Solved

Pix 501 - Allowing Routing of Public IP address

Posted on 2004-09-02
6
238 Views
Last Modified: 2013-11-16
Kind of an odd question:

I am currently participating in a thread i started at the cisco website. This is:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd647db/0#selected_message

I will split the points between anyone who can add any useful, relevant information to help resovle the thread contained therein. You need not post back there if you are not registered - a reply here would do.

Many thank,
Daniel
0
Comment
Question by:danielwatts
6 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 20 total points
ID: 11968696
Hi Daniel

Im confused? do you have NO DNS on your LAN? if so why is s1 not querying your internal DNS its A record will return an internal address?


plus your comment

>>entered a line eg 64.1.2.34 s1.host.com

your host file is queried before the client tries to resolve DNS (after the internal cache has been searched)
0
 
LVL 1

Author Comment

by:danielwatts
ID: 11968803
In response:

No all of our DNS is hosted by a 3rd party. No DNS is running locally (except maybe a forwarder that just caches responses). Having internal DNS was an option but requires administration of the DNS thereafter. If we could fix the problem globally at the firewall it would be better.

The query order is set in nsswitch.
Currently mine is:
hosts:      files nisplus nis dns
so you are correct. /etc/hosts is queried before dns. This is how I am patching the problem for the moment!
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 80 total points
ID: 11969849
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Accepted Solution

by:
tevens earned 100 total points
ID: 11990088
DNS doctoring (alias/dns) would work if the DNS response was forwarded through the firewall.  So using alias or the dns keyword on a static might not do the trick because it depends where the DNS server was/is.

To answer the main question; the pix will not forward traffic back out the same interface it heard it from.  This could open a hole in the firewall and thus compromise the security.  So the two answers that exist are to use DNS doctoring providing the DNS server responses go through the firewall or use two interfaces on the firewall.  Note that not even routers will NAT on the same interface.

--Tim
0
 
LVL 1

Author Comment

by:danielwatts
ID: 11990318
Guys thank you very much.

As it turns out the host must have just forgotten to clear xlate or something. The dns translation now works. Dig's to remote DNS servers now correctly return the translated internal IP address. Everything is dandy =)

The two interfaces on the firewall trick sounds clever - will remember that.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11990643
ThanQ
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question