Solved

Pix 501 - Allowing Routing of Public IP address

Posted on 2004-09-02
Last Modified: 2013-11-16
Kind of an odd question:

I am currently participating in a thread I started at the Cisco website. This is:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd647db/0#selected_message

I will split the points between anyone who can add any useful, relevant information to help resolve the thread contained therein. You need not post back there if you are not registered - a reply here would do.

Many thanks,
Daniel
Question by:danielwatts
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 20 total points
ID: 11968696
Hi Daniel

I'm confused? Do you have NO DNS on your LAN? If so, why is s1 not querying your internal DNS? Its A record will return an internal address.


plus your comment

>>entered a line eg 64.1.2.34 s1.host.com

Your hosts file is queried before the client tries to resolve DNS (after the internal cache has been searched).
 
LVL 1

Author Comment

by:danielwatts
ID: 11968803
In response:

No all of our DNS is hosted by a 3rd party. No DNS is running locally (except maybe a forwarder that just caches responses). Having internal DNS was an option but requires administration of the DNS thereafter. If we could fix the problem globally at the firewall it would be better.

The query order is set in nsswitch.
Currently mine is:
hosts:      files nisplus nis dns
so you are correct. /etc/hosts is queried before dns. This is how I am patching the problem for the moment!
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 80 total points
ID: 11969849
 
LVL 1

Accepted Solution

by:
tevens earned 100 total points
ID: 11990088
DNS doctoring (alias/dns) would work if the DNS response was forwarded through the firewall.  So using alias or the dns keyword on a static might not do the trick because it depends where the DNS server was/is.

To answer the main question; the pix will not forward traffic back out the same interface it heard it from.  This could open a hole in the firewall and thus compromise the security.  So the two answers that exist are to use DNS doctoring providing the DNS server responses go through the firewall or use two interfaces on the firewall.  Note that not even routers will NAT on the same interface.

--Tim
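DNS doctoring as tevens describes it, as an added Python illustration (not code from the thread or from the PIX itself): when a DNS reply traverses the firewall, the A record for a statically translated public address is rewritten to the mapped inside address, so inside clients reach the server directly instead of needing the traffic to hairpin back out the same interface. The static mapping and the inside address 192.168.1.10 are assumptions; 64.1.2.34 is the example address from the thread.

```python
import struct

# Constructed static NAT table (public -> inside), mirroring a PIX
# "static (inside,outside) 64.1.2.34 <inside-ip> ... dns" entry.
# 64.1.2.34 comes from the thread; 192.168.1.10 is an assumed inside address.
STATIC_NAT = {"64.1.2.34": "192.168.1.10"}

def _skip_name(msg, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:                 # root label terminates the name
            return off + 1
        off += 1 + length

def doctor_response(msg, nat=STATIC_NAT):
    """Rewrite A-record rdata in a DNS reply from public to mapped inside IPs."""
    msg = bytearray(msg)
    qd, an = struct.unpack("!HH", msg[4:8])      # QDCOUNT, ANCOUNT
    off = 12                                      # fixed 12-byte header
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    rewritten = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
            public = ".".join(str(b) for b in msg[off:off + 4])
            if public in nat:
                msg[off:off + 4] = bytes(int(x) for x in nat[public].split("."))
                rewritten.append((public, nat[public]))
        off += rdlen
    return bytes(msg), rewritten

def build_reply(name, ip):
    """Construct a minimal DNS reply (one question, one A answer) as sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) \
        + bytes(int(x) for x in ip.split("."))
    return header + question + answer

if __name__ == "__main__":
    _, changes = doctor_response(build_reply("s1.host.com", "64.1.2.34"))
    print(changes)   # [('64.1.2.34', '192.168.1.10')]
```

A reply that carries an address with no static entry passes through untouched, which is the same behaviour the `dns` keyword gives on the PIX: only translated addresses are rewritten.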
 
LVL 1

Author Comment

by:danielwatts
ID: 11990318
Guys thank you very much.

As it turns out the host must have just forgotten to clear xlate or something. The DNS translation now works. Digs to remote DNS servers now correctly return the translated internal IP address. Everything is dandy =)

The two interfaces on the firewall trick sounds clever - will remember that.
 
LVL 57

Expert Comment

by:Pete Long
ID: 11990643
ThanQ