PIX Firewall and No-NAT

From: Doug (d_mccrea_at_yahoo.com)
Date: 02/02/04


Date: 2 Feb 2004 10:44:46 -0800

I have a rather bizarre setup, but am required to do so by the
university I work for. I have two Windows 2000 Active Directory-based
domain controllers. Each of these is running DNS. One of the domain
controllers is behind a Cisco PIX firewall and is NAT'd. One is on
another subnet a few router hops away. The majority of my servers are
behind this firewall and all are NAT'd, my workstations are in front
of the firewall in a number of subnets. I would like to switch the DNS
Server/Domain Controller to an un-NAT'd IP so that I no longer have
any issues with DNS. (I am using DNS rewrite and referencing my DNS
server outside the PIX which solves most of the problems, but not
all).

My proposal is this:

Router
  |
External.IP (outside interface) (x.x.x.195)
  |
PIX-------------------------------------
  |                                    |
NAT                 Domain Controller/DNS w/External.IP (inside interface) (x.x.x.195)
  |
System with Internal IP's (inside interface) (192.168.1.x)

I would also like the internal IP's to be able to communicate with the
External IP on the inside interface.

I tried setting this up and was unsuccessful. Do I have to set up an
additional Interface to do this? If so, we're using 802.1Q at the
university I work for and I noticed that I was required to set up an
additional VLAN on the new Interface, can this be bypassed, or can I
use the same VLAN #? I don't want to cause any conflicts and I do not
have control of the Rutgers I'm downstream from. I've used the
following commands:

Currently, I'm using one access-group:

access-group acl_grp in interface outside
static (inside,outside) x.x.x.195 x.x.x.195 netmask 255.255.255.255
access-list acl_grp permit ip any host x.x.x.195

I assume I have to set up a route. What should that look like? Any
help would be appreciated.
