At 09:26 AM 03/18/2000 +0100, Diederick van Dijk wrote:
>On Sat, 18 Mar 2000, Lisa Napier wrote:
> > Hi Diederick,
> >
> > There are two ways to go about this. One is to configure an additional DNS
> > MX record with a low value, for your internal clients only. This MX record
> > would point to the actual address of the machine (10.x.x.3). Other clients
> > won't use that MX record, as the address is unreachable, and they will use
> > the next higher preference record.
>
>Thanks for your quick reply. This solution is a dirty one and it crossed my mind,
>but because it's so dirty I don't wanna use it.
>
> >
> > The other way is to use the alias command on the PIX. I needed to read the
> > documentation several times before I understood how the command works, and
> > the behavior has changed depending on the version you are using. So, check
> > your manual for the version you are using, for the alias command syntax and
> > usage.
> >
>Yes, I've the same problem. The explanation of the alias command makes no sense
>to me. Maybe you can help me. We have PIX IOS 4.2(5).
Okay, this will only work with a 2-interface PIX; additional complexity is
added when using 3 or more interfaces.

alias 10.x.x.c 193.79.xx.c 255.255.255.255

for your configuration. However, I've just noted that this WILL NOT work.
- 193.79.xx.a 'static routes' to 10.x.x.1 (DNS)
- 193.79.xx.b 'static routes' to 10.x.x.2 (WWW)
- 193.79.xx.c 'static routes' to 10.x.x.3 (mail)
Why? Because this method causes the DNS queries to be 'fixed up' across
the PIX. So the DNS responses to a query for an MX record must go through
the PIX. In your case, your DNS server is on the INSIDE, so its responses
will not go through the PIX. You're still out of luck for this solution,
and you'll need to go to two DNS servers, or the 'dirty' solution above.
Apologies I missed this detail last night. :(
Thanks much,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
PGP: A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
ID: 0xB72CAF1F, DH/DSS 2048/1024
>Thanks in advance,
>
>------------------------------------------------------------------------------
>Diederick van Dijk
>Homepage: http://www.van-dijk.net
>Linux Documentation: http://cpqlin.van-dijk.net
>- Manager of Compaq And Linux Mailing List (see my homepage)
> (subscribe at [EMAIL PROTECTED])
>- Paper about installing Red Hat on a Compaq with a Smart Array Controller
>- Mini-Howto Linux PPP to NT with MS Chap and callback
>------------------------------------------------------------------------------
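As an added illustration of why the alias approach fails here (this is not code from the thread or from Cisco), a small Python model of the DNS fixup: A records in a reply are rewritten from the outside static to the inside address only when that reply actually passes through the PIX, so an inside DNS server answering inside clients never gets its answers doctored. The addresses 193.79.1.3, 10.0.0.3 and the example.com names are constructed stand-ins for the thread's 193.79.xx.c, 10.x.x.3 and real hostnames, and the traverses_pix flag is a hypothetical stand-in for "did this packet cross the firewall".

```python
import ipaddress
import struct

STATICS = {"193.79.1.3": "10.0.0.3"}  # constructed stand-in for the thread's 193.79.xx.c -> 10.x.x.3

def _name(n):  # encode a domain name in uncompressed DNS wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
def _skip_name(pkt, off):  # offset just past a (possibly compressed) wire-format name
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + pkt[off]
    return off + 1
def build_response(qname, answers, additional):  # constructed reply; lists of (name, rtype, rdata)
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, len(additional))
    out = hdr + _name(qname) + struct.pack("!HH", 15, 1)  # QTYPE=MX, QCLASS=IN
    for name, rtype, rdata in answers + additional:
        out += _name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return out

def _rr_offsets(pkt):  # yield (rtype, rdata_offset, rdlen) for every RR after the question
    qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        yield rtype, off + 10, rdlen
        off += 10 + rdlen

def a_records(pkt):  # IPv4 addresses carried in A records, in packet order
    return [str(ipaddress.IPv4Address(bytes(pkt[o:o + 4]))) for t, o, n in _rr_offsets(pkt) if t == 1 and n == 4]
def doctor_dns_response(pkt, statics, traverses_pix):
    """Rewrite A-record RDATA outside->inside as the PIX alias/DNS fixup does. A reply
    that never crosses the firewall (inside DNS answering inside clients) is untouched."""
    if not traverses_pix:
        return pkt
    out = bytearray(pkt)
    for rtype, off, rdlen in _rr_offsets(pkt):
        if rtype == 1 and rdlen == 4:  # only A records; MX RDATA is left alone
            addr = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            if addr in statics:
                out[off:off + 4] = ipaddress.IPv4Address(statics[addr]).packed
    return bytes(out)

# Constructed sample: MX for example.com -> mail.example.com, with its A record as glue.
SAMPLE_REPLY = build_response("example.com",
    [("example.com", 15, struct.pack("!H", 10) + _name("mail.example.com"))],
    [("mail.example.com", 1, ipaddress.IPv4Address("193.79.1.3").packed)])
```

Running doctor_dns_response(SAMPLE_REPLY, STATICS, traverses_pix=True) yields 10.0.0.3 for the mail host, while traverses_pix=False leaves 193.79.1.3 in place, which is the situation the inside DNS server is in.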