GroupStudy.com - A virtual community of network engineers
RE: 'static' command with 'dns' keyword posted 08/22/2002


That's a good question and I'm not completely certain of the answer without
labbing it up (which wouldn't be a bad idea).

CCO is a little sketchy about Transparent NAT for your example exactly.  My
guess is that "fixup protocol dns" and the "dns" keyword on the static are
enough to accomplish resolution of the DMZ web server.  It looks like Cisco
is distancing itself from use of the "alias" command.

Again, a test lab would be the best idea.

-----Original Message-----
From: 910T
To: CCIESec
Sent: 8/21/2002 6:57 PM
Subject: 'static' command with 'dns' keyword

With PIX 6.2, DNS translation can be handled "automatically" without having to
use the 'alias' command.

But let's say I have a DMZ server and a 'static' command with 'dns' keyword
set up between the DMZ and the outside. The DNS server is on the outside.
Users are on the inside. The DMZ and inside use private address spaces.

When a user on the inside issues a DNS request for the DMZ server, the reply
will contain the public address for the DMZ server. Does anyone know if the
DNS reply will be translated by the PIX on its way back to the user on the
inside? Or will I still have to implement "destination NAT" using the 'alias'
command on the inside interface because the reply to the inside will remain
unaltered?

The reason I ask is, the address that needs to be translated is on the DMZ
(which is taken care of by the 'static' command between the DMZ and the
outside, so the PIX knows there's a translation taking place), but the DNS
requests and replies in this scenario are coming from and going to the
inside.

Thanks in advance for any insight or sharing your experience.

Regards,

Mas Kato
https://ecardfile.com/id/mkato
__________________________________________________________________
To unsubscribe from the SECURITY list, send a message to
majordomo@xxxxxxxxxxxxxx with the body containing:
unsubscribe SECURITY
__________________________________________________________________