Cisco Support Community

New Member

PAT and DNS reverse entries

Assume a network topology is like this:

A PIX with 3 interfaces:

inside interface (private static IP of 10.10.10.1)

outside interface (public static IP of 69.110.38.35)

DMZ interface (private static IP of 30.30.30.1)

The internal clients (private static IPs 10.10.10.3 - 10.10.10.30) are located in the internal LAN.

TRY-TO-DO:

Allow all the internal (LAN) computers 10.10.10.0 255.255.255.0 to access the outside (internet and others). PAT will be applied to the internal (LAN) computers 10.10.10.0 255.255.255.0 so that they use the same and only public static IP of 69.110.38.35.

The resource http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic9 states:

"IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently."

It indicates that it is the global address pool that requires the reverse DNS entries. In my case, however, there is only one public static IP, 69.110.38.35. In this case, do I need to create the reverse DNS entries? Or does the above statement not apply to my case?

Thanks for the help.

Scott

5 REPLIES
Silver

Re: PAT and DNS reverse entries

Scott, the statement doesn't apply to your application.

Your config is probably something like:

NAT (inside) 1 0 0

Global (outside) 1 interface

So any inside address gets PAT'ed to the interface address on the outside of the PIX.

Reverse DNS is used when you use an external DNS server to resolve DNS queries for hosts on your inside network. Also, the configuration is only appropriate when you're using static NAT translations to map an outside address to an inside address.

E.g. serverA on the inside, 10.1.1.1, outside address 165.34.5.6.

If a PC on your inside network queries an external DNS for the address of serverA, it would usually be given an external address, in this case 165.34.5.6.

Your PC tries to connect to 165.34.5.6, but it would be better if the DNS reply was altered to the actual inside address of the serverA.

Hope that's a bit clearer; you don't need it anyway.

Andy

New Member

Re: PAT and DNS reverse entries

Thanks for the response. Then what about the case where a web server is located in the DMZ and any outside hosts are allowed to access it, by first querying the external DNS --> outside (PIX) --> DMZ (PIX) --> web server (in the DMZ zone)?

In this case, will the "reverse DNS entries" stated in the previous question apply?

If not, in what circumstances will the "reverse DNS entries" apply?

Thanks for the help.

Scott

Silver

Re: PAT and DNS reverse entries

Hi Scott,

I've misled you here; I was on about something completely different, DNS doctoring, which modifies DNS replies passing back through the PIX.

You will need the PTR records setting up, but this is done on your DNS server; it's used for authentication checks.

What happens is that when your internal PC connects to an external server, that server runs a reverse DNS lookup to check that the IP address of the PC maps to a valid DNS domain.

When the DNS record (called an A record) is created, the PTR record should be created at the same time, but that's not always the case. So you connect to an FTP site, the site runs a reverse DNS check which fails due to a missing PTR record, and your connection fails.

So yes you need your ISP to configure a PTR record on the DNS server they host mapping your DNS domain to the address or addresses you use for PAT.

There are no changes to make on the PIX.

Andy
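The check Andy describes is usually called forward-confirmed reverse DNS (FCrDNS): the server takes the client's source address, asks for its PTR record, and then resolves the name it got back to confirm it maps to the same address. The script below is an added example, not code from the thread or from Cisco; it implements that check against a constructed in-memory zone so it runs offline, and also shows the stdlib calls you would use against real DNS. The hostnames under example.net and the 198.51.100.x / 203.0.113.x / 192.0.2.x addresses are constructed; 69.110.38.35 is the PAT address from the question, and the name "gw.example.net" attached to it is an assumption.

```python
"""Forward-confirmed reverse DNS (FCrDNS), the lookup an FTP or mail server
runs on a connecting client's source address before accepting it.

Added example; not from the thread. Zone data is constructed for illustration.
"""

import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data standing in for the ISP-hosted DNS. In zone-file terms:
#   gw.example.net.              IN A    69.110.38.35
#   35.38.110.69.in-addr.arpa.   IN PTR  gw.example.net.     (A and PTR agree)
#   lonely.example.net.          IN A    198.51.100.7        (PTR never created)
#   mismatch.example.net.        IN A    203.0.113.10
#   9.113.0.203.in-addr.arpa.    IN PTR  mismatch.example.net.  (stale PTR)
#   1.2.0.192.in-addr.arpa.      IN PTR  ghost.example.net.  (name has no A)
FORWARD: Dict[str, List[str]] = {
    "gw.example.net": ["69.110.38.35"],
    "lonely.example.net": ["198.51.100.7"],
    "mismatch.example.net": ["203.0.113.10"],
}
REVERSE: Dict[str, str] = {
    "69.110.38.35": "gw.example.net",
    "203.0.113.9": "mismatch.example.net",
    "192.0.2.1": "ghost.example.net",
}

PtrLookup = Callable[[str], Optional[str]]   # ip -> hostname or None
ALookup = Callable[[str], List[str]]         # hostname -> list of IPv4 strings


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address, e.g. 35.38.110.69.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns_check(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> Tuple[str, Optional[str]]:
    """Return (status, hostname). Status is one of:
    'ok'               - PTR exists and the name resolves back to ip
    'no-ptr'           - no PTR record (Andy's FTP failure case)
    'no-a'             - PTR names a host that has no A record
    'forward-mismatch' - PTR names a host whose A records do not include ip
    """
    name = ptr_lookup(ip)
    if name is None:
        return ("no-ptr", None)
    addrs = a_lookup(name)
    if not addrs:
        return ("no-a", name)
    if ip not in addrs:
        return ("forward-mismatch", name)
    return ("ok", name)


# Resolvers backed by the constructed tables above (offline).
def table_ptr_lookup(ip: str) -> Optional[str]:
    return REVERSE.get(ip)


def table_a_lookup(name: str) -> List[str]:
    return FORWARD.get(name, [])


# Resolvers backed by the system resolver, for use against real DNS.
def system_ptr_lookup(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror is a subclass of OSError
        return None


def system_a_lookup(name: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except OSError:          # socket.gaierror is a subclass of OSError
        return []


if __name__ == "__main__":
    for addr in ("69.110.38.35", "198.51.100.7", "203.0.113.9", "192.0.2.1"):
        status, host = fcrdns_check(addr, table_ptr_lookup, table_a_lookup)
        print(f"{addr:15} {reverse_name(addr):30} {status:17} {host}")
    # To test your own PAT address against live DNS, swap in the system resolvers:
    #   fcrdns_check("69.110.38.35", system_ptr_lookup, system_a_lookup)
```

Running the offline table shows the four outcomes side by side: the PAT address passes, the address with no PTR is rejected exactly as in Andy's FTP scenario, and the two remaining cases show why creating the PTR alone is not enough if it does not agree with the A record. Checking the forward direction as well is what stops anyone from simply publishing a PTR that claims an arbitrary name.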

New Member

Re: PAT and DNS reverse entries

Thanks for the response. But in my case, a web server is hosted in the DMZ. It is the outside/external clients that try to access my web server. I mean, in this case, do I still need to do the reverse DNS, such as adding an x.x.x.x.in-addr.arpa IN PTR xxxx record to the DNS?

Based on my reading of the folks' response, it seems not. But I am not so sure.

Thanks for the help.

Scott

Silver

Re: PAT and DNS reverse entries

Your reading is correct; there is no need to set up the reverse DNS entry in this case, as the external users query their DNS servers for the IP address mapped to the URL of your web server.

They then connect to that IP address.

No need for reverse DNS here.
