore
NickUA

ASKER

lrmoore: it's really weird...  I went by your changes (I actually got the UDP DNS one working right after I posted) ... but I can't get any of the other static/access-lists to work.  They don't even hit the access-list count.

static (inside,outside) 70.241.39.10 10.8.1.107 netmask 255.255.255.255

access-list out_in permit tcp any host 70.241.39.10 eq http (did www also)

This should pull up an Apache webpage on the Linux machine...

I even did

access-list out_in permit tcp any host 70.241.39.25 eq http (did www also)
and I have IIS6 running w/ a default webpage running (I can get to it from inside), and when I go to http://70.241.39.25 it times out and pulls nothing up...  It's really strange?

Thanks,
Nick
What is the default gateway of the apache server? Is it 10.8.1.1 ???
Same with the IIS server ...
NickUA

ASKER

ahh **** nm lrmoore - it works... just I can't go to those IPs from inside the PIX.. I guess they don't go out the PIX and then back in?  Is there a way I can make it work from inside the PIX?  Make sense?

So that when I go to http://ipaddressofthings or http://mail.mydomain.com, which resolves to the same IP, it pulls up when I'm on a machine behind the PIX?

Thanks,
Nick
If you want to do it from inside the pix?
Use Alias and DNS Doctoring:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Let me know if you can't access that link. Do you have a CCO login?
NickUA

ASKER

lrmoore, I don't have a CCO login - I did at one time and I don't know where the username/pass is to save my life.  Can you email the article to me?  ndozier@uark.edu

Thanks.
Try this:

http://24.215.255.213/Alias.pdf

I'll shut off access in an hour...
You might have to use this link...
http://24.214.255.213/alias.pdf

It appears that IIS6 may be case-sensitive on the file name. I'm no Web guru...
NickUA

ASKER

lrmoore - trying to download... doesn't seem to be going through.
Check your email then..
NickUA

ASKER

Okay lrmoore - one last problem.. I think it's possibly PIX related, as I've tried troubleshooting all of our networks here.  Here is the 99% working config.  What's going on now.. is that my AD/DNS Server 10.8.1.2 and the other "servers" are having problems talking to each other, and I think it may be an alias or static thing, but I'm not sure.  It seems any computer that I have a static assigned to will start to drop packets on the inside of the network.  Example:

I have 2 desktops in house that are just DHCP workstations... they can ping each other all day long, the servers can ping them just fine, no problems.  If I try and ping the servers from a workstation, the server(s) will respond maybe 1 time and time out the rest...  but from the server to the workstation, the workstation replies every time.  Also, from server to server some servers can talk to each other, some can't... it's really strange.  Any help would be appreciated.

Thanks,
Nick

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password asdfencrypted
passwd asdf encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
access-list out_in permit udp any host 70.241.39.25 eq domain
access-list out_in permit tcp any host 70.241.39.25 eq www
access-list out_in permit tcp any host 70.241.39.10 eq www
access-list out_in permit tcp any host 70.241.39.30 eq smtp
access-list out_in permit tcp any host 70.241.39.30 eq 143
access-list out_in permit tcp any host 70.241.39.30 eq pop3
access-list out_in permit tcp any host 70.241.39.10 eq smtp
access-list out_in permit tcp any host 70.241.39.10 eq pop3
access-list out_in permit tcp any host 70.241.39.10 eq 143
access-list out_in permit tcp any host 70.241.39.47 eq www
access-list out_in permit icmp any any echo-reply
access-list out_in permit icmp any any unreachable
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 70.241.39.3 255.255.255.0
ip address inside 10.8.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.8.1.107 70.241.39.10 255.255.255.255
alias (inside) 10.8.1.2 70.241.39.25 255.255.255.255
alias (inside) 10.8.1.4 70.241.39.30 255.255.255.255
alias (inside) 10.8.1.12 70.241.39.47 255.255.255.255
static (inside,outside) 70.241.39.25 10.8.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.10 10.8.1.107 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.30 10.8.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.47 10.8.1.12 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.241.38.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.8.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.8.1.100-10.8.1.150 inside
dhcpd dns 151.164.169.201 151.164.67.201
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 100
Cryptochecksum:67f28d9d0cbbc082d23239daa65607de
: end
[OK]
Did you notice the very small notation in the alias document that you must disable proxyarp?

sysopt noproxyarp inside
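An added example, not code from the thread or from Cisco: a small Python audit that flags the patterns this thread turns on in a PIX 6.x config, namely the first-match "permit tcp any any" entry that both exposes every static-mapped host and shadows the later host entries (so their hit counts stay at zero), an alias line with no "sysopt noproxyarp inside", nat/global pool IDs that do not match, and a static that no access-list entry names. The config excerpt is constructed from addresses in the thread, and the finding names are my own.

```python
import re
# Constructed excerpt modelled on the second config posted in this thread.
SAMPLE_CONFIG = """\
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
access-list out_in permit udp any host 70.241.39.25 eq domain
access-list out_in permit tcp any host 70.241.39.10 eq www
global (outside) 1 interface
nat (inside) 2 10.8.1.0 255.255.255.0 0 0
alias (inside) 10.8.1.107 70.241.39.10 255.255.255.255
static (inside,outside) 70.241.39.10 10.8.1.107 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.47 10.8.1.12 netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"^access-list \S+ (permit|deny) (\S+) (.+)$")

def audit_pix_config(text):
    """Return (kind, line_no, detail) findings for a PIX 6.x style config."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    blanket = {}  # protocol -> line number of the first 'permit <proto> any any'
    for n, line in enumerate(lines, 1):
        m = ACL_RE.match(line)
        if not m:
            continue
        action, proto, rest = m.groups()
        if action == "permit" and rest == "any any":
            # Matches every packet of that protocol from outside: all statics exposed.
            blanket.setdefault(proto, n)
            findings.append(("blanket-permit", n, proto))
        elif blanket.get("ip") or blanket.get(proto):
            # First-match processing: this entry can never be hit (count stays 0).
            findings.append(("shadowed", n, blanket.get("ip") or blanket[proto]))
    # alias-based DNS doctoring needs proxy ARP disabled on the inside interface
    if any(l.startswith("alias ") for l in lines) and "sysopt noproxyarp inside" not in lines:
        findings.append(("alias-without-noproxyarp", 0, "sysopt noproxyarp inside"))
    # nat and global pools are tied together by their numeric ID (nat 0 needs none)
    global_ids = {l.split()[2] for l in lines if l.startswith("global (")}
    for n, l in enumerate(lines, 1):
        if l.startswith("nat (") and l.split()[2] not in global_ids | {"0"}:
            findings.append(("nat-without-global", n, l.split()[2]))
    # a static that no ACL entry names is reachable only through a blanket entry
    acls = [l for l in lines if l.startswith("access-list ")]
    for n, l in enumerate(lines, 1):
        if l.startswith("static ("):
            glob = l.split()[2]
            if not any(f"host {glob} " in a or a.endswith(f"host {glob}") for a in acls):
                findings.append(("static-without-acl", n, glob))
    return findings
```

Running audit_pix_config(SAMPLE_CONFIG) reports the blanket permit on line 1, the two tcp host entries it shadows, the missing noproxyarp, the nat pool 2 with no global 2, and the 70.241.39.47 static that nothing in the ACL names.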
NickUA

ASKER

lrmoore: once again - you're the man :)  - who reads fine print?

Thanks,
Nick