inside interface (private static IP of 10.10.10.1)
outside interface (public static IP of 18.104.22.168)
DMZ interface (private static IP of 22.214.171.124)
The internal clients (private static IP of 10.10.10.3 - 10.10.10.30) is located in the internal LAN
Allow all the internal (LAN) computers 10.10.10.0 255.255.255.0 to access to the outside (internet and others). PAT will be applied to the internal (LAN) computers 10.10.10.0 255.255.255.0 for using the same and only public static IP of 126.96.36.199.
"IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently."
It indicates that it is the global addresses pool that requires the reverse DNS entries. In my case, however, there is only one public static IP 188.8.131.52. In this case, do I need to do the reverse DNS entries? Or the above statement does not apply to my case?
Scott, the statement dosent apply to your application.
Your config is probably something like:
NAT (inside) 1 0 0
Global (outside) 1 interface
So any inside address gets PAT'ed to the interface address on the outside of the PIX.
Reverse DNS is used when you use an external DNS server to resolve DNS queries for hosts on your inside network. Also the configuration is only appropriate when your using static NAT translations to map an outside address to an inside address.
EG serverA on the inside, 10.1.1.1, outside address 184.108.40.206
If a PC on your inside network queries an external DNS for the address of serverA it would usually be given an external address, in this case 220.127.116.11
Your PC tries to connect to 18.104.22.168, but it would be better if the DNS reply was altered to the actual inside address of the serverA.
Hope that's a bit clearer, you dont need it anyway.
Thanks for the response. Then how about there is web server located in the DMZ and will allow any outside hosts to access the web server, by first quest the external DNS -->outside (PIX) -->DMZ (PIX)-->web server (in dmz zone).
In this case, will the "reverse DNS entries" stated in previous question, apply?
If not, in what circumstances will the "reverse DNS entries" apply?
I've misled you here, I was on about something completely different, DNS doctoring which modifies DNS replies passing back through the PIX.
You will need the PTR records setting up, but this is done on your DNS server, its used for authentication checks.
What happens is that when your internal PC connects to an external server, that server runs a reverse DNS lookup to check that the IP address of the PC maps to a valid DNS domain.
When the DNS record (called A record) is created the PTR record should be created at the same time, but that's not always the case. So you connect to an FTP site, the site runs a revers DNS check which fails due a missing PTR record and your connection fails.
So yes you need your ISP to configure a PTR record on the DNS server they host mapping your DNS domain to the address or addresses you use for PAT.
Thanks for response. But in my case, a web server is hosted in the DMZ. It is the outside/external clients that try to access to my web server. I mean, in this case, do I still need to do the Reverse DNS such as add a x.x.x.x.in-addr.arpa IN PTR xxxx to the DNS?
Based on my reading of the folks response, it seems not. But I am not so sure.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...