Solved

Pix 501 - Allowing Routing of Public IP address

Posted on 2004-09-02
6
235 Views
Last Modified: 2013-11-16
Kind of an odd question:

I am currently participating in a thread i started at the cisco website. This is:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd647db/0#selected_message

I will split the points between anyone who can add any useful, relevant information to help resovle the thread contained therein. You need not post back there if you are not registered - a reply here would do.

Many thank,
Daniel
0
Comment
Question by:danielwatts
6 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 20 total points
ID: 11968696
Hi Daniel

Im confused? do you have NO DNS on your LAN? if so why is s1 not querying your internal DNS its A record will return an internal address?


plus your comment

>>entered a line eg 64.1.2.34 s1.host.com

your host file is queried before the client tries to resolve DNS (after the internal cache has been searched)
0
 
LVL 1

Author Comment

by:danielwatts
ID: 11968803
In response:

No all of our DNS is hosted by a 3rd party. No DNS is running locally (except maybe a forwarder that just caches responses). Having internal DNS was an option but requires administration of the DNS thereafter. If we could fix the problem globally at the firewall it would be better.

The query order is set in nsswitch.
Currently mine is:
hosts:      files nisplus nis dns
so you are correct. /etc/hosts is queried before dns. This is how I am patching the problem for the moment!
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 80 total points
ID: 11969849
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Accepted Solution

by:
tevens earned 100 total points
ID: 11990088
DNS doctoring (alias/dns) would work if the DNS response was forwarded through the firewall.  So using alias or the dns keyword on a static might not do the trick because it depends where the DNS server was/is.

To answer the main question; the pix will not forward traffic back out the same interface it heard it from.  This could open a hole in the firewall and thus compromise the security.  So the two answers that exist are to use DNS doctoring providing the DNS server responses go through the firewall or use two interfaces on the firewall.  Note that not even routers will NAT on the same interface.

--Tim
0
 
LVL 1

Author Comment

by:danielwatts
ID: 11990318
Guys thank you very much.

As it turns out the host must have just forgotten to clear xlate or something. The dns translation now works. Dig's to remote DNS servers now correctly return the translated internal IP address. Everything is dandy =)

The two interfaces on the firewall trick sounds clever - will remember that.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11990643
ThanQ
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to Access NetScaler admin URL from external source 8 1,223
palo alto VM series in AWS 3 105
Network Activities  please help 16 78
Palo Alto Networks Global Protect 2 123
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question