  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 390

specify DNS server on PIX 506 for name resolution in access lists

Hi there
I have a PIX 506 that I'm configuring.
I need to access some remote hosts that have DNS name and whose addresses sometimes change or may change in the future.

Is there any way I can create an access-list like this where the name will be resolved dynamically?

access-list eggster line 71 permit tcp host host.eggster.com host eq http

I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX and was wondering if it was possible?

Thanks.
Asked by: eggster34
2 Solutions
 
rsivanandanCommented:
Hmmm. I don't think you can do this. If you use 'host.eggster.com', it will only be replaced from a 'name' statement.

Cheers,
Rajesh
 
calvinetterCommented:
>I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX...
  Unfortunately this can't be done on a PIX, not dynamically via DNS resolution (definitely not in PIX 6.x, & doesn't appear to be on PIX 7.x).

  If your main goal would be to make it easier to manage ACLs with a hostname you could use the "name" command as rsivanandan mentioned, which would allow you to make a single IP change in the config which would essentially update every reference to the host in your ACLs.
  The "name" statements are like lines in a hosts file - the hostnames are simply text strings that the PIX associates with the IP address that you've configured.  The text strings have some limitations:
- Limited to 63 characters (PIX 6.3 or above; 16 characters in PIX 6.0)
- Names can't begin with a number
- Allowed characters are a-z, A-Z, 0-9, a dash, and an underscore [and a period '.' in PIX 6.3(5) at least]
- Only 1 name can be assigned to an IP
- Can't use a 'name' in place of a subnet mask value: e.g., the following is NOT allowed: ip address inside 10.1.1.1 class_C_mask

  Example:
names    --> turns on use of 'name' statements (on by default)
name 91.2.2.2 www.eggster.com
name 77.1.1.2 corp_ftp
name 10.0.0.5 my-inside-server
  (now you can use ACL statements like the following):
access-list 101 permit tcp any host www.eggster.com eq 80
access-list inbound permit tcp any host corp_ftp eq 21

  If the IP for "www.eggster.com" changes, you simply need to change 1 line of your config:
name 212.9.9.9 www.eggster.com

cheers
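As an added example (not code from the thread or from Cisco), a small Python checker for the 'name' mechanism calvinetter describes: it parses 'name' lines from a constructed PIX-style config fragment, enforces the constraints listed above, shows which IP each ACL entry actually enforces, and performs the single-line IP change. The config text, hostnames and addresses are constructed for illustration.

```python
import re

# Constructed PIX 6.3-style config fragment modelled on the answer above (not a real device dump).
SAMPLE_CONFIG = """\
names
name 91.2.2.2 www.eggster.com
name 77.1.1.2 corp_ftp
access-list 101 permit tcp any host www.eggster.com eq 80
access-list inbound permit tcp any host corp_ftp eq 21
access-list inbound permit tcp any host 10.0.0.9 eq 22
"""

def validate_name(name: str) -> list:
    """Return which of the answer's 'name' constraints `name` violates (empty list = OK)."""
    problems = []
    if len(name) > 63:
        problems.append("longer than 63 characters")
    if name[:1].isdigit():
        problems.append("begins with a number")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        problems.append("contains characters outside a-z, A-Z, 0-9, '-', '_', '.'")
    return problems

def parse_names(config: str) -> dict:
    """Map hostname -> IP from 'name' lines; a second name for the same IP is an error."""
    names, seen_ips = {}, set()
    for line in config.splitlines():
        m = re.match(r"^name\s+(\S+)\s+(\S+)\s*$", line)
        if not m:
            continue
        ip, host = m.groups()
        if ip in seen_ips:
            raise ValueError(f"IP {ip} already has a name; only one name per IP is allowed")
        if validate_name(host):
            raise ValueError(f"invalid name '{host}': " + ", ".join(validate_name(host)))
        seen_ips.add(ip)
        names[host] = ip
    return names

def resolve_acls(config: str) -> list:
    """Expand 'host <name>' in access-list lines to the IP the PIX will actually enforce."""
    names = parse_names(config)
    acls = [line for line in config.splitlines() if line.startswith("access-list")]
    return [re.sub(r"host (\S+)", lambda m: "host " + names.get(m.group(1), m.group(1)), line) for line in acls]

def change_name_ip(config: str, host: str, new_ip: str) -> str:
    """The single-line change the answer describes: repoint `host` to `new_ip` in its 'name' statement."""
    pattern = re.compile(rf"^name\s+\S+\s+{re.escape(host)}\s*$", re.M)
    if not pattern.search(config):
        raise KeyError(f"no name statement for {host}")
    return pattern.sub(f"name {new_ip} {host}", config)
```

Running the checker over an exported config before pushing a 'name' change makes it obvious which ACL lines the change silently retargets, which is the behaviour the answer relies on.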
 
eggster34Author Commented:
OK, that's what I had feared and suspected. Many thanks to both of you. I'm splitting the points.
 
calvinetterCommented:
You're welcome!
