Re: DNS Lookups using PIX 6.2.2

From: P729 (p729@cox.net)
Date: Sat Nov 16 2002 - 00:39:39 GMT-3

• Next message: Nathan Kleven: "RE: IOS 12.1 Documentation in PDF format"
• Previous message: Ron: "Are there any Routopia Labs forum out there ?"
• Maybe in reply to: djtowns@webtribe.net: "DNS Lookups using PIX 6.2.2"
• Next in thread: Yonkerbonk: "RE: DNS Lookups using PIX 6.2.2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

You may want to investigate using the 'alias' command. Avoid the PIX
documentation on this command (it's the worst!) but check out the TAC notes.

How you apply the 'alias' command will depend on where the target host
resides in relation to the resolvers (clients). For example, if you have a
simple inside/outside setup and the target host is on the inside, you'll
want to do "DNS doctoring" (similar to what you did with the 'dns' keyword
in the 'static' command). If the target host is on a DMZ, then you'll want
to do "destination NAT."

If you do destination NAT with the 'alias' command, note that it may affect
ACLs you might have on the related interfaces. For example, say you had
inside, outside and a DMZ and a server on the DMZ. DNS is external--internal
users looking up the DMZ server by name will receive the globally-unique
(public) address in the reply (DNS is not doctored in this case). You would
use the 'alias' command on the inside interface so that when the internal
user starts a connection towards the public destination address it is
translated to the appropriate private address. Unlike any ACLs you may have
on the DMZ interface for traffic headed to the outside, ACLs on the DMZ
interface for controlling traffic destined for the inside will need to
reference the public address as the source address--as if the 'alias'
command had created a 'static' translation.

Regards,

Mas Kato
https://ecardfile.com/id/mkato
----- Original Message -----
From: <djtowns@webtribe.net>
To: <ccielab@groupstudy.com>
Sent: Friday, November 15, 2002 4:36 AM
Subject: DNS Lookups using PIX 6.2.2

Has anybody had any experience on configuring a PIX to NAT DNS
queries from an outside DNS server to an inside range.

I can get this working using static :

static (inside,outside) 10.1.1.0 204.12.8.0 dns netmask
255.255.255.0 0 0

however I need to get this working using the Global and NAT
commands to save on addressing space, has anyone had any success
with this ???

Thanks

Dyls

• Next message: Nathan Kleven: "RE: IOS 12.1 Documentation in PDF format"
• Previous message: Ron: "Are there any Routopia Labs forum out there ?"
• Maybe in reply to: djtowns@webtribe.net: "DNS Lookups using PIX 6.2.2"
• Next in thread: Yonkerbonk: "RE: DNS Lookups using PIX 6.2.2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:01 GMT-3