Solved

specify DNS server on PIX 506 for name resolution in access lists

Posted on 2006-07-19
373 Views
Last Modified: 2013-11-16
Hi there
I have a PIX 506 that I'm configuring.
I need to access some remote hosts that have DNS name and whose addresses sometimes change or may change in the future.

Is there any way I can create an access-list like this where the name will be resolved dynamically?

access-list eggster line 71 permit tcp host host.eggster.com host eq http

I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX and was wondering if it was possible?

Thanks.
Question by:eggster34
4 Comments
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 250 total points
ID: 17143668
Hmmm. I don't think you can do this. If you use 'host.eggster.com', it will only be replaced from a 'name' statement.

Cheers,
Rajesh
 
LVL 20

Accepted Solution

by:calvinetter
calvinetter earned 250 total points
ID: 17143950
>I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX...
  Unfortunately this can't be done on a PIX, not dynamically via DNS resolution (definitely not in PIX 6.x, & doesn't appear to be on PIX 7.x).

  If your main goal is to make it easier to manage ACLs with a hostname, you could use the "name" command as rsivanandan mentioned, which allows you to make a single IP change in the config that essentially updates every reference to the host in your ACLs.
  The "name" statements are like lines in a hosts file - the hostnames are simply text strings that the PIX associates with the IP address that you've configured.  The text strings have some limitations:
- Limited to 63 characters (PIX 6.3 or above; 16 characters in PIX 6.0)
- Names can't begin with a number
- Allowed characters are a-z, A-Z, 0-9, a dash, and an underscore [and a period '.' in PIX 6.3(5) at least]
- Only 1 name can be assigned to an IP
- Can't use a 'name' in place of a subnet mask value: e.g., the following is NOT allowed: ip address inside 10.1.1.1 class_C_mask

  Example:
names    --> turns on use of 'name' statements (on by default)
name 91.2.2.2 www.eggster.com
name 77.1.1.2 corp_ftp
name 10.0.0.5 my-inside-server
  (now you can use ACL statements like the following):
access-list 101 permit tcp any host www.eggster.com eq 80
access-list inbound permit tcp any host corp_ftp eq 21

  If the IP for "www.eggster.com" changes, you simply need to change 1 line of your config:
name 212.9.9.9 www.eggster.com

cheers
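The accepted answer's workaround (keep the ACLs referencing a 'name' label and change the single 'name' line when the address moves) is easy to script from a management host. The following is an added example, not code from the original post or from Cisco: it checks a label against the 'name' restrictions listed above (length limit, no leading digit, allowed character set, one name per IP), parses the 'name' statements out of a config, and regenerates just the one line for a label whose address has changed. The sample config and the resolved address are constructed to mirror the answer's example; the RESOLVED table stands in for a DNS lookup done out-of-band, since the PIX itself will not resolve the name.

```python
"""Keep PIX 'name' statements current from an externally resolved address.

Added example (not from the original post or from Cisco). Assumes a PIX
6.3(5)-style config where 'name <ip> <label>' lines map labels to addresses
and ACLs reference the label; the PIX substitutes the address at match time.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)\s*$")


def validate_pix_name(label, max_len=63, allow_period=True):
    """Return None if `label` is acceptable for a 'name' statement, else a reason.

    Rules follow the accepted answer: 63 chars on 6.3+ (16 on 6.0), must not
    begin with a digit, only letters, digits, '-', '_' (and '.' on 6.3(5)).
    """
    if not label:
        return "empty name"
    if len(label) > max_len:
        return f"longer than {max_len} characters"
    if label[0].isdigit():
        return "must not begin with a number"
    allowed = "-_" + ("." if allow_period else "")
    for ch in label:
        if not ((ch.isalnum() and ch.isascii()) or ch in allowed):
            return f"character {ch!r} not allowed"
    return None


def parse_names(config_lines):
    """Map label -> ip for every 'name' statement; reject a second name per IP."""
    by_label, seen_ips = {}, {}
    for ln in config_lines:
        m = NAME_RE.match(ln.strip())
        if not m:
            continue
        ip, label = m.group(1), m.group(2)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if ip in seen_ips and seen_ips[ip] != label:
            raise ValueError(f"IP {ip} already named {seen_ips[ip]}")
        seen_ips[ip] = label
        by_label[label] = ip
    return by_label


def update_name(config_lines, label, new_ip):
    """Return a new config with the 'name' line for `label` pointing at `new_ip`.

    Only the 'name' line changes; ACL lines referencing the label stay as-is.
    If the label has no 'name' line yet, one is appended.
    """
    ipaddress.ip_address(new_ip)
    problem = validate_pix_name(label)
    if problem:
        raise ValueError(f"bad name {label!r}: {problem}")
    out, changed = [], False
    for ln in config_lines:
        m = NAME_RE.match(ln.strip())
        if m and m.group(2) == label:
            out.append(f"name {new_ip} {label}")
            changed = True
        else:
            out.append(ln)
    if not changed:
        out.append(f"name {new_ip} {label}")
    return out


# Constructed sample config mirroring the accepted answer's example.
SAMPLE_CONFIG = [
    "names",
    "name 91.2.2.2 www.eggster.com",
    "name 77.1.1.2 corp_ftp",
    "name 10.0.0.5 my-inside-server",
    "access-list 101 permit tcp any host www.eggster.com eq 80",
    "access-list inbound permit tcp any host corp_ftp eq 21",
]

# Constructed stand-in for a DNS answer obtained from a management host.
RESOLVED = {"www.eggster.com": "212.9.9.9"}


def refresh(config_lines, resolved):
    """Apply every resolved address; returns (new_config, labels that changed)."""
    current = parse_names(config_lines)
    changed = []
    for label, ip in resolved.items():
        if current.get(label) != ip:
            config_lines = update_name(config_lines, label, ip)
            changed.append(label)
    return config_lines, changed


if __name__ == "__main__":
    new_cfg, changed = refresh(SAMPLE_CONFIG, RESOLVED)
    print("\n".join(new_cfg))
    print("changed:", changed)
```

Running it prints the config with only the www.eggster.com 'name' line rewritten to 212.9.9.9 and both ACL lines unchanged; pushing that one line to the PIX is the manual step the answer describes.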
 

Author Comment

by:eggster34
ID: 17146238
ok that's what I had feared and suspected.. many thanks to both of you. I'm splitting the points.
 
LVL 20

Expert Comment

by:calvinetter
ID: 17151080
You're welcome!
