Solved

specify DNS server on PIX 506 for name resolution in access lists

Posted on 2006-07-19
4
381 Views
Last Modified: 2013-11-16
Hi there
I have a PIX 506 that I'm configuring.
I need to access some remote hosts that have DNS name and whose addresses sometimes change or may change in the future.

Is there any way I can create an access-list like this where the name will be resolved dynamically?

access-list eggster line 71 permit tcp host host.eggster.com host eq http

I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX and was wondering if it was possible?

Thanks.
0
Question by:eggster34
4 Comments
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 250 total points
ID: 17143668
Hmmm. I don't think you can do this. If you use 'host.eggster.com', it will only be replaced from a 'name' statement.

Cheers,
Rajesh
0
 
LVL 20

Accepted Solution

by:
calvinetter earned 250 total points
ID: 17143950
>I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX...
Unfortunately this can't be done on a PIX, not dynamically via DNS resolution (definitely not in PIX 6.x, & doesn't appear to be on PIX 7.x).

If your main goal is to make it easier to manage ACLs with a hostname, you could use the "name" command as rsivanandan mentioned, which would allow you to make a single IP change in the config which would essentially update every reference to the host in your ACLs.
The "name" statements are like lines in a hosts file - the hostnames are simply text strings that the PIX associates with the IP address that you've configured. The text strings have some limitations:
- Limited to 63 characters (PIX 6.3 or above; 16 characters in PIX 6.0)
- Names can't begin with a number
- Allowed characters are a-z, A-Z, 0-9, a dash, and an underscore [and a period '.' in PIX 6.3(5) at least]
- Only 1 name can be assigned to an IP
- Can't use a 'name' in place of a subnet mask value: e.g., the following is NOT allowed: ip address inside 10.1.1.1 class_C_mask

Example:
names    --> turns on use of 'name' statements (on by default)
name 91.2.2.2 www.eggster.com
name 77.1.1.2 corp_ftp
name 10.0.0.5 my-inside-server
(now you can use ACL statements like the following):
access-list 101 permit tcp any host www.eggster.com eq 80
access-list inbound permit tcp any host corp_ftp eq 21

If the IP for "www.eggster.com" changes, you simply need to change 1 line of your config:
name 212.9.9.9 www.eggster.com

cheers
0
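Added example, not from this thread or from Cisco: a small Python linter that applies the 'name' statement rules listed in the accepted answer to a constructed PIX config, flags ACL "host" references that are neither an IP literal nor a configured name, and, through a caller-supplied resolver callback (a hypothetical hook, not a PIX feature), reports names whose configured IP no longer matches what DNS answers today, since the PIX never re-resolves them.

```python
import re
from typing import Callable, Dict, List, Optional

MAX_NAME_LEN = 63  # PIX 6.3+ limit quoted above (16 in PIX 6.0)
# a-z, A-Z, 0-9, dash, underscore, period; must not begin with a digit
NAME_CHARS = re.compile(r"^[A-Za-z_.\-][A-Za-z0-9_.\-]*$")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # dotted-quad host address

# Constructed sample: the first three 'name' lines mirror the answer above,
# the rest are deliberately bad entries for the linter to catch.
SAMPLE_CONFIG = """\
names
name 91.2.2.2 www.eggster.com
name 77.1.1.2 corp_ftp
name 77.1.1.2 corp_ftp_alias
name 10.0.0.5 1bad-name
access-list 101 permit tcp any host www.eggster.com eq 80
access-list inbound permit tcp any host corp_ftp eq 21
access-list outbound permit tcp any host host.eggster.com eq 80
"""

def lint_pix_names(config: str,
                   resolver: Optional[Callable[[str], Optional[str]]] = None) -> List[str]:
    # Returns one finding per problem; an empty list means the config is clean.
    findings: List[str] = []
    names: Dict[str, str] = {}     # name -> IP
    ip_owner: Dict[str, str] = {}  # IP -> name (PIX allows one name per IP)
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name":
            ip, name = parts[1], parts[2]
            if len(name) > MAX_NAME_LEN or not NAME_CHARS.match(name):
                findings.append(f"invalid name syntax: {name}")
            elif ip in ip_owner:
                findings.append(f"{ip} is already named {ip_owner[ip]}; cannot also be {name}")
            else:
                ip_owner[ip], names[name] = name, ip
        elif parts[:1] == ["access-list"]:
            # every 'host X' must be an IP literal or a configured name
            for i, tok in enumerate(parts[:-1]):
                ref = parts[i + 1]
                if tok == "host" and not IP_LITERAL.match(ref) and ref not in names:
                    findings.append(f"ACL references undefined name: {ref}")
    # Staleness check (resolver is a hypothetical callback): the PIX never
    # re-resolves a name, so compare FQDN-looking names with today's DNS answer.
    if resolver:
        for name, ip in names.items():
            resolved = resolver(name)
            if "." in name and resolved and resolved != ip:
                findings.append(f"{name} now resolves to {resolved}; config still has {ip}")
    return findings
```

Run it periodically against a saved copy of the running config, with the resolver wired to your own DNS, to catch a 'name' line that has silently gone stale.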
 

Author Comment

by:eggster34
ID: 17146238
OK, that's what I had feared and suspected. Many thanks to both of you. I'm splitting the points.
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 17151080
You're welcome!
0
