CCIE Written: DNS and NAT [7:29461]

2001-12-18 Thread John Tafasi

Does anybody have a good resource that explains how NAT on the firewall works
with DNS?


Thanks

John Tafasi




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29461&t=29461
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: CCIE Written: DNS and NAT [7:29461]

2001-12-18 Thread Phil

John- specifically what is your question ???  I've had to do a lot of
DNS related research these past few months (using Meta, Garner, White
Papers, Berkeley, Microsoft, etc.), but I don't believe I have seen
specific issues with NAT and DNS.  The firewalls must be configured to
pass UDP port 53 and can enforce an access-list only to allow certain
servers (say the ISP's primary and yours), TSIG (BIND), or to proxy.
With proxy (say Gauntlet or Symantec's Raptor line-up) the NAT or PAT
portion plays no role.  As the query moves, at no time should the DNS
server being polled need to cache the resolver's information (does this
make sense ???).  I guess what I am trying to say is that it does not
matter if I am requesting from a global IP address or a private 10.0.0.0
address.  If your lookup is recursive or iterative, the firewall has a
state table, NAT statistics, or a PAT lookup (UNIX programs refer to it
as IP Masquerading), mapping it back to the resolver (be it PC or file
server) that initiated the lookup.

I believe I may not have answered your question.

Let me know- I never was asked to deliver my DNS presentation and I'm
still miffed I've been studying such a boring subject as of late :-)
Phil





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29478&t=29461



RE: CCIE Written: DNS and NAT [7:29461]

2001-12-18 Thread Patrick Ramsey

You said all that needed to be said... basically, UDP port 53 needs to be
allowed through (TCP for zone transfers), so if you have a static translation to
a DNS server in a DMZ from the outside, your ACL would look similar to this
(PIX):

access-list outside permit udp any host 63.203.193.205 eq 53

with a static statement of

static (inside,outside) 63.203.193.205 10.70.48.50 netmask 255.255.255.255 0 0

For hosts on the inside interface (or a higher security interface) that need
to access DNS on the Internet, a nat and global statement are needed
(perhaps with an overload switch), in which case the state of the connection
would be kept within the firewall and will look similar to this:

PAT Global 63.203.193.205(59378) Local 10.11.51.90(1058)

-Patrick





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29484&t=29461
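Added example, not code from any poster or from Cisco: a small Python model of what the thread describes, the PIX static plus PAT that Patrick shows (replies mapped back to the resolver through the state table, as Phil describes; unsolicited replies have no state and are dropped) and the rewriting of A records in DNS replies that Kent's link covers. The DNS message, the name ns.example.com and the 59378 starting PAT port are constructed for the example.

```python
import struct

# Constructed model of the PIX setup in Patrick's post (not PIX code): static + PAT on one global.
GLOBAL_IP = "63.203.193.205"
STATIC = {"10.70.48.50": GLOBAL_IP}   # inside -> global, one-to-one
pat_table = {}                         # global port -> (local ip, local port)

def outbound_query(local_ip, local_port):  # inside resolver's query gets a PAT entry
    gport = 59378 + len(pat_table)         # constructed starting port, as in the xlate shown
    pat_table[gport] = (local_ip, local_port)
    return GLOBAL_IP, gport

def inbound_packet(src_port, dst_port):
    """Outside -> global address: static, PAT state, or drop."""
    if dst_port == 53:                         # ACL: permit udp any host GLOBAL_IP eq 53
        return ("10.70.48.50", 53)             # static to the DMZ server
    if src_port == 53 and dst_port in pat_table:
        return pat_table[dst_port]             # reply mapped back to the resolver
    return None                                # unsolicited, no state: dropped

def _skip_name(msg, off):
    """Advance past a DNS name: labels or a 2-byte 0xC0xx compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def doctor_reply(msg):
    """Rewrite A-record rdata per STATIC so outside clients never see 10.70.48.50."""
    out = bytearray(msg)
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4         # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            ip = ".".join(map(str, msg[off:off + 4]))
            if ip in STATIC:
                out[off:off + 4] = bytes(map(int, STATIC[ip].split(".")))
        off += rdlen
    return bytes(out)

def build_a_reply(name, ip):  # constructed sample: one question, one A answer (0xC00C pointer)
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return hdr + qname + struct.pack("!HH", 1, 1) + rr
```

A real firewall keys its state on the remote address too and fixes up the UDP checksum after rewriting; the model keeps only the port logic to show the mapping.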



RE: CCIE Written: DNS and NAT [7:29461]

2001-12-18 Thread Kent Hundley

John,

Here's a link to a doc that talks about how NAT translates DNS replies:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htm

HTH,
Kent





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29486&t=29461



Re: CCIE Written: DNS and NAT [7:29461]

2001-12-18 Thread K. Muhammad

Why.. It is not on the test..




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29610&t=29461



Re: CCIE Written: DNS and NAT [7:29461]

2001-12-19 Thread John Tafasi

Thanks Phil and everybody for your efforts to answer my questions. To be
more specific, I have included the scenario that caused me to start this
thread. Visit the link below and view the graphic and the solution to the
scenario.



Click here and wait until the word document loads

I will post more DNS-NAT scenarios later for discussion. So please stay
tuned.

Thanks

John Tafasi








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29631&t=29461



Re: CCIE Written: DNS and NAT [7:29461]

2001-12-19 Thread John Tafasi

Thanks Phil and everybody for your efforts to answer my questions. To be
more specific, I have included the scenario that caused me to start this
thread. Visit the link below and view the graphic and the solution to the
scenario. (watch the wrap around the link)


http://us.f1.yahoofs.com/users/2362c12b/bc/Questions/NAT-DNS1.doc?bcGtOc8AMRWqvCn2

I will post more DNS-NAT scenarios later for discussion. So please stay
tuned.

Thanks

John Tafasi






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29632&t=29461



Re: CCIE Written: DNS and NAT [7:29461]

2001-12-19 Thread Howard C. Berkowitz

>Why.. It is not on the test..

The test is not the world, the Day After.

Wasn't that a James Bond movie?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29634&t=29461