Solved

Configuring DNS for Cisco Pix 501

Posted on 2007-03-28
Last Modified: 2010-04-09
When setting up a Cisco PIX 501, do I need to set the DNS server for a static outside interface? For example:
I have static outside:
6.6.6.9 255.255.255.252 6.6.6.8

static inside (no DHCPD):
1.1.1.10 255.255.255.0

I want to allow all users on the inside to web browse through this PIX (enabled PAT).

So I have been told by my ISP that I should set my DNS servers to x.x.x.x & x.x.x.x - where & how should I configure those numbers? I have looked over the PDM interface, and see no place to set the DNS server addresses.
Question by:NTNBower
 
LVL 19

Expert Comment

by:nodisco
ID: 18811429
hi there

If the PIX is not doing DHCP for you, then you don't assign the DNS addresses on the PIX for the users' benefit.  The DNS servers are required for users to browse and are defined in the DHCP pool or statically on the PCs themselves.

hth
 

Author Comment

by:NTNBower
ID: 18811495
Right now they have a PC with two NIC cards and ZoneAlarm - we are trying to replace this PC with the PIX. I will test this out and let you know what I determine.

Thanks for the rapid response.
 
LVL 19

Expert Comment

by:nodisco
ID: 18811702
no probs - good luck

Author Comment

by:NTNBower
ID: 18811719
Turns out the current setup is using WinProxy for the users to connect. So I would need to replace that functionality - is it possible with the PIX?
 
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 18812234
No - the PIX is not a proxy server - it's quite possible that the only reason the proxy was in place in the first instance is that you didn't have a firewall (ZoneAlarm is no substitute for a proper hardware firewall).
In order to replace the "functionality" you need to know what you are replacing.  If the PC was acting purely as an internet gateway with very basic firewalling, then the PIX will be a far better and more secure solution than what you currently had.  You need to configure the PIX to have an inside IP (the PCs' default gateway) and an outside IP on the internet.  You can then NAT/PAT the internal hosts to a public IP and allow them out.  The PIX's ASA algorithm does not allow traffic from the outside to inside by default - unless you specifically allow it.  All traffic is allowed out by default - unless you dictate otherwise, so you have great control over what your users and public IP can do.
You also have VPN client/PPTP termination, hosting, DHCP and a range of other options open to you.  If you are unsure how to set up the PIX, go into the PDM wizard and follow the steps - or post your config (with passwords removed) and we can assist.

cheers
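
The setup described in the accepted answer, written out as a PIX OS 6.x configuration sketch with the addresses from the question (an added example, not part of the original thread). `<isp-gateway>` is a placeholder for the next hop supplied by the ISP, the access-list name `inside_out` is an arbitrary choice, and lines starting with `:` are comments.

```cisco
: Constructed example for a PIX 501 running PIX OS 6.x.
: Interface names and security levels (these are the 501 defaults).
nameif ethernet0 outside security0
nameif ethernet1 inside security100

: Addresses from the question. 1.1.1.10 is what each inside PC
: uses as its default gateway.
ip address outside 6.6.6.9 255.255.255.252
ip address inside 1.1.1.10 255.255.255.0

: Default route towards the ISP (placeholder next hop).
route outside 0.0.0.0 0.0.0.0 <isp-gateway> 1

: PAT: translate the inside subnet to the outside interface address.
nat (inside) 1 1.1.1.0 255.255.255.0 0 0
global (outside) 1 interface

: Optional tightening of the "all traffic is allowed out" default:
: permit only DNS lookups and web browsing from the inside subnet.
: Once an access-list is bound to the inside interface, anything
: it does not permit is dropped.
access-list inside_out permit udp 1.1.1.0 255.255.255.0 any eq domain
access-list inside_out permit tcp 1.1.1.0 255.255.255.0 any eq domain
access-list inside_out permit tcp 1.1.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 1.1.1.0 255.255.255.0 any eq 443
access-group inside_out in interface inside

: No "static" and no access-list on the outside interface are
: defined, so connections initiated from the outside are denied.

: DNS: nothing is configured on the PIX for it. The ISP resolvers
: (x.x.x.x in the question) are entered on each PC. Only if the PIX
: were the DHCP server would they appear here, as:
:   dhcpd dns x.x.x.x x.x.x.x
```

If the outbound access-list is used, the DNS permits are what let client lookups to the ISP resolvers pass through the PIX; without them browsing by name fails even though PAT is working.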
 

Author Comment

by:NTNBower
ID: 18813111
So to continue with this operation, about all they could do is replace zone alarm with the Pix, and then they would need to keep the proxy - so:

Internet >> Cisco Pix >> PC with WinProxy >> Internal network

Currently, there are only a handful of users in my network that are the ones using this connection (it is controlled). The rest are going through the default GW for the entire network. Would it be possible to use the PIX if each individual PC were configured to use the PIX for web & GW for everything else? Then we could eliminate the need for the proxy?
 
LVL 19

Expert Comment

by:nodisco
ID: 18813299
Yes - I would use the pix as gateway and get rid of the proxy server.  
 

Author Comment

by:NTNBower
ID: 18815480
I knew something was not right and would not work - just could not put my finger on it. I think we have it now and I believe I could use the PIX, but would need to:

Set on all local PCs wanting to use it:
Set PIX as GW
Set DNS for other side of GW (e.g. ISP)
and set up a Static route for the Local WAN/LAN to use the other GW

Thanks for helping me see the forest through the trees - sometimes it gets foggy in there!
 
LVL 19

Expert Comment

by:nodisco
ID: 18819652
no probs - you have it sussed right there ^^.  cheers

Question has a verified solution.