In 6.2, DNS translation can be handled "automatically," without having to do "DNS doctoring" with the 'alias' command.
Let's say I have a DMZ server and a static with dns set up between the DMZ and the outside. The DNS server is on the outside. Users are on the inside. The DMZ uses private addresses.
When a user on the inside issues a DNS request for the DMZ server, the reply will contain the public address for the DMZ server. Does anyone know if the DNS reply will be translated by the PIX on its way back to the user?
The reason I ask is, the addresses that need to be translated are on the DMZ and the outside (which is taken care of by the 'static' command between the DMZ and the outside, so the PIX knows there's a translation taking place). It's just that the DNS requests and replies are coming from and going to the inside.
Any insight or experience would be sincerely appreciated!
This is normally handled by putting a DNS server on the inside network. That server is configured with the private addresses of the servers in the DMZ. All internal clients point to that server. The internal server is configured to either forward external requests to an external DNS server, or do the lookup itself.
If you are in an AD environment, any DC can be pointed to for DNS.
The only other way to get around this would be to put local host records on the clients, and that is ugly.
I appreciate the reply, but the PIX can handle the situation using the 'alias' command to do either "DNS doctoring" (target on the inside) or "destination NAT" (target on the DMZ) without having to maintain separate internal and external DNS servers.
The problem with using the 'alias' command is it can sometimes affect how related ACLs operate. So instead of painstakingly analyzing the 'alias'/ACL interactions, I thought I'd use the new DNS translation feature of the 'static' command...
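To make concrete what the "DNS doctoring" discussed in this thread actually does to a packet, here is an added illustration (not code from the original posts, and not PIX code): it builds a constructed DNS reply containing two A records, then rewrites only the record whose address matches a public-to-private mapping, which is the operation a firewall performs on a reply that traverses a translation. The mapping, the transaction id and the hostname are constructed sample values.

```python
import struct
import ipaddress

# Constructed mapping (assumption): the public address returned by the outside
# DNS server for the DMZ host, and the private DMZ address an inside client needs.
PUBLIC_TO_PRIVATE = {"203.0.113.10": "10.1.2.10"}


def build_dns_reply(txid, name, addresses):
    """Build a minimal DNS response with one A record per address (constructed sample)."""
    # Flags 0x8180: standard response, recursion desired/available, no error.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        # Name is a compression pointer to offset 12 (the question name),
        # then TYPE A, CLASS IN, TTL 300, RDLENGTH 4, followed by the IPv4 rdata.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return offset + 2
        offset += 1 + length


def _walk_answers(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer record."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        yield offset, rtype, rclass, rdlen
        offset += rdlen


def answer_addresses(msg):
    """List the IPv4 addresses carried in the A records of a DNS response."""
    return [
        str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        for off, rtype, rclass, rdlen in _walk_answers(msg)
        if rtype == 1 and rclass == 1 and rdlen == 4
    ]


def rewrite_a_records(msg, mapping):
    """Return (rewritten message, number of records changed).

    Only A records whose address appears in `mapping` are rewritten; the
    message length never changes because an IPv4 address is replaced in place.
    """
    msg = bytearray(msg)
    changed = 0
    for off, rtype, rclass, rdlen in _walk_answers(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            if addr in mapping:
                msg[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
                changed += 1
    return bytes(msg), changed


if __name__ == "__main__":
    reply = build_dns_reply(0x1234, "www.example.com", ["203.0.113.10", "198.51.100.7"])
    doctored, count = rewrite_a_records(reply, PUBLIC_TO_PRIVATE)
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(doctored), "records rewritten:", count)
```

The second answer record (198.51.100.7) is untouched because it has no translation entry, which is the point: the rewrite is driven by the configured translation, and a reply that never passes through the firewall, or passes through on an interface pair that carries no matching translation, gets nothing rewritten. Checking what an inside client actually receives (for example with a packet capture on the inside interface) is the practical way to confirm which case applies in a given PIX configuration.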