specify DNS server on PIX 506 for name resolution in access lists

Hi there
I have a PIX 506 that I'm configuring.
I need to access some remote hosts that have DNS name and whose addresses sometimes change or may change in the future.

Is there any way I can create an access-list like this where the name will be resolved dynamically?

access-list eggster line 71 permit tcp host host.eggster.com host eq http

I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX and was wondering if it was possible?

Thanks.
Asked by: eggster34

2 Solutions
rsivanandan commented:
Hmmm. I don't think you can do this. If you use 'host.eggster.com', it will only be replaced from the 'name' statement.

Cheers,
Rajesh

calvinetter commented:
>I can specify a DNS server to be used for name resolution in a Cisco router, but I cannot do it on a PIX...
Unfortunately this can't be done on a PIX, not dynamically via DNS resolution (definitely not in PIX 6.x, & doesn't appear to be on PIX 7.x).

If your main goal would be to make it easier to manage ACLs with a hostname you could use the "name" command as rsivanandan mentioned, which would allow you to make a single IP change in the config which would essentially update every reference to the host in your ACLs.
The "name" statements are like lines in a hosts file - the hostnames are simply text strings that the PIX associates with the IP address that you've configured. The text strings have some limitations:
- Limited to 63 characters (PIX 6.3 or above; 16 characters in PIX 6.0)
- Names can't begin with a number
- Allowed characters are a-z, A-Z, 0-9, a dash, and an underscore [and a period '.' in PIX 6.3(5) at least]
- Only 1 name can be assigned to an IP
- Can't use a 'name' in place of a subnet mask value: e.g., the following is NOT allowed: ip address inside 10.1.1.1 class_C_mask

Example:
names    --> turns on use of 'name' statements (on by default)
name 91.2.2.2 www.eggster.com
name 77.1.1.2 corp_ftp
name 10.0.0.5 my-inside-server
(now you can use ACL statements like the following):
access-list 101 permit tcp any host www.eggster.com eq 80
access-list inbound permit tcp any host corp_ftp eq 21

If the IP for "www.eggster.com" changes, you simply need to change 1 line of your config:
name 212.9.9.9 www.eggster.com

cheers

eggster34 (Author) commented:
OK, that's what I had feared and suspected. Many thanks to both of you. I'm splitting the points.
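To make the static behaviour of the "name" table concrete, here is an added example in Python (not from the original post, and not Cisco code): it parses name statements using the limits listed in the answer above, performs the same text-only substitution the PIX does when it reads a host name in an access-list line, and adds the one check the PIX cannot do itself, comparing each configured IP against a caller-supplied set of current DNS answers to spot drift. The sample config and the DNS answers are constructed for the example.

```python
import re

# Name limits as listed in the answer above (PIX 6.3): up to 63 characters,
# must not begin with a digit, only letters, digits, '-', '_' (and '.' in 6.3(5)).
NAME_RE = re.compile(r"^[A-Za-z_.-][A-Za-z0-9_.-]{0,62}$")

# Constructed sample config following the answer's example (not a real device dump).
SAMPLE_CONFIG = """\
names
name 91.2.2.2 www.eggster.com
name 77.1.1.2 corp_ftp
access-list 101 permit tcp any host www.eggster.com eq 80
access-list inbound permit tcp any host corp_ftp eq 21
"""

def parse_names(config_text):
    """Build the static table {text: ip} from 'name <ip> <text>' lines.
    Rejects names outside the documented limits and a second name for one IP."""
    names, ip_to_name = {}, {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "name":
            continue
        ip, text = parts[1], parts[2]
        if not NAME_RE.match(text):
            raise ValueError(f"invalid name {text!r}")
        if ip_to_name.get(ip, text) != text:
            raise ValueError(f"{ip} already named {ip_to_name[ip]!r}")
        ip_to_name[ip] = text
        names[text] = ip
    return names

def expand_acls(config_text, names):
    """Rewrite each 'host <name>' in access-list lines as 'host <ip>'.
    This is the pure text substitution the PIX does; nothing is resolved via DNS."""
    expanded = []
    for line in config_text.splitlines():
        if not line.startswith("access-list"):
            continue
        toks = line.split()
        for i in range(1, len(toks)):
            if toks[i - 1] == "host" and toks[i] in names:
                toks[i] = names[toks[i]]
        expanded.append(" ".join(toks))
    return expanded

def find_drift(names, current_dns):
    """Return {name: (configured_ip, dns_ip)} where the two disagree.
    current_dns is {hostname: ip} supplied by the caller; the PIX never checks this."""
    return {n: (ip, current_dns[n]) for n, ip in names.items() if current_dns.get(n, ip) != ip}
```

Running find_drift on a schedule against a live resolver is the manual equivalent of the dynamic lookup the PIX lacks; any hit is a name line that needs the one-line change described in the answer.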

calvinetter commented:
You're welcome!