RE: RE: DNS Lookups using PIX 6.2.2 posted 11/15/2002
You need to use the alias command to "fix" the DNS response...
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Sent: Friday, November 15, 2002 12:24 PM
To: Walker, Todd; CCIElab@xxxxxxxxxxxxxx
Subject: Re: RE: DNS Lookups using PIX 6.2.2
There is one External DNS server in the 3rd party's network,
There are many inside PC's that need to do lookups on this server
We are running out of addresses for the actual DNS lookups (the
IP address received from the DNS server)
Using Static, as far as I can tell you have to map the whole
class of addresses, i.e. the class C inside network 220.127.116.11 to
the class C outside network 18.104.22.168. The external company
has approx 6 class C networks that the DNS names could look up
to, therefore I would need to use 6 internal class C networks to
satisfy every possible request, whereas with a pool I would get
away with about 1 quarter of a class C.
When using the Global (inside) commands the addresses come
through unnat'ed, I mean that if I do a lookup on
fred.bloggs.com to the external DNS server from an internal PC
I get the 22.214.171.124 address come back (the real outside
address) instead of the 172.1.2.x
>I still don't get it.
>There's ONE external DNS server?
>You have many internal PC's that want to query it?
>Where are you running out of IP addresses? Internal? External pool for NAT?
>From: djtowns@xxxxxxxxxxxx [mailto:djtowns@xxxxxxxxxxxx]
>Sent: Friday, November 15, 2002 7:15 AM
>To: Stong, Ian C [GMG]; ccielab@xxxxxxxxxxxxxx
>Subject: RE: DNS Lookups using PIX 6.2.2
>We have a bunch of PC's on our inside network, they access an
>external company via a PIX 525 firewall running 6.2.2 software.
>There is now a requirement for the PC's to perform DNS lookups
>to the 3rd party company's DNS server sat off the outside
>The problem is that we need to be able to use a global pool of
>addresses to cut down on the number of required inside
>to satisfy the DNS lookups.
> PC ---- PIX ------ DNS Server
> Inside outside
>I was expecting the following config to work - but it doesn't !!
> global (inside) 2 10.1.1.1-10.1.1.63 netmask 255.255.255.192
> nat (outside) 2 0.0.0.0 0.0.0.0 dns outside
>requests still come through un nat'ed
>>Haven't done it - but am curious what specifically you are trying to do?
>>Looks interesting and something I'd like to try - once I understand what it
>>From: djtowns@xxxxxxxxxxxx [mailto:djtowns@xxxxxxxxxxxx]
>>Sent: Friday, November 15, 2002 7:36 AM
>>Subject: DNS Lookups using PIX 6.2.2
>>Has anybody had any experience on configuring a PIX to NAT DNS
>>queries from an outside DNS server to an inside range.
>>I can get this working using static :
>>static (inside,outside) 10.1.1.0 126.96.36.199 dns netmask 255.255.255.0 0 0
>>however I need to get this working using the Global and NAT
>>commands to save on addressing space, has anyone had any
>>with this ???