On Mon, 27 Mar 2000, Daniel Crichton wrote:
> Just to clear things up, I have a PIX with 4 interfaces. My DNS servers are on
> the same interface ("dmz") as my web and mail servers, not on the outside.
> The alias command not only changes packets from these DNS servers back
> to the inside but also allows me to use the global outside static mapped
> addresses for the hosts in my "dmz" segment and automatically reroutes the
> packets to the correct hosts, whether using DNS, http, ping, whatever. So in
> this case the alias command is doing more than it first appears, and I can
> verify it by removing it - my inside users then can't use my outside
> addresses to get at my "dmz" servers.
Well, I guess the problem is that this solution requires that you have
three interfaces on the PIX at a minimum. We've only got two here, and it
seems that the real solution is to add an interface, and move the DNS
servers onto the DMZ.
Do you know if aliasing works for nameservers that aren't part of the DMZ;
for example, a nameserver way out on the internet that's returning answers
for your local network (i.e. you've got your primary nameserver at a
hosting facility, but certain hosts are inside your network, and your
hosts inside reference that host name?)
> How would you tell your hosts to ricochet requests off the PIX? They only pass
I guess I'd do that by using the PIX as a virtual nameserver, but now that
I look at this problem again it seems like a terrible idea.
> option. What you could do is move your DNS servers to another interface of
> the PIX (not outside) and then the PIX can modify the packets when
> requested. I don't think you can set up statics to the inside so that you use
> the outside (or 3rd interface) addresses for your DNS setup to make the
> requests which would then pass into the PIX, and have it redirect the packets
> back to the inside DNS server, as the PIX doesn't appear to allow packets to
> have a source and destination on the same interface. But I haven't tried this,
> so I don't know for sure. I agree that the alias command needs more
> capabilities as it could be really powerful except that it's restricted to use
> only for requests from a high security level to a lower level.
I had a TON of problems getting a DMZ configured on our other PIX,
everything from not getting packets through to no DNS resolution.
I'll probably try the alias solution again when work hell subsides,
and I go in to reconfigure our production network (yay, we got backup
PIXes finally!)
-john