Cisco Support Community

New Member

PIX DNS/Hostname Blocking/Configuration

I started out on a mission to block instant messaging- (AIM, Yahoo, MSN)

To avoid an endless list of IPs, I was planning on blocking the login servers by DNS name. I soon discovered that our PIX cannot resolve any hostnames. It can ping to the outside world just fine, but it cannot ping any hostname, including itself. DNS server configuration seems to be a different beast altogether on PIX.

Am I missing something? How should I go about making this possible?

Thanks!

-Paul

Some brief info:

Cisco PIX Firewall Version 6.2(2)

Cisco PIX Device Manager Version 2.1(1)

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

3 REPLIES
Silver

Re: PIX DNS/Hostname Blocking/Configuration

Hi Paul,

No, you are right.

Unlike a router, you cannot configure the PIX to use any DNS server for name resolution. But what you can do is use the following command to name your IPs:

name

So, if you define, name www.test.com 10.1.1.1 then you can ping this address by the www.test.com. No need to use the ip address.

But defining a separate DNS server for name resolution is not possible on the PIX Firewall.

I hope this answers your question. Thanks,

Mynul

New Member

Re: PIX DNS/Hostname Blocking/Configuration

I see. So what is the best way to deal with restricting access to DNS names that resolve to multiple and/or dynamic IPs?

Are there any alternatives to manually maintaining a host file/access list?

Thanks for your help!

-P

Silver

Re: PIX DNS/Hostname Blocking/Configuration

Hi,

The best and only solution is to use url filtering. You can filter the web traffic based on domain name, ip addresses or specific keyword etc...

Here is a link that explains:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008c103.html#xtocid9

With the newer versions of PIX code, this feature has been improved a lot. Please refer to the command reference of the version you are running. PIX can support Websense and N2H2 URL filtering servers.

Unlike the NBAR feature on the router, PIX cannot do similar things like packet marking and dropping; rather, it relies on external web filtering servers like Websense or N2H2.

I hope this helps! Thanks,

Mynul
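To tie the two replies together, here is an added configuration sketch for PIX 6.x (not from this thread or from Cisco's documentation) that shows both approaches: static `name` entries used in an outbound access list, and handing HTTP off to a Websense URL server. The interface names, the `im-login-*` hostnames and every IP address are constructed placeholders; only the command keywords are real PIX syntax.

```text
! --- 1. Static name-to-IP mapping (PIX syntax is: name <ip> <hostname>) ---
! Enables use of symbolic names in other commands.
names
! Constructed placeholder addresses; in practice these must be kept in
! sync by hand because the PIX itself never queries DNS.
name 192.0.2.10 im-login-1
name 192.0.2.11 im-login-2

! --- 2. Outbound access list that refers to the names above ---
! Deny the IM login ports to the named hosts, then allow everything else.
access-list outbound deny tcp any host im-login-1 eq 5190
access-list outbound deny tcp any host im-login-2 eq 5190
access-list outbound permit ip any any
access-group outbound in interface inside

! --- 3. HTTP URL filtering via an external Websense server ---
! 192.0.2.50 is a constructed placeholder for the filtering server.
url-server (inside) host 192.0.2.50 timeout 5 protocol TCP version 1
! Filter all HTTP from any inside host to any outside host.
! Omitting the trailing "allow" keyword makes the PIX fail closed:
! if the URL server is unreachable, HTTP is blocked rather than passed.
filter url http 0 0 0 0
```

Caveat for the dynamic-IP question: the `name` entries are static, so a login server that moves to a new address silently escapes the access list until the table is updated; the URL server approach avoids that for HTTP only, since non-HTTP IM ports still depend on the address-based rules.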
