Solved

specify DNS server on PIX 506 for name resolution in access lists

Posted on 2006-07-19
4
385 Views
Last Modified: 2013-11-16
Hi there
I have a PIX 506 that I'm configuring.
I need to access some remote hosts that have DNS name and whose addresses sometimes change or may change in the future.

Is there any way I can create an access-list like this where the name will be resolved dynamically?

access-list eggster line 71 permit tcp host host.eggster.com host eq http

I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX and was wondering if it was possible?

Thanks.
0
Question by:eggster34
4 Comments
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 250 total points
ID: 17143668
Hmmm. I don't think you can do this. If you use 'host.eggster.com', it will only be replaced from a 'name' statement.

Cheers,
Rajesh
0
 
LVL 20

Accepted Solution

by:
calvinetter earned 250 total points
ID: 17143950
>I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX...
  Unfortunately this can't be done on a PIX, not dynamically via DNS resolution (definitely not in PIX 6.x, & doesn't appear to be on PIX 7.x).

  If your main goal would be to make it easier to manage ACLs with a hostname you could use the "name" command as rsivanandan mentioned, which would allow you to make a single IP change in the config which would essentially update every reference to the host in your ACLs.
  The "name" statements are like lines in a hosts file - the hostnames are simply text strings that the PIX associates with the IP address that you've configured.  The text strings have some limitations:
- Limited to 63 characters (PIX 6.3 or above; 16 characters in PIX 6.0)
- Names can't begin with a number
- Allowed characters are a-z, A-Z, 0-9, a dash, and an underscore [and a period '.' in PIX 6.3(5) at least]
- Only 1 name can be assigned to an IP
- Can't use a 'name' in place of a subnet mask value: eg, the following is NOT allowed: ip address inside 10.1.1.1 class_C_mask

  Example:
names    --> turns on use of 'name' statements (on by default)
name 91.2.2.2 www.eggster.com
name 77.1.1.2 corp_ftp
name 10.0.0.5 my-inside-server
  (now you can use ACL statements like the following):
access-list 101 permit tcp any host www.eggster.com eq 80
access-list inbound permit tcp any host corp_ftp eq 21

  If the IP for "www.eggster.com" changes, you simply need to change 1 line of your config:
name 212.9.9.9 www.eggster.com

cheers
0
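The 'name' table and ACL expansion described in the answer above, as an added Python model that is not part of the original thread or of Cisco's PIX software: it checks name strings against the limits listed (63-character cap, no leading digit, the allowed character set, one name per IP), expands hostnames after "host" in access-list lines to their configured addresses, and shows that changing the single 'name' line re-points every ACL reference. The sample config is constructed from the answer's example lines; the function names are the example's own.

```python
"""Model of PIX 'name' statements: validate them against the limits given in
the answer and expand hostnames in access-list lines to configured IPs.
Added example (not Cisco code); SAMPLE_CONFIG is constructed from the answer."""
import ipaddress
import re

# Character rules from the answer: a-z, A-Z, 0-9, dash, underscore, and
# (PIX 6.3(5) and later) a period. Names may not begin with a number.
_ALLOWED_WITH_PERIOD = re.compile(r'^[A-Za-z0-9_.\-]+$')
_ALLOWED_NO_PERIOD = re.compile(r'^[A-Za-z0-9_\-]+$')


def check_name(name, max_len=63, allow_period=True):
    """Return a list of rule violations for one 'name' string (empty if valid).
    max_len=63 models PIX 6.3+; pass max_len=16 for PIX 6.0."""
    errors = []
    if len(name) > max_len:
        errors.append(f"{name!r}: longer than {max_len} characters")
    if name[:1].isdigit():
        errors.append(f"{name!r}: may not begin with a number")
    allowed = _ALLOWED_WITH_PERIOD if allow_period else _ALLOWED_NO_PERIOD
    if not allowed.match(name):
        errors.append(f"{name!r}: contains characters outside the allowed set")
    return errors


def parse_names(config, **limits):
    """Collect 'name <ip> <text>' lines into {text: ip}, enforcing one name per IP."""
    names, seen_ips, errors = {}, {}, []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "name":
            continue  # 'names' (plural) and everything else is not a mapping
        ip, text = parts[1], parts[2]
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errors.append(f"{ip!r}: not a valid IPv4 address")
            continue
        errors.extend(check_name(text, **limits))
        if ip in seen_ips:
            errors.append(f"{ip}: already named {seen_ips[ip]!r}, cannot also be {text!r}")
            continue
        seen_ips[ip] = text
        names[text] = ip
    return names, errors


def expand_acl(line, names):
    """Replace 'host <name>' with 'host <ip>' wherever <name> is a configured name."""
    tokens = line.split()
    for i in range(len(tokens) - 1):
        if tokens[i] == "host" and tokens[i + 1] in names:
            tokens[i + 1] = names[tokens[i + 1]]
    return " ".join(tokens)


def expand_config(config, **limits):
    """Return the access-list lines of `config` as the PIX would apply them (IPs, not names)."""
    names, errors = parse_names(config, **limits)
    if errors:
        raise ValueError("; ".join(errors))
    return [expand_acl(l, names) for l in config.splitlines() if l.startswith("access-list")]


def update_name(config, text, new_ip):
    """Rewrite the single 'name' line for `text` so it points at `new_ip`."""
    out = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name" and parts[2] == text:
            line = f"name {new_ip} {text}"
        out.append(line)
    return "\n".join(out)


# Constructed from the answer's example; addresses are illustrative only.
SAMPLE_CONFIG = """\
names
name 91.2.2.2 www.eggster.com
name 77.1.1.2 corp_ftp
name 10.0.0.5 my-inside-server
access-list 101 permit tcp any host www.eggster.com eq 80
access-list inbound permit tcp any host corp_ftp eq 21
"""

if __name__ == "__main__":
    for acl in expand_config(SAMPLE_CONFIG):
        print(acl)
    # The one-line change from the answer: every ACL reference follows it.
    for acl in expand_config(update_name(SAMPLE_CONFIG, "www.eggster.com", "212.9.9.9")):
        print(acl)
```

The point the model makes explicit is that the PIX never consults DNS: a 'name' is a static string-to-address binding, so a hostname whose address changes is only "updated" when an administrator edits that line. Run the block directly to see the expanded ACLs before and after the address change.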
 

Author Comment

by:eggster34
ID: 17146238
OK, that's what I had feared and suspected. Many thanks to both of you. I'm splitting the points.
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 17151080
You're welcome!
0
