On Sat, 18 Mar 2000, you wrote:
> > There are two ways to go about this.  One is to configure an additional DNS
> > MX record with a low value, for your internal clients only.  This MX record
> > would point to the actual address of the machine (10.x.x.3).  Other clients
> > won't use that MX record, as the address is unreachable, and they will use
> > the next higher preference record.
> 
> I'm currently using the hosts file on the web server to get around this
> problem - not a great solution, but it works.

I tried this a few moments ago and it works.  I agree with you that this isn't
a great solution either, but it's cleaner than adding an MX record.

> 
> > The other way is to use the alias command on the PIX.  I needed to read the
> > documentation several times before I understood how the command works, and
> > the behavior has changed depending on the version you are using.  So, check
> > your manual for the version you are using, for the alias command syntax and
> > usage.
> 
> Unfortunately this won't work if your DNS servers are in the dmz along with
> the web server as the alias command only works with DNS packets retrieved
> via the PIX. The PIX is not a router and so won't let packets that are being
> sent to the external static mapped address of a dmz host back into the dmz,

Yes, this is the problem. It would be nice if Cisco added this as a feature, I
think.

> I've spent weeks trying to find a good solution to this and it looks like I
> have 2 choices - move my DNS servers to another interface of my PIX such as
> inside (no way!), or use a second dmz (which means adding another card) to
> host the DNS servers (so the alias command will work as expected). The hosts
> file works but is a pain to maintain, although my mail IP addresses should
> be pretty static so I shouldn't have to touch them much. 
> 
Thanks Dan for your solution. I agree with you that it's a pain to maintain.

------------------------------------------------------------------------------
Diederick van Dijk
Homepage: http://www.van-dijk.net
Linux Documentation: http://cpqlin.van-dijk.net
- Manager of Compaq And Linux Mailing List (see my homepage)
  (subscribe at [EMAIL PROTECTED])
- Paper about installing Red Hat on a Compaq with a Smart Array Controller
- Mini-Howto Linux PPP to NT with MS Chap and callback
------------------------------------------------------------------------------
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
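An added example, not from the thread, that models the MX-preference trick the quoted reply describes: a sending host walks the MX records in preference order, so an inside client lands on the internal-only record while an outside client cannot reach the private address and falls through to the public mapping. All names and addresses are constructed (the thread's 10.x.x.3 becomes 10.0.0.3, and 192.0.2.25 stands in for the public static mapping).

```python
# Constructed model of SMTP MX selection with an internal-only, low-preference
# MX record.  Not from the thread; names and addresses are made up.
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class MX:
    preference: int  # lower is tried first
    host: str
    address: str     # the A record the MX name resolves to


# Constructed zone: the 10.0.0.3 record is the internal-only MX (the
# thread's 10.x.x.3); 192.0.2.25 stands in for the public static mapping.
EXAMPLE_MX = [
    MX(20, "mail-ext.example.net", "192.0.2.25"),
    MX(10, "mail-int.example.net", "10.0.0.3"),
]


def choose_mx(records, reachable):
    """Walk MX records in preference order, as an SMTP client does, and
    return (chosen MX or None, list of addresses attempted).  Each address
    that `reachable` rejects models a failed connection attempt."""
    tried = []
    for mx in sorted(records, key=lambda r: r.preference):
        tried.append(mx.address)
        if reachable(mx.address):
            return mx, tried
    return None, tried


def is_rfc1918(address):
    """True for private addresses, which a host on the Internet cannot reach."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def internal_view(address):
    # Inside the firewall both addresses are routable.
    return True


def external_view(address):
    # From the Internet the private MX target is a dead end (connect fails).
    return not is_rfc1918(address)
```

The `tried` list makes the cost of the trick visible: every outside sender burns a failed connection attempt (a timeout in practice) against 10.0.0.3 before reaching the public MX, which the hosts-file and alias approaches avoid.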