CT,
The point of "NAT"-ing DNS requests is that if your network is using
official addresses which belong to another company, you won't be able to
establish communications with that company because the client will believe
that you're trying to contact a local address. The PIX solves this by
replacing any DNS replies from that domain with unofficial addresses (i.e.
10.x.x.x / 172.16-31.x.x / 192.168.x.x), and also translates communications
to that domain. Your client would believe that this site has an unofficial
address which will be routed to the firewall, the firewall translates this
request to the real addresses and you don't have such a problem anymore.

Of course it's better to change your own addresses to RFC1918 addresses or
legal addresses that you own, but that's often quite a complicated job
compared to this PIX setup.

Lars

-----Original message-----
From: Christine Tran [mailto:[EMAIL PROTECTED]]
Sent: 9 August 2000 16:39
To: [EMAIL PROTECTED]
Subject: Re: [FW1] NATing DNS queries payload ONLY


This sounds like one head-spinning set up.  Have no idea why
you want to do it this way, this is a zillion times harder than
changing your routes.  First, you do not want to mess with
DNS answers.  Why query, and then mask the answer with one
of your own?  If the answer is x.y.z.z, make sure your FW
can get to x.y.z.z instead of making x.y.z.z look like something
else.  Don't know your ISP set up, but you should have rails
connecting you to your ISP POS routers.  On your FW you should
set this as the default route.  For your internal network
have a routing table, static or use gated, it's free.  Wherever
x.y.z.z is, when a packet hits your FW with the destination 
x.y.z.z, it will default to go to your ISP routers & to the
big Internet cloud.

CT



============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====
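
The DNS reply rewriting Lars describes, sketched as an added example (not from the thread and not PIX code): A records that point into the overlapping official range are replaced with unofficial alias addresses, and the same mapping is reversed for the traffic itself. The two ranges and the sample reply are constructed for illustration.

```python
import ipaddress
import struct

REAL = ipaddress.ip_network("198.51.100.0/24")   # constructed: the other company's official range
ALIAS = ipaddress.ip_network("10.99.0.0/24")     # constructed: unofficial range routed to the firewall

def translate(addr, src, dst):
    """Map addr from src to the same host offset in dst; None if addr is outside src."""
    addr = ipaddress.IPv4Address(addr)
    if addr not in src:
        return None
    return dst[int(addr) - int(src.network_address)]

def skip_name(msg, off):
    """Return the offset just past a DNS name (labels, or a 2-byte compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0:
            return off + 2
        off += 1 + n

def doctor_reply(msg, real=REAL, alias=ALIAS):
    """Rewrite A records that point into `real` so the client sees `alias` addresses."""
    out = bytearray(msg)
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):                       # question: name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):             # record: name, type, class, ttl, rdlength, rdata
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A
            mapped = translate(bytes(msg[off:off + 4]), real, alias)
            if mapped is not None:
                out[off:off + 4] = mapped.packed
        off += rdlen
    return bytes(out)

def sample_reply(ip):
    """Constructed reply: www.example.com IN A <ip>, answer name compressed to offset 12."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer
```

Because an A record's address is always four bytes, the rewrite never changes the message length; a device doing this on the wire still has to recompute the UDP checksum, and replies for addresses outside the overlapping range pass through untouched.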