you said all that needed to be said... basically, udp port 53 needs to be
allowed through (tcp for zone xfers), so if you have a static translation to
a dns server in a dmz from the outside, your acl would look similar to this.
(pix)

access-list outside permit udp any host 63.203.193.205 eq 53

with a static statement of

static (inside,outside) 63.203.193.205 10.70.48.50 netmask 255.255.255.255 0 0

for hosts on the inside interface (or a higher security interface) that need
to access dns on the internet, a nat and global statement are needed
(perhaps with an overload switch), in which case the state of the connection
would be kept up within the firewall and will look similar to this.

PAT Global 63.203.193.205(59378) Local 10.11.51.90(1058) 

-Patrick
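To make the two cases above concrete (ACL-permitted traffic to a static versus reply traffic matched by a PAT xlate), here is an added Python example, not code from the original thread: it parses one access-list line and xlate lines in the formats shown above and decides how a packet arriving on the outside interface is handled. The sample data is constructed, the PAT pool address 63.203.193.206 is assumed, and state matching is simplified to the PAT port alone (a real PIX also checks the source address and port of the conn).

```python
import re

# Constructed sample data in the formats shown in the thread; not real
# firewall output. The PAT pool address (.206) is an assumption.
ACL_SAMPLE = "access-list outside permit udp any host 63.203.193.205 eq 53"
XLATE_SAMPLE = """\
Global 63.203.193.205 Local 10.70.48.50
PAT Global 63.203.193.206(59378) Local 10.11.51.90(1058)
"""

ACL_RE = re.compile(r"^access-list \S+ permit (\w+) any host (\S+) eq (\d+)$")
PAT_RE = re.compile(r"^PAT Global (\S+)\((\d+)\) Local (\S+)\((\d+)\)$")
STATIC_RE = re.compile(r"^Global (\S+) Local (\S+)$")


def parse_acl(text):
    """Permitted (proto, global_ip, port) tuples from 'permit ... any host X eq N' lines."""
    matches = (ACL_RE.match(line.strip()) for line in text.splitlines())
    return {(m.group(1), m.group(2), int(m.group(3))) for m in matches if m}


def parse_xlate(text):
    """PAT map (gip, gport) -> (lip, lport) and static map gip -> lip."""
    pat, statics = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := PAT_RE.match(line):
            gip, gport, lip, lport = m.groups()
            pat[(gip, int(gport))] = (lip, int(lport))
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
    return pat, statics


def route_inbound(proto, dst_ip, dst_port, acl, pat, statics):
    """Decide what happens to a packet arriving on the outside interface.
    Returns ('xlate', local) for a reply matching an existing PAT entry,
    ('static', local) for traffic to a static that the ACL permits, or
    None when the firewall would drop it (e.g. tcp/53 with a udp-only ACL)."""
    hit = pat.get((dst_ip, dst_port))
    if hit:
        return ("xlate", hit)
    if dst_ip in statics and (proto, dst_ip, dst_port) in acl:
        return ("static", (statics[dst_ip], dst_port))
    return None
```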

>>> "Phil"  12/18/01 11:12AM >>>
John- specifically what is your question ???  I've had to do a lot of
DNS related research these past few months (using Meta, Garner, White
Papers, Berkeley, Microsoft, etc.), but I don't believe I have seen
specific issues with NAT and DNS.  The Firewalls must be configured to
pass UDP port 53 and can enforce an access-list only to allow certain
servers (say the ISPs primary and yours), TSIG (BIND), or to proxy.
With proxy (say Gauntlet or Symantec's Raptor line-up) the NAT or PAT
portion plays no role.  As the query moves, @ no time should the DNS
server being polled need to cache the resolver's information (does this
make sense ???).  I guess, what I am trying to say is that it does not
matter if I am requesting from a global IP address or a private 10.0.0.0
address.  If your lookup is recursive or iterative, the firewall has a
state table, NAT statistics, or a PAT lookup (UNIX programs refer to it
as IP Masquerading), mapping it back to the resolver (be it PC or file
server) that initiated the lookup.

I believe I may not have answered your question

Let me know- I never was asked to deliver my DNS presentation and I'm
still miffed I've been studying such a boring subject as of late :-)
Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
John Tafasi
Sent: Tuesday, December 18, 2001 3:37 AM
To: [EMAIL PROTECTED] 
Subject: CCIE Written: DNS and NAT [7:29461]

Does anybody have a good resource that explains how NAT on the firewall
works with DNS?


Thanks

John Tafasi




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29484&t=29461
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
