On 24 Mar 00, at 15:19, John Adams wrote:

> Nope, the alias command manipulates dns packets that are returning from
> the outside when an inside host requests host name resolution from an
> external DNS server.

Just to clear things up, I have a PIX with 4 interfaces. My DNS servers are on 
the same interface ("dmz") as my web and mail servers, not on the outside. 
The alias command not only changes packets from these DNS servers back 
to the inside but also allows me to use the global outside static mapped 
addresses for the hosts in my "dmz" segment and automatically reroutes the 
packets to the correct hosts, whether using DNS, http, ping, whatever. So in 
this case the alias command is doing more than it first appears, and I can 
verify it by removing it - my inside users then can't use my outside 
addresses to get at my "dmz" servers.
 
> I'm looking at something where the DNS server is still on the inside, and
> you ricochet the dns request off the PIX. If this is how it works
> currently and I'm wrong, I should go back and reconfigure my PIX, but I
> don't think this is how it works.

How would you tell your hosts to ricochet requests off the PIX? They only pass 
packets to the PIX when they are making a request for an IP address that 
isn't inside your network; that's a TCP/IP property, not a PIX configuration 
option. What you could do is move your DNS servers to another interface of 
the PIX (not outside) and then the PIX can modify the packets when 
requested. I don't think you can set up statics to the inside so that you use 
the outside (or 3rd interface) addresses for your DNS setup to make the 
requests which would then pass into the PIX, and have it redirect the packets 
back to the inside DNS server, as the PIX doesn't appear to allow packets to 
have a source and destination on the same interface. But I haven't tried this, 
so I don't know for sure. I agree that the alias command needs more 
capabilities as it could be really powerful except that it's restricted to use 
only for requests from a high security level to a lower level.

Dan

---
D.C. Crichton                 email: [EMAIL PROTECTED]
Senior Systems Analyst        tel:   +44 (0)121 706 6000
Computer Manuals Ltd.         fax:   +44 (0)121 606 0477

Computer book info on the web:
   http://computer-manuals.co.uk/
Want to earn money? Join our affiliate scheme!
   http://computer-manuals.co.uk/affiliate/
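The two effects of the alias command that Dan describes, as an added model (not Cisco code and not from this thread): A records in DNS replies crossing from a lower-security interface to a higher one are rewritten from the global static-mapped address to the real server address, and packets from the higher-security side sent to the global address are delivered to the real host; both only apply from a higher security level to a lower one, as the thread notes. The addresses, interface names and security levels are constructed for illustration.

```python
import struct
import socket

# Constructed: global outside address -> real dmz address of the same host
ALIAS = {"203.0.113.80": "10.2.0.80"}
# Constructed security levels; alias only helps high -> low, as the thread notes
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}


def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # two-byte pointer ends the name
            return off + 2
        off += length + 1
        if length == 0:
            return off


def doctor_dns_reply(reply, from_if, to_if):
    """Rewrite matching A records, but only for replies going low -> high."""
    if SECURITY[from_if] >= SECURITY[to_if]:
        return reply
    out = bytearray(reply)
    qd, an = struct.unpack_from("!HH", out, 4)   # QDCOUNT, ANCOUNT
    off = 12
    for _ in range(qd):                          # skip the question section
        off = _skip_name(out, off) + 4
    for _ in range(an):
        off = _skip_name(out, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", out, off)
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            addr = socket.inet_ntoa(bytes(out[off:off + 4]))
            if addr in ALIAS:
                out[off:off + 4] = socket.inet_aton(ALIAS[addr])
        off += rdlen
    return bytes(out)


def redirect_packet(dst, from_if, server_if="dmz"):
    """Where a packet sent to dst from from_if is actually delivered."""
    if SECURITY[from_if] > SECURITY[server_if]:
        return ALIAS.get(dst, dst)
    return dst


def build_reply(name, addr):
    """Constructed minimal DNS reply carrying one A record answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    ans = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return hdr + qname + struct.pack("!HH", 1, 1) + ans
```

Removing the mapping from ALIAS reproduces what Dan observes without the alias command: inside hosts get the global address back unchanged and cannot reach the dmz server through it.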