new DNS server behind two pix's

Discussion in 'Cisco' started by barret bonden, Aug 21, 2006.

    Below are two (edited) running PIX configs - a main and a branch office.
    I've been asked to create a new secondary DNS server for the branch on its
    local LAN. The primary DNS server is sitting on a Windows 2003 server on the
    main office's LAN. I feel this is mostly politics and not driven by
    bandwidth issues - but in any event, does anyone see likely problems here?
    Is there anything about these PIX configs that should get in the way of DNS
    records being moved from one DNS server to another?

    //main office
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50

    fixup protocol dns maximum-length 1024
    no fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list 101 permit ip 10.0.1.0 255.255.255.0 192.168.111.0 255.255.255.0
    access-list acl-outside permit icmp any any
    access-list acl-outside permit tcp any host xxx.xxx.xxx.211 eq smtp
    access-list acl-outside permit tcp any host xxx.xxx.xxx.211 eq pop3
    access-list acl-outside permit tcp any host xxx.xxx.xxx.211 eq www
    access-list acl-outside permit tcp any host xxx.xxx.xxx.212 eq ftp-data
    access-list acl-outside permit tcp any host xxx.xxx.xxx.212 eq ftp
    access-list acl-outside permit tcp any host xxx.xxx.1
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside xxx.xxx.xxx.210 255.255.255.240
    ip address inside 10.0.1.1 255.255.255.0
    ip address DMZ 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pool 192.168.111.1-192.168.111.250
    global (DMZ) 1 192.168.10.254
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (DMZ) 1 192.168.10.0 255.255.255.0 0 0
    static (inside,outside) xxx.xxx.xxx.211 10.0.1.99 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.213 10.0.1.213 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.212 10.0.1.96 netmask 255.255.255.255 0 0
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts
    http 10.0.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto ipsec transform-set myset1 esp-aes-256 esp-sha-hmac
    crypto dynamic-map dynmap 30 set transform-set myset1
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 100
    isakmp enable outside
    isakmp key ******** address xxx.xx.xxx.50 netmask 255.255.255.255 no-xauth
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 auth
    isakmp policy 10 has
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000 address-pool pool
    vpngroup vpn3000 dns-server 10.0.1.99
    vpngroup vpn3000 wins-server 10.0.1.160
    vpngroup vpn3000 split-tunnel splittunnel
    vpngroup vpn3000 idle-time 4800
    vpngroup vpn3000 password ********
    telnet 10.0.1.0 255.255.255.0 inside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    username su

    -----------------------
    =========================================
    ------------------------


    //branch office
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50

    fixup protocol dns maximum-length 1024
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
    access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
    access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.115.0 255.255.255.0
    access-list acl-outside permit icmp any any
    access-list acl-outside permit tcp any host xxx.xx.xxx.56 eq 3389
    access-list acl-outside permit tcp any any eq pptp
    access-list acl-outside permit gre any any
    access-list splittunnel permit ip 10.0.0.0 255.255.255.0 192.168.115.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside xxx.xx.xxx.50 255.255.255.240
    ip address inside 10.0.0.1 255.255.255.0
    ip address DMZ 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pool 192.168.115.1-192.168.115.250
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 xxx.xx.2
    global (DMZ) 1 192.168.1.230-192.168.1.253
    global (DMZ) 1 192.168.1.254
    nat (inside) 0 access-list 101
    nat (inside) 1 10.0.0.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (DMZ) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) xxx.xx.xxx.56 10.0.0.99 netmask 255.255.255.255 0 0
    access-group acl-outside in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xx.xxx.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 30 set transform-set myset
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 100
    crypto map mymap 10 set peer xxx.xxx.170.210
    crypto map mymap 10 set transform-set myset
    crypto map mymap 65535 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication LOCAL
    crypto map mymap interface outside
    isakmp enable
    isakmp key ******** address xxx.xxx.xxx.210 netmask 255.255.255.255 no-xauth
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000 address-pool pool
    vpngroup vpn3000 dns-server 4.2.2.2
    vpngroup vpn3000 split-tunnel splittunnel
    vpngroup vpn3000 idle-time 4800
    vpngroup vpn3000 password ********
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    dhcpd address 10.0.0.100-10.0.0.150 inside
    dhcpd dns 10.0.1.99
    dhcpd wins 10.0.1.160
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    barret bonden, Aug 21, 2006
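What the two configs say about a DNS flow between the sites can be read off the access-lists directly. The script below is an added example, not part of the original post: it embeds the access-list 100 (crypto map match), access-list 101 (nat 0) and acl-outside lines from both PIXes and evaluates a given flow against them with PIX first-match semantics. The masked public addresses are replaced by constructed TEST-NET values (198.51.100.211 for the main office mail/DNS static, 203.0.113.56 for the branch RDP static), and the new branch secondary gets the hypothetical address 10.0.0.53, chosen outside the branch dhcpd range.

```python
"""Flow check against the two PIX 6.x configs posted above (added example).

For a flow it answers: is it sent into the site-to-site tunnel (crypto map
mymap 10 match address 100), is it exempt from NAT (nat (inside) 0
access-list 101), and, for clear-text traffic hitting the outside interface,
does acl-outside permit it?  Public addresses are constructed TEST-NET
stand-ins for the xxx'd values; 10.0.0.53 is a hypothetical new server.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAIN_DNS = "10.0.1.99"        # primary DNS on the main office LAN (from the post)
NEW_BRANCH_DNS = "10.0.0.53"  # hypothetical address of the new branch secondary

MAIN_OFFICE_ACLS = """
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list acl-outside permit icmp any any
access-list acl-outside permit tcp any host 198.51.100.211 eq smtp
access-list acl-outside permit tcp any host 198.51.100.211 eq pop3
access-list acl-outside permit tcp any host 198.51.100.211 eq www
"""

BRANCH_OFFICE_ACLS = """
access-list 100 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.115.0 255.255.255.0
access-list acl-outside permit icmp any any
access-list acl-outside permit tcp any host 203.0.113.56 eq 3389
access-list acl-outside permit tcp any any eq pptp
access-list acl-outside permit gre any any
"""

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "domain": 53, "pptp": 1723}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1]), i + 2


def parse_acls(text):
    """Group 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines by NAME."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def acl_permits(aces, proto, src, dst, dport=None):
    """PIX semantics: first matching entry decides, implicit deny at the end;
    an 'ip' entry matches every protocol and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def check_flow(acls, proto, src, dst, dport=None):
    """Flow leaving this PIX's inside interface: tunnelled via ACL 100 and/or
    NAT-exempt via ACL 101?"""
    return {"tunnelled": acl_permits(acls["100"], proto, src, dst, dport),
            "nat_exempt": acl_permits(acls["101"], proto, src, dst, dport)}


def check_inbound_from_internet(acls, proto, dst_public, dport=None):
    """Clear-text connection from an arbitrary Internet host to a public static."""
    return acl_permits(acls["acl-outside"], proto, "192.0.2.7", dst_public, dport)


if __name__ == "__main__":
    main_pix, branch_pix = parse_acls(MAIN_OFFICE_ACLS), parse_acls(BRANCH_OFFICE_ACLS)
    # Zone transfer: the secondary opens TCP/53 towards the primary.
    print("AXFR   branch -> main tcp/53:", check_flow(branch_pix, "tcp", NEW_BRANCH_DNS, MAIN_DNS, 53))
    # NOTIFY and forwarded lookups: the primary reaches the secondary on UDP/53.
    print("NOTIFY main -> branch udp/53:", check_flow(main_pix, "udp", MAIN_DNS, NEW_BRANCH_DNS, 53))
    # The primary's public static exposes only SMTP/POP3/HTTP, never port 53.
    print("Internet -> .211 tcp/53 clear:", check_inbound_from_internet(main_pix, "tcp", "198.51.100.211", 53))
```

Run it and both inter-site flows come back tunnelled and NAT-exempt: each PIX's access-list 100 and 101 permit all ip between 10.0.1.0/24 and 10.0.0.0/24, so queries (UDP/53), NOTIFY and zone transfers (TCP/53) between 10.0.1.99 and the new server ride the existing LAN-to-LAN tunnel untranslated, and with sysopt connection permit-ipsec on both boxes they are not subject to acl-outside at all; the same function shows that port 53 on the .211 static is not reachable from the Internet in the clear, which is the desired state. The only PIX feature that touches DNS here is fixup protocol dns maximum-length 1024, which applies to DNS over UDP. What the configs will not do for you is make branch clients use the new server: the branch PIX hands out dhcpd dns 10.0.1.99, so that line (and the static resolver settings of any non-DHCP hosts) has to be changed once the secondary is serving, and the branch's vpngroup vpn3000 dns-server 4.2.2.2 gives remote VPN clients a public resolver that cannot answer for internal names.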
