fitzpab
asked on
DNS issue on cisco pix firewall
Hi,
This has got to be a simple setting but I can't find it. I want users to be able to access Exchange 2003 outlook web access from the same address inside the office as outside the office.
Currently they use something like https:\\outlook.asterdog.com\exchange From inside the office, this just hangs. They have to use https:\\server1\exchange which gets right in.
I can ping outlook.asterdog.com and it resolves correctly to the outside interface.
This works fine at another site but it isn't a cisco pix and less secure. Is there a setting which will fix this?
Thanks!
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password nnrqBhjuoeN1EujYGU encrypted
passwd 2KFQnbNIdI.45KYOU encrypted
hostname fw03.hw
domain-name asterdog.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 213.21.142.163 eq citrix-ica
access-list outside_access_in permit tcp any host 213.21.142.163 eq 3389
access-list outside_access_in permit tcp any host 213.21.142.164 eq www
access-list outside_access_in permit tcp any host 213.21.142.164 eq smtp
access-list outside_access_in permit tcp any host 213.21.142.165 eq citrix-ica
access-list outside_access_in permit tcp any host 213.21.142.165 eq 3389
access-list vpnrule permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap errors
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 213.21.142.162 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 192.168.1.2-192.168.1.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpnrule
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.21.142.163 192.168.1.251 netmask 255.255.255.255 0 0
static (inside,outside) 213.21.142.164 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 213.21.142.165 192.168.1.201 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 21.24.132.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
ntp server 209.81.9.7 source outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup VPNtunnel address-pool VPNpool
vpngroup VPNtunnel dns-server 192.168.1.10
vpngroup VPNtunnel default-domain asterdog.local
vpngroup VPNtunnel split-tunnel vpnrule
vpngroup VPNtunnel idle-time 1800
vpngroup VPNtunnel password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
username mmorn password A9rtrlrLtdPYazx/ encrypted privilege 2
username rcals password i267OnOKyql2Vw5w encrypted privilege 2
username borise password breufodofi878787 encrypted privilege 2
Cryptochecksum:d4fa1866769
This has got to be a simple setting but I can't find it. I want users to be able to access Exchange 2003 outlook web access from the same address inside the office as outside the office.
Currently they use something like https:\\outlook.asterdog.com\exchange From inside the office, this just hangs. They have to use https:\\server1\exchange which gets right in.
I can ping outlook.asterdog.com and it resolves correctly to the outside interface.
This works fine at another site but it isn't a cisco pix and less secure. Is there a setting which will fix this?
Thanks!
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password nnrqBhjuoeN1EujYGU encrypted
passwd 2KFQnbNIdI.45KYOU encrypted
hostname fw03.hw
domain-name asterdog.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 213.21.142.163 eq citrix-ica
access-list outside_access_in permit tcp any host 213.21.142.163 eq 3389
access-list outside_access_in permit tcp any host 213.21.142.164 eq www
access-list outside_access_in permit tcp any host 213.21.142.164 eq smtp
access-list outside_access_in permit tcp any host 213.21.142.165 eq citrix-ica
access-list outside_access_in permit tcp any host 213.21.142.165 eq 3389
access-list vpnrule permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap errors
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 213.21.142.162 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 192.168.1.2-192.168.1.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpnrule
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.21.142.163 192.168.1.251 netmask 255.255.255.255 0 0
static (inside,outside) 213.21.142.164 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 213.21.142.165 192.168.1.201 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 21.24.132.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
ntp server 209.81.9.7 source outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup VPNtunnel address-pool VPNpool
vpngroup VPNtunnel dns-server 192.168.1.10
vpngroup VPNtunnel default-domain asterdog.local
vpngroup VPNtunnel split-tunnel vpnrule
vpngroup VPNtunnel idle-time 1800
vpngroup VPNtunnel password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
username mmorn password A9rtrlrLtdPYazx/ encrypted privilege 2
username rcals password i267OnOKyql2Vw5w encrypted privilege 2
username borise password breufodofi878787 encrypted privilege 2
Cryptochecksum:d4fa1866769
ASKER
whoops....I haven't setup SSL yet. It's actually http they are using
They are able to access it from the public IP - domain name successfully from outside the office, but not inside the office.
They are able to access it from the public IP - domain name successfully from outside the office, but not inside the office.
That is because they cant do that. local users will have to access it with local ip only.
ASKER
How do I allow them outside access? Or modify my local dns so it redirects to it.
Local domain is asterdog.local so just putting in an A record for outlook.asterdog.local doesn't work.
Any ideas how to do this?
Local domain is asterdog.local so just putting in an A record for outlook.asterdog.local doesn't work.
Any ideas how to do this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks
1. internal dns. Not sure how to do this. I have internal dns setup with asterdog.local I have 2 forwarders going to the ISP's External DNS servers. If I added a cname but that does the reverse. I want users to be able to type in outlook.asterdog.com (internally) and it re-direct to http://server1 The default zone is asterdog.local. I tried creating another zone for asterdog.com with these records, but when I went to a client workstation and ping tested outlook.asterdog.com, it still resolved to the external IP.
2. DNS doctoring. I'll try this when I am next onsite. I'm a little leary about re-directing IP's so I want to be able to be there and test everything and roll-back if there is a problem.
I'll update this on Friday
Thanks LRMOORE
1. internal dns. Not sure how to do this. I have internal dns setup with asterdog.local I have 2 forwarders going to the ISP's External DNS servers. If I added a cname but that does the reverse. I want users to be able to type in outlook.asterdog.com (internally) and it re-direct to http://server1 The default zone is asterdog.local. I tried creating another zone for asterdog.com with these records, but when I went to a client workstation and ping tested outlook.asterdog.com, it still resolved to the external IP.
2. DNS doctoring. I'll try this when I am next onsite. I'm a little leary about re-directing IP's so I want to be able to be there and test everything and roll-back if there is a problem.
I'll update this on Friday
Thanks LRMOORE
You could always put a hosts file entry on the PC's
192.168.1.200 outlook.asterdog.com outlook
You could script this with login script to put in everyone's local hosts file.
192.168.1.200 outlook.asterdog.com outlook
You could script this with login script to put in everyone's local hosts file.
ASKER
Thanks for the help.
None of these really worked. The DNS aliasing was a good idea but it didn't do the trick.
The host entry was a good idea but that's a problem for the laptops in the public web.
Thanks for trying. I'll just have them do what they have been doing.
Regards,
Berne
None of these really worked. The DNS aliasing was a good idea but it didn't do the trick.
The host entry was a good idea but that's a problem for the laptops in the public web.
Thanks for trying. I'll just have them do what they have been doing.
Regards,
Berne
you are using https but you havent allowed the same anywhere in access list.
second thing i need to know is that are the users trying to access this server from its public ip / nated ip?