Re: PIX % DNS Doctoring [7:33331]

2002-01-30 Thread Godswill HO

Hi,

Check your dns doctoring alias command:
alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255

The order above is wrong. I assume the address assigned to the DNS server is
10.128.128.30 and 200.219.100.30 is only a globally translated address. The
correct order should have been:

alias (inside) 10.128.128.30 200.219.100.30 255.255.255.255

This command will try to initiate the DNS doctoring from the inside client
and replace all DNS responses having 200.219.100.30 with 10.128.128.30, and
not the other way round as you initially had it configured.

Contact me again where necessary.

Regards.
Oletu

- Original Message -
From: Dante Martins 
To: 
Sent: Tuesday, January 29, 2002 5:18 AM
Subject: RE: PIX % DNS Doctoring [7:1]


> I have a DNS on inside using static (200.219.100.30 10.128.128.30). The
> DNS database is resolving names to valid IPs. The problem is the
> workstations from inside can't access these servers using the valid
> IPs. I found some docs on the Cisco site about DNS Doctoring
> ( http://www.cisco.com/warp/public/110/alias.html ) but in the Cisco
> example the DNS is on outside. I need that DNS to forward some zones to
> another DNS that is inside the VPN, so... if I move that DNS (200.219.100.30)
> to the outside interface it will not have access to the network
> 10.250.0.0 (VPN). I had the same problem in another situation but I was
> using Checkpoint Firewall-1 and it worked.
>
> Is there some way to make it work (using DNS on inside with static) or do I
> need to move it to outside??
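As an added illustration (not Cisco code and not anything posted in this thread), the Python below emulates what the PIX alias DNS-doctoring rewrite described above does to a DNS reply: it builds the {foreign_ip: dnat_ip} table from "alias (ifname) dnat_ip foreign_ip netmask" lines, parses a DNS message, and rewrites every A record carrying a foreign (global) address to the inside address. Only host-mask alias entries are handled, and the DNS reply it processes is constructed in the script rather than captured.

```python
import socket
import struct

# Constructed from the corrected alias line in this thread (host mask only).
PIX_CONFIG = [
    "alias (inside) 10.128.128.30 200.219.100.30 255.255.255.255",
]


def alias_table_from_config(lines):
    """Build {foreign_ip: dnat_ip} from PIX lines of the form
    'alias (ifname) dnat_ip foreign_ip [netmask]'.  Only host entries
    (netmask 255.255.255.255 or omitted) are handled in this example."""
    table = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "alias":
            dnat_ip, foreign_ip = parts[2], parts[3]
            table[foreign_ip] = dnat_ip
    return table


def _skip_name(pkt, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(pkt):
    """Yield the rdata offset of every IN A record in the answer, authority
    and additional sections of a DNS message (RFC 1035 wire format)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_ips(pkt):
    """List the A-record addresses carried in a DNS message."""
    return [socket.inet_ntoa(bytes(pkt[o:o + 4])) for o in _a_record_offsets(pkt)]


def doctor_dns_response(pkt, alias_table):
    """Apply PIX-style DNS doctoring: each A record whose address is a
    foreign_ip in alias_table is rewritten to the matching dnat_ip.
    Queries (QR bit clear) are returned untouched.  Returns (packet, count)."""
    buf = bytearray(pkt)
    flags = struct.unpack("!H", buf[2:4])[0]
    if not flags & 0x8000:
        return bytes(buf), 0
    rewritten = 0
    for off in _a_record_offsets(buf):
        ip = socket.inet_ntoa(bytes(buf[off:off + 4]))
        if ip in alias_table:
            buf[off:off + 4] = socket.inet_aton(alias_table[ip])  # same length
            rewritten += 1
    return bytes(buf), rewritten


def build_a_response(name, ips, response=True, txid=0x1234):
    """Construct a minimal DNS message with one IN A record per address
    (sample data for this example, not a captured packet)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    msg = struct.pack("!6H", txid, flags, 1, len(ips), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for ip in ips:
        # owner name is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return msg


if __name__ == "__main__":
    table = alias_table_from_config(PIX_CONFIG)
    reply = build_a_response("dns.example.test", ["200.219.100.30", "200.219.100.31"])
    doctored, n = doctor_dns_response(reply, table)
    print(n, answer_ips(reply), "->", answer_ips(doctored))
```

With the alias arguments in the order originally posted (global address first), the table maps 10.128.128.30 to 200.219.100.30 and a reply carrying the global address is left unchanged, which is the symptom described in the thread.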

RE: PIX % DNS Doctoring [7:33331]

2002-01-29 Thread Dante Martins
> Regards.
> Oletu
>
> - Original Message -
> From: Dante Martins
> To:
> Sent: Saturday, January 26, 2002 4:58 PM
> Subject: PIX % DNS Doctoring [7:1]
>
>
> > Does somebody know how to do DNS doctoring on PIX?
> > I have the DNS on the DMZ with static and the client workstations are on
> > the inside interface.
> > Dante
> >
> >
> >

> > This email has been scanned for all viruses by the MessageLabs service.
> _
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33581&t=1
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX % DNS Doctoring [7:33331]

2002-01-29 Thread Dante Martins
-Original Message-
From: Godswill HO [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 26, 2002 7:43 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX % DNS Doctoring [7:1]


Hi,

It really depends on what you want to do or implement for the DNS. The DNS
guard on PIX is enabled by default and it cannot be disabled nor configured.
It helps to prevent DoS attacks by tearing down the UDP conduit on
the PIX firewall as soon as the DNS response is received, not waiting until
the default UDP timer has expired, which is 2 minutes (almost an eternity
in the computer world).

Th

Re: PIX % DNS Doctoring [7:33331]

2002-01-29 Thread Dante Martins
e you can alter the default DNS timeout which is 5 seconds by
> using:
>
> #IP inspect dns-timeout
>
> It simply specifies the length of time a DNS name lookup session will
> still be managed after no activity.
>
> In case you need further help, feel free to ask specific questions.
>
> Regards.
> Oletu
>
> - Original Message -
> From: Dante Martins
> To:
> Sent: Saturday, January 26, 2002 4:58 PM
> Subject: PIX % DNS Doctoring [7:1]
>
>
> > Does somebody know how to do DNS doctoring on PIX?
> > I have the DNS on the DMZ with static and the client workstations are on
> > the inside interface.
> > Dante
> >
> >
> > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33387&t=1



RE: PIX % DNS Doctoring [7:33331]

2002-01-29 Thread Keyur Shah

Dante,

Try this document,
http://www.cisco.com/warp/public/110/alias.html

-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
css1,ccna,ccda,scsa,scna,mct,mcse,mcp+i,mcp,cni,mcne,cne,cna
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556 
"Now offering CCIE Security Lab Workbook and remote bootcamp,
http://www.hellocomputers.com/hellosuccess.html"

-Original Message-
From: Dante Martins [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 26, 2002 4:58 PM
To: [EMAIL PROTECTED]
Subject: PIX % DNS Doctoring [7:1]


Does somebody know how to do DNS doctoring on PIX?
I have the DNS on the DMZ with static and the client workstations are on the
inside interface.
Dante







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33389&t=1



PIX % DNS Doctoring [7:33331]

2002-01-29 Thread Dante Martins

I have a DNS on inside using static (200.219.100.30 10.128.128.30). The
DNS database is resolving names to valid IPs. The problem is the
workstations from inside can't access these servers using the valid
IPs. I found some docs on the Cisco site about DNS Doctoring
( http://www.cisco.com/warp/public/110/alias.html ) but in the Cisco
example the DNS is on outside. I need that DNS to forward some zones to
another DNS that is inside the VPN, so... if I move that DNS (200.219.100.30)
to the outside interface it will not have access to the network
10.250.0.0 (VPN). I had the same problem in another situation but I was
using Checkpoint Firewall-1 and it worked.

Is there some way to make it work (using DNS on inside with static) or do I
need to move it to outside??



CONF MAIN PIX

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password *** encrypted
passwd ** encrypted

hostname MAIN

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

names
access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0
255.255.255.0
access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0
255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0
255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0
255.255.240.0
access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0
255.255.255.0
access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0
255.255.255.0

pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown

mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500

ip address outside 200.219.100.2 255.255.255.0
ip address inside 10.128.159.253 255.255.224.0
ip address DMZ1 10.255.255.254 255.255.224.0
ip address intf3 10.250.11.254 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255

ip audit info action alarm
ip audit attack action alarm

no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0

pdm history enable
arp timeout 14400

global (outside) 1 200.219.100.100-200.219.100.199
global (outside) 1 200.219.100.200
global (DMZ1) 1 10.255.224.10-10.255.224.70
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0

alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255


static (inside,outside) 200.219.100.26 10.128.128.26 netmask
255.255.255.255 0 0
static (inside,outside) 200.219.100.30 10.128.128.30 netmask
255.255.255.255 0 0
static (inside,outside) 200.219.100.31 10.128.128.32 netmask
255.255.255.255 0 0
static (inside,outside) 200.219.100.54 10.128.128.54 netmask
255.255.255.255 0 0


conduit permit icmp any any

conduit permit tcp host 200.219.100.30 eq www any
conduit permit tcp host 200.219.100.30 eq domain any
conduit permit udp host 200.219.100.30 eq domain any

conduit permit tcp host 200.219.100.31 eq www any
conduit permit tcp host 200.219.100.31 eq domain any
conduit permit udp host 200.219.100.31 eq domain any

conduit permit tcp host 200.219.100.26 eq 161 any
conduit permit tcp host 200.219.100.26 eq 162 any
conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any

conduit permit tcp host 200.219.100.54 eq domain any
conduit permit udp host 200.219.100.54 eq domain any
conduit permit tcp host 200.219.100.54 eq 22 any


route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
route outside 10.0.64.0 255.255.224.0 10.128.159.252 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

snmp-server host inside 10.128.128.21
snmp-server location mainsite
snmp-server contact support@mainsite
snmp-server community pixpix
snmp-server enable traps

floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat


crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 1 ipsec-isakmp
crypto map cmap 1 match address 101
crypto map cmap 1 set peer 200.200.100.2
crypto map cmap 1 set transform-set strong

crypto map cmap 2 ipsec-isakmp
crypto map cmap 2 match address 102
crypto map cmap 2 set peer 200.200.111.2
crypto map cmap 2 set transform-set strong

crypto map cmap 3 ipsec-isakmp
crypto map cmap 3 match address 103
crypto map cmap 3 set peer 200.200.222.2
crypto map cmap 3 set transform-set strong

crypto map cmap 4 ipsec-isakmp
crypto map cmap 4 match address 104
crypto map cmap 4 set peer 200.202.202.2
crypto map cmap 4 set transform-set strong

crypto map cmap 5 ipsec-isakmp
crypto map cmap 5 match address 105
crypto map cmap 5 set peer 205.205.205.2
crypto map cmap 5 set transform-set strong

crypto map cmap interface outside

isakmp enable outside
isakmp key  address 200.200.100.2 netmask 255.255.255.255
isakmp key  address 200.219.100.4 netmask 255.255.255.255
isakmp key  address 200.200.111.2 netmask 255.255.255.255
isakmp key  address 200.200.222.2 netmask 255.255.255.255
isakmp key  address 200.202.202.2 netmask 255.255.255.255
isakmp key  address 205.205.205.2 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600

telnet 10.128.128.0 255.255.224.0 inside
telnet 10.128.128.0 255.255.224.0 DMZ1
telnet timeout 5

ssh timeout 5







CONF of office1 PIX:


PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ** encrypted
passwd *** encrypted

hostname office1

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

names
access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.3.0
255.255.255.0
access-list 102 permit ip 172.16.0.0 255.255.0.0 10.128.128.0
255.255.224.0
pager lines 24

logging on
interface ethernet0 auto
interface ethernet1 auto

mtu outside 1500
mtu inside 1500

ip address outside 200.200.100.2 255.255.255.240
ip address inside 172.16.3.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 1 200.200.100.3-200.200.100.10
global (outside) 1 200.200.100.11

nat (inside) 1 172.16.0.0 255.255.0.0 0 0

static (inside,outside) 200.200.100.12 172.16.3.25 netmask
255.255.255.255 0 0

conduit permit gre any any
conduit permit icmp any any

conduit permit udp host 211.211.211.251 eq domain any
conduit permit tcp host 211.211.211.251 eq domain any
conduit permit tcp host 211.211.211.251 eq smtp any
conduit permit udp host 211.211.211.251 eq 25 any

conduit permit tcp host 200.200.100.12 eq domain any
conduit permit udp host 200.200.100.12 eq domain any
conduit permit tcp host 200.200.100.12 eq smtp any

conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any

route outside 0.0.0.0 0.0.0.0 200.200.100.1 1
route inside 172.16.15.0 255.255.255.0 172.16.3.254 1
route inside 172.17.0.0 255.255.0.0 172.16.3.254 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

snmp-server host outside 200.219.100.26
snmp-server location "Office1"
snmp-server contact support@office1
snmp-server community pixpix
snmp-server enable traps

floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat

crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 10 ipsec-isakmp
crypto map cmap 10 match address 101
crypto map cmap 10 set peer 200.200.111.2

crypto map cmap 10 set transform-set strong
crypto map cmap 20 ipsec-isakmp
crypto map cmap 20 match address 102
crypto map cmap 20 set peer 200.219.100.2

crypto map cmap interface outside

isakmp enable outside
isakmp key  address 200.200.111.2 netmask 255.255.255.255
isakmp key  address 200.219.100.2 netmask 255.255.255.255
isakmp key  address 200.200.100.2 netmask 255.255.255.255

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600

telnet 172.16.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80




-Original Message-
From: Godswill HO [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 26, 2002 10:45 PM
To: Dante Martins; [EMAIL PROTECTED]
Subject: Re: PIX % DNS Doctoring [7:1]


Hi,

It really depends on what you want to do or implement for the DNS. The DNS
guard on PIX is enabled by default and it cannot be disabled nor configured.
It helps to prevent DoS attacks by tearing down the UDP conduit on
the PIX firewall as soon as the DNS response is received, not waiting until
the default UDP timer has expired, which is 2 minutes (almost an eternity
in the co

Re: PIX % DNS Doctoring [7:33331]

2002-01-29 Thread John Kaberna

Godswill I believe he is asking about the alias command since that is
specifically used for DNS doctoring.  But, if his clients are on the same
network as the DNS server it won't work.  But, as you said, I'm not quite
sure what he is asking.

http://www.cisco.com/warp/public/110/alias.html

You are also sort of incorrect if you are saying that you can't adjust the
DNS timers. You can't adjust the specific DNS timers themselves, but you can
adjust the UDP timer.  I'm not sure if that's what you meant.  You are very
correct that 2 minutes is an eternity and I think that is way too long to
have a UDP connection open.  Just change the UDP timeout conn as shown
below.  The example is changed to one minute.

timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00

John Kaberna
CCIE #7146
www.netcginc.com
(415) 750-3800

Instructor for 5-day CCIE class for ccbootcamp.com
__
CCIE Security Training
www.netcginc.com/training.htm

"Godswill HO" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> It really depends on what you want to do or implement for the DNS. The DNS
> guard on PIX is enabled by default and it cannot be disabled nor configured.
> It helps to prevent DoS attacks by tearing down the UDP conduit on
> the PIX firewall as soon as the DNS response is received, not waiting until
> the default UDP timer has expired, which is 2 minutes (almost an eternity
> in the computer world).
>
> The other doctoring you can do on DNS is on CBAC (Context Based Access
> Control). Here you can alter the default DNS timeout which is 5 seconds by
> using:
>
> #IP inspect dns-timeout
>
> It simply specifies the length of time a DNS name lookup session will
> still be managed after no activity.
>
> In case you need further help, feel free to ask specific questions.
>
> Regards.
> Oletu
>
> - Original Message -
> From: Dante Martins
> To:
> Sent: Saturday, January 26, 2002 4:58 PM
> Subject: PIX % DNS Doctoring [7:1]
>
>
> > Does somebody know how to do DNS doctoring on PIX?
> > I have the DNS on the DMZ with static and the client workstations are on
> > the inside interface.
> > Dante
> >
> >
> > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33346&t=1



Re: PIX % DNS Doctoring [7:33331]

2002-01-26 Thread Allen May

Workstations should be in the highest security NIC & therefore should be
able to connect to the DNS servers on a DMZ with no doctoring.  In some
cases people use an alias to translate the internal IP of the DNS server to
the external for users inside the firewall trying to reach the DNS server.
If that is your case, try looking up alias commands.  Otherwise, it's all
enabled outbound unless access-list commands are enabled from inside -> DMZ.


- Original Message -
From: "Godswill HO" 
To: 
Sent: Saturday, January 26, 2002 9:43 PM
Subject: Re: PIX % DNS Doctoring [7:1]


> Hi,
>
> It really depends on what you want to do or implement for the DNS. The DNS
> guard on PIX is enabled by default and it cannot be disabled nor configured.
> It helps to prevent DoS attacks by tearing down the UDP conduit on
> the PIX firewall as soon as the DNS response is received, not waiting until
> the default UDP timer has expired, which is 2 minutes (almost an eternity
> in the computer world).
>
> The other doctoring you can do on DNS is on CBAC (Context Based Access
> Control). Here you can alter the default DNS timeout which is 5 seconds by
> using:
>
> #IP inspect dns-timeout
>
> It simply specifies the length of time a DNS name lookup session will
> still be managed after no activity.
>
> In case you need further help, feel free to ask specific questions.
>
> Regards.
> Oletu
>
> - Original Message -
> From: Dante Martins
> To:
> Sent: Saturday, January 26, 2002 4:58 PM
> Subject: PIX % DNS Doctoring [7:1]
>
>
> > Does somebody know how to do DNS doctoring on PIX?
> > I have the DNS on the DMZ with static and the client workstations are on
> > the inside interface.
> > Dante
> >
> >
> > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33347&t=1



Re: PIX % DNS Doctoring [7:33331]

2002-01-26 Thread Godswill HO

Hi,

It really depends on what you want to do or implement for the DNS. The DNS
guard on PIX is enabled by default and it cannot be disabled nor configured.
It helps to prevent DoS attacks by tearing down the UDP conduit on
the PIX firewall as soon as the DNS response is received, not waiting until
the default UDP timer has expired, which is 2 minutes (almost an eternity
in the computer world).

The other doctoring you can do on DNS is on CBAC (Context Based Access
Control). Here you can alter the default DNS timeout which is 5 seconds by
using:

#IP inspect dns-timeout 

It simply specifies the length of time a DNS name lookup session will
still be managed after no activity.

In case you need further help, feel free to ask specific questions.

Regards.
Oletu

- Original Message -
From: Dante Martins 
To: 
Sent: Saturday, January 26, 2002 4:58 PM
Subject: PIX % DNS Doctoring [7:1]


> Does somebody know how to do DNS doctoring on PIX?
> I have the DNS on the DMZ with static and the client workstations are on
> the inside interface.
> Dante
>
>
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33342&t=1



PIX % DNS Doctoring [7:33331]

2002-01-26 Thread Dante Martins

Does somebody know how to do DNS doctoring on PIX?
I have the DNS on the DMZ with static and the client workstations are on
the inside interface.
Dante







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1&t=1