> There are two ways to go about this.  One is to configure an additional DNS
> MX record with a low value, for your internal clients only.  This MX record
> would point to the actual address of the machine (10.x.x.3).  Other clients
> won't use that MX record, as the address is unreachable, and they will use
> the next higher preference record.

I'm currently using the hosts file on the web server to get around this
problem - not a great solution, but it works.

> The other way is to use the alias command on the PIX.  I needed to read the
> documentation several times before I understood how the command works, and
> the behavior has changed depending on the version you are using.  So, check
> your manual for the version you are using, for the alias command syntax and
> usage.

Unfortunately this won't work if your DNS servers are in the dmz along with
the web server as the alias command only works with DNS packets retrieved
via the PIX. The PIX is not a router and so won't let packets that are being
sent to the external static mapped address of a dmz host back into the dmz.
I've spent weeks trying to find a good solution to this and it looks like I
have 2 choices - move my DNS servers to another interface of my PIX such as
inside (no way!), or use a second dmz (which means adding another card) to
host the DNS servers (so the alias command will work as expected). The hosts
file works but is a pain to maintain, although my mail IP addresses should
be pretty static so I shouldn't have to touch them much.

BTW: I'm running 4.4(1) at the moment.

Dan
