On Sat, 18 Mar 2000, Diederick van Dijk wrote:

> > 
> > Unfortunately this won't work if your DNS servers are in the dmz along with
> > the web server as the alias command only works with DNS packets retrieved
> > via the PIX. The PIX is not a router and so won't let packets that are being
> > sent to the external static mapped address of a dmz host back into the dmz,
> 
> Yes, this is the problem. It would be nice if Cisco added this as a feature, I
> think.

This is a problem that a lot of people face. Wouldn't it make far more
sense if the PIX masqueraded as a DNS server (some feature that could be
turned on) and, if it receives a udp/tcp connection on port 53, looks at
the packet and proxies it and the response to the appropriate inside
server?

Then, when the response comes back, it rewrites any IP addresses that 
have existing conduits back to the inside address. 

It makes sense, and wouldn't be too hard to implement. As long as it was
only supported for the inside interface, you'd be set.

-john

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

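As an added illustration (not part of john's post, and not a description of any actual PIX feature), here is the response-rewriting step he sketches, in Python: walk a DNS response, and for every IN A record whose address has a static (outside -> DMZ) mapping, overwrite the four rdata bytes with the inside address. The mapping table, the names and the addresses are constructed example values, and the packet is built by hand rather than captured.

```python
import struct

# Static NAT table, outside (external) address -> DMZ address.
# Constructed example values standing in for the PIX "static" entries.
STATIC_MAP = {
    "203.0.113.10": "192.168.10.10",   # web server
    "203.0.113.53": "192.168.10.53",   # DNS server
}

def _ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def _bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def _skip_name(msg, off):
    """Return the offset just past a possibly compressed DNS name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, and it ends the name
            return off + 2
        off += 1 + length

def _iter_rrs(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every RR after the question section."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QNAME, then QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen

def rewrite_a_records(response, nat_map=STATIC_MAP):
    """Return a copy of a DNS response in which every IN A address found in
    nat_map is replaced by its mapped address.  The header, the question and
    any address not in the table are left untouched.  A message with the QR
    bit clear is a query and is returned unchanged."""
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:
        return response
    out = bytearray(response)
    for rtype, rclass, off, rdlen in _iter_rrs(response):
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A record, 4-byte rdata
            addr = _bytes_to_ip(response[off:off + 4])
            if addr in nat_map:
                out[off:off + 4] = _ip_to_bytes(nat_map[addr])
    return bytes(out)

def a_records(msg):
    """List the IN A addresses in a DNS message, in wire order (used to check results)."""
    return [_bytes_to_ip(msg[off:off + 4])
            for rtype, rclass, off, rdlen in _iter_rrs(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]

def _encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response to an A query (constructed test input, not
    a capture).  Each answer's owner name is a compression pointer (0xC00C)
    back to the question name at offset 12, as real servers emit."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0)   # QR=1 RD=1 RA=1
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip_to_bytes(ip)
                   for ip in answers)
    return header + question + rrs

if __name__ == "__main__":
    # The DMZ name server answers with the outside (static) address, as in the thread.
    reply = build_response("www.example.com", ["203.0.113.10", "198.51.100.7"])
    print("before:", a_records(reply))              # ['203.0.113.10', '198.51.100.7']
    doctored = rewrite_a_records(reply)
    print("after: ", a_records(doctored))           # ['192.168.10.10', '198.51.100.7']
```

Because A rdata is always four bytes, the rewrite never changes the message length, so UDP datagrams can be overwritten in place; a TCP-framed DNS stream would need its two-byte length prefix and segmentation handled as well. Only A records are touched here; AAAA, CNAME chains and glue in the additional section pass through unchanged, which is the behaviour john describes (rewrite what has a mapping, leave the rest).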