Cisco Support Community

New Member

PAT and DNS reverse entries

Assume a network topology is like this:

A PIX with 3 interfaces:

inside interface (private static IP of

outside interface (public static IP of

DMZ interface (private static IP of

The internal clients (private static IP of - is located in the internal LAN


Allow all the internal (LAN) computers to access the outside (internet and others). PAT will be applied to the internal (LAN) computers so that they all use the same and only public static IP of

The resource states:

"IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently."

It indicates that it is the global address pool that requires the reverse DNS entries. In my case, however, there is only one public static IP. In this case, do I need to do the reverse DNS entries? Or does the above statement not apply to my case?

Thanks to help.



Re: PAT and DNS reverse entries

Scott, the statement doesn't apply to your application.

Your config is probably something like:

nat (inside) 1 0 0

global (outside) 1 interface

So any inside address gets PAT'ed to the interface address on the outside of the PIX.

Reverse DNS is used when you use an external DNS server to resolve DNS queries for hosts on your inside network. Also, the configuration is only appropriate when you're using static NAT translations to map an outside address to an inside address.

E.g. serverA on the inside,, outside address

If a PC on your inside network queries an external DNS for the address of serverA it would usually be given an external address, in this case

Your PC tries to connect to, but it would be better if the DNS reply was altered to the actual inside address of the serverA.

Hope that's a bit clearer; you don't need it anyway.


New Member

Re: PAT and DNS reverse entries

Thanks for the response. Then what about the case where a web server is located in the DMZ and any outside host is allowed to access the web server, by first querying the external DNS --> outside (PIX) --> DMZ (PIX) --> web server (in the DMZ zone)?

In this case, will the "reverse DNS entries" stated in previous question, apply?

If not, in what circumstances will the "reverse DNS entries" apply?

Thanks to help.



Re: PAT and DNS reverse entries

Hi Scott,

I've misled you here; I was on about something completely different: DNS doctoring, which modifies DNS replies passing back through the PIX.

You will need the PTR records setting up, but this is done on your DNS server; it's used for authentication checks.

What happens is that when your internal PC connects to an external server, that server runs a reverse DNS lookup to check that the IP address of the PC maps to a valid DNS domain.

When the DNS record (called an A record) is created, the PTR record should be created at the same time, but that's not always the case. So you connect to an FTP site, the site runs a reverse DNS check which fails due to a missing PTR record, and your connection fails.

So yes you need your ISP to configure a PTR record on the DNS server they host mapping your DNS domain to the address or addresses you use for PAT.

There are no changes to make on the PIX.
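The reverse check described above, worked through as an added example (not code from the thread or from Cisco): a forward-confirmed reverse DNS check of the kind an FTP or mail server applies to a connecting PAT address, run against a constructed in-memory zone so it works offline. The hostnames and the 203.0.113.0/24 addresses are assumptions, not the poster's values.

```python
import ipaddress

# Constructed sample zone standing in for the ISP's DNS; none of these are real records.
# 203.0.113.10 plays the PAT address: it has a PTR that forward-confirms.
# 203.0.113.20 has no PTR at all (the failure the thread describes).
# 203.0.113.30 has a stale PTR whose name resolves elsewhere (also rejected).
EXAMPLE_ZONE = {
    "A": {
        "gw.example.com.": "203.0.113.10",
        "www.example.com.": "203.0.113.20",
        "stale.example.com.": "203.0.113.31",
    },
    "PTR": {
        "10.113.0.203.in-addr.arpa.": "gw.example.com.",
        "30.113.0.203.in-addr.arpa.": "stale.example.com.",
    },
}


def reverse_name(ip):
    """Build the in-addr.arpa (or ip6.arpa) owner name a resolver queries for a PTR."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ptr_record_line(ip, hostname):
    """Zone-file line the ISP would add for the PAT address (the 'IN PTR' entry)."""
    return "%s IN PTR %s" % (reverse_name(ip), hostname)


def lookup(zone, rtype, name):
    """Minimal stand-in for a DNS query against the constructed zone."""
    return zone.get(rtype, {}).get(name)


def fcrdns_check(ip, zone):
    """Forward-confirmed reverse DNS: PTR must exist and its name must resolve
    back to the same IP. Returns (ok, reason) so the failure mode is visible."""
    ptr = lookup(zone, "PTR", reverse_name(ip))
    if ptr is None:
        return False, "no PTR record for %s" % reverse_name(ip)
    forward = lookup(zone, "A", ptr)
    if forward != ip:
        return False, "PTR %s resolves to %s, not %s" % (ptr, forward, ip)
    return True, "%s <-> %s" % (ip, ptr)


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        print(addr, fcrdns_check(addr, EXAMPLE_ZONE))
    print(ptr_record_line("203.0.113.10", "gw.example.com."))
```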


New Member

Re: PAT and DNS reverse entries

Thanks for the response. But in my case, a web server is hosted in the DMZ. It is the outside/external clients that try to access my web server. I mean, in this case, do I still need to do the reverse DNS, such as adding an IN PTR xxxx to the DNS?

Based on my reading of the folks' response, it seems not. But I am not so sure.

Thanks to help.



Re: PAT and DNS reverse entries

Your reading is correct; there is no need to set up the reverse DNS entry in this case, as the external users query their DNS servers for the IP address mapped to the URL of your web server.

They then connect to that IP address.

No need for reverse DNS here.