?
Solved

Pix 501 - Allowing Routing of Public IP address

Posted on 2004-09-02
6
Medium Priority
?
267 Views
Last Modified: 2013-11-16
Kind of an odd question:

I am currently participating in a thread i started at the cisco website. This is:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd647db/0#selected_message

I will split the points between anyone who can add any useful, relevant information to help resovle the thread contained therein. You need not post back there if you are not registered - a reply here would do.

Many thank,
Daniel
0
Comment
Question by:danielwatts
6 Comments
 
LVL 58

Assisted Solution

by:Pete Long
Pete Long earned 80 total points
ID: 11968696
Hi Daniel

Im confused? do you have NO DNS on your LAN? if so why is s1 not querying your internal DNS its A record will return an internal address?


plus your comment

>>entered a line eg 64.1.2.34 s1.host.com

your host file is queried before the client tries to resolve DNS (after the internal cache has been searched)
0
 
LVL 1

Author Comment

by:danielwatts
ID: 11968803
In response:

No all of our DNS is hosted by a 3rd party. No DNS is running locally (except maybe a forwarder that just caches responses). Having internal DNS was an option but requires administration of the DNS thereafter. If we could fix the problem globally at the firewall it would be better.

The query order is set in nsswitch.
Currently mine is:
hosts:      files nisplus nis dns
so you are correct. /etc/hosts is queried before dns. This is how I am patching the problem for the moment!
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 320 total points
ID: 11969849
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
LVL 1

Accepted Solution

by:
tevens earned 400 total points
ID: 11990088
DNS doctoring (alias/dns) would work if the DNS response was forwarded through the firewall.  So using alias or the dns keyword on a static might not do the trick because it depends where the DNS server was/is.

To answer the main question; the pix will not forward traffic back out the same interface it heard it from.  This could open a hole in the firewall and thus compromise the security.  So the two answers that exist are to use DNS doctoring providing the DNS server responses go through the firewall or use two interfaces on the firewall.  Note that not even routers will NAT on the same interface.

--Tim
0
 
LVL 1

Author Comment

by:danielwatts
ID: 11990318
Guys thank you very much.

As it turns out the host must have just forgotten to clear xlate or something. The dns translation now works. Dig's to remote DNS servers now correctly return the translated internal IP address. Everything is dandy =)

The two interfaces on the firewall trick sounds clever - will remember that.
0
 
LVL 58

Expert Comment

by:Pete Long
ID: 11990643
ThanQ
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month3 days, 10 hours left to enroll

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question