From: Anthony M Macaluso (amacaluso@tkmnetworks.com)
Date: Fri Nov 15 2002 - 15:30:04 GMT-3
You need to use the alias command to "fix" the DNS response...
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
HTH,
Tony
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
djtowns@webtribe.net
Sent: Friday, November 15, 2002 12:24 PM
To: Walker, Todd; CCIElab@groupstudy.com
Subject: Re: RE: DNS Lookups using PIX 6.2.2
There is one external DNS server in the 3rd party's network.
There are many inside PCs that need to do lookups on this server.
We are running out of addresses for the actual DNS lookups (the
IP address received from the DNS server).
Using Static, as far as I can tell you have to map the whole
class of addresses, i.e. the class C inside network 172.1.2.0 to
the class C outside network 204.56.3.0. The external company
has approx 6 class C networks that the DNS names could look up
to, therefore I would need to use 6 internal class C networks to
satisfy every possible request, whereas with a pool I would get
away with about 1 quarter of a class C.
When using the Global (inside) commands the addresses come
through unnat'ed, I mean that if I do a lookup on
fred.bloggs.com to the external DNS server from an internal PC
I get the 204.56.8.6 address come back (the real outside
address) instead of the 172.1.2.x
Dyls
>I still don't get it.
>
>There's ONE external DNS server?
>You have many internal PC's that want to query it?
>Where are you running out of IP addresses? Internal? External
>pool for NAT?
>
>-----Original Message-----
>From: djtowns@webtribe.net [mailto:djtowns@webtribe.net]
>Sent: Friday, November 15, 2002 7:15 AM
>To: Stong, Ian C [GMG]; ccielab@groupstudy.com
>Subject: RE: DNS Lookups using PIX 6.2.2
>
>
>We have a bunch of PC's on our inside network, they access an
>external company via a PIX 525 firewall running 6.2.2 software.
>
>There is now a requirement for the PCs to perform DNS lookups
>to the 3rd party company's DNS server sat off the outside
>interface.
>
>The problem is that we need to be able to use a global pool of
>addresses to cut down on the number of required inside
>addresses to satisfy the DNS lookups.
>
>
> PC ---- PIX ------ DNS Server
> Inside outside
>
>I was expecting the following config to work - but it doesn't !!
>
> global (inside) 2 10.1.1.1-10.1.1.63 netmask 255.255.255.192
> nat (outside) 2 0.0.0.0 0.0.0.0 dns outside
>
>requests still come through un nat'ed
>
>Help !!!!!
>
>>Haven't done it - but am curious what specifically you are
>>trying to do?
>>Looks interesting and something I'd like to try - once I
>>understand what it means :)
>>
>>
>>-----Original Message-----
>>From: djtowns@webtribe.net [mailto:djtowns@webtribe.net]
>>Sent: Friday, November 15, 2002 7:36 AM
>>To: ccielab@groupstudy.com
>>Subject: DNS Lookups using PIX 6.2.2
>>
>>
>>Has anybody had any experience on configuring a PIX to NAT DNS
>>queries from an outside DNS server to an inside range.
>>
>>I can get this working using static :
>>
>>static (inside,outside) 10.1.1.0 204.12.8.0 dns netmask 255.255.255.0 0 0
>>
>>however I need to get this working using the Global and NAT
>>commands to save on addressing space, has anyone had any
>>success with this ???
>>
>>Thanks
>>
>>Dyls
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:01 GMT-3