"IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently."
Assume a network topology is like this:
A PIX with 3 interfaces:
inside interface (private static IP of 10.10.10.1)
outside interface (public static IP of 22.214.171.124)
DMZ interface (private static IP of 126.96.36.199)
1) Will the above said "reverse DNS entries" apply to this case?
2) If not, in what circumstances will the "reverse DNS entries" apply?
What they are trying to say is if you have a NAT pool or are doing PAT, then put an "A" record in DNS. When you hit some sites for FTP or in my experience if a site is using the IDENT protocol, the site will do a reverse lookup on your IP address.
For example, let's say that you are using PAT, so that all of your internal users look like 188.8.131.52 or the outside interface of your PIX to the outside world. Then the recommendation would be to put an "A" record in DNS that maps 184.108.40.206 to nat01.mycompany.com or whatever you want.
In the above example, when your users hit a website that is using the IDENT protocol or an FTP site, the site will do a reverse DNS lookup on IP address 220.127.116.11 and receive nat01.mycompany.com, and in theory everyone will be happy.
Hope this helps. Let me know if anything is unclear.
I just wanted to make a correction to my original post. I inadvertently told you to create an "A" record. You need to create a "PTR" record. The idea is the exact same, which is that when you hit the website / FTP site, it will do a reverse DNS lookup to map your IP address to a hostname.
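Added example, not part of the thread above: a small offline check that every address in a NAT/PAT global pool has a PTR record in a reverse zone file, listing the gaps and the records that would close them. The pool range, zone contents and hostname pattern are constructed assumptions (203.0.113.0/24 is a documentation range), and the parser only handles simple one-line records.

```python
import ipaddress

# Constructed sample zone text; 203.0.113.0/24 is the RFC 5737 documentation range.
SAMPLE_ZONE = """\
$ORIGIN 113.0.203.in-addr.arpa.
10   IN PTR nat01.example.com.
11   IN PTR nat02.example.com.
13   IN PTR nat04.example.com.   ; .12 was never added
"""

def pool_addresses(first, last):
    """Expand a global pool given as first/last address (inclusive)."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("pool end precedes pool start")
    return [ipaddress.IPv4Address(v) for v in range(int(start), int(end) + 1)]

def parse_ptr_owners(zone_text):
    """Map fully qualified reverse names to PTR targets (simple one-line records only)."""
    origin, owners = "", {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
        elif len(fields) >= 3 and fields[-2].upper() == "PTR":
            owner = fields[0]
            fq = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
            owners[fq.lower()] = fields[-1]
    return owners

def missing_ptrs(first, last, zone_text):
    """Pool addresses that have no PTR record in the zone text."""
    owners = parse_ptr_owners(zone_text)
    return [str(a) for a in pool_addresses(first, last)
            if a.reverse_pointer not in owners]

def suggest_records(missing, name_fmt="nat-{}.example.com."):
    """Zone-file lines that would close the gaps (hostname pattern is hypothetical)."""
    return [f"{ipaddress.IPv4Address(a).reverse_pointer}. IN PTR "
            f"{name_fmt.format(a.replace('.', '-'))}" for a in missing]

if __name__ == "__main__":
    gaps = missing_ptrs("203.0.113.10", "203.0.113.13", SAMPLE_ZONE)
    print("missing:", gaps)
    print("\n".join(suggest_records(gaps)))
```
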