how to setup dns server behind a pix firewall cont.?


Post by Giggle » Tue, 25 Jun 2002 13:15:35



So if I understand this correctly, I can get away with one dns server outside
our network.  We are currently using a company for our dns service.  So my task
involves the following steps:
1.  Tell the company that provides us the dns service to point to 209.249.57.3
for our www.xyz.com. Let's suppose that dns server for that company has the ip
a.b.c.d
2.  Then since my PIX inside interface has the ip address of 192.100.100.1
issue the command alias 192.100.100.1 a.b.c.d     255.255.255.255
3.  Then have our internal client machines point to 192.100.100.1 for dns
queries.

Thanks for any help.
Teresa

 
 
 


Post by chri » Tue, 25 Jun 2002 13:35:35


Here you go:

http://www.cisco.com/warp/public/110/alias.html#int


> So if I understand this correctly, I can get away with one dns server
> outside our network.  We are currently using a company for our dns service.
> So my task involves the following steps:
> 1.  Tell the company that provides us the dns service to point to
> 209.249.57.3 for our www.xyz.com. Let's suppose that dns server for that
> company has the ip a.b.c.d
> 2.  Then since my PIX inside interface has the ip address of 192.100.100.1
> issue the command alias 192.100.100.1 a.b.c.d     255.255.255.255
> 3.  Then have our internal client machines point to 192.100.100.1 for dns
> queries.

> Thanks for any help.
> Teresa



 
 
 


Post by James Hageman » Tue, 25 Jun 2002 13:37:49


I still like the idea of public and private DNS. I have had times when
my outside connection has gone down (it rains, it goes down) and our
clients can still get to the Intranet Web site (private DNS is on the up
side of the PIX).

But, 90% of our traffic is Intranet, and not Internet.

I can also supply private and secured web systems to our users, and
without the public translation, no one else sees it (our network status
is a web page hosted on the private side).


> Here you go:

> http://www.cisco.com/warp/public/110/alias.html#int



> > So if I understand this correctly, I can get away with one dns server
> > outside our network.  We are currently using a company for our dns service.
> > So my task involves the following steps:
> > 1.  Tell the company that provides us the dns service to point to
> > 209.249.57.3 for our www.xyz.com. Let's suppose that dns server for that
> > company has the ip a.b.c.d
> > 2.  Then since my PIX inside interface has the ip address of 192.100.100.1
> > issue the command alias 192.100.100.1 a.b.c.d     255.255.255.255
> > 3.  Then have our internal client machines point to 192.100.100.1 for dns
> > queries.

> > Thanks for any help.
> > Teresa


 
 
 


Post by chri » Tue, 25 Jun 2002 23:01:34


Absolutely the best solution is split-dns, but if all they are concerned
about is getting to their public website by FQDN, then the alias will work.
If you have intranets, etc., then I would require additional dns servers.

Chris


> I still like the idea of public and private DNS. I have had times when
> my outside connection has gone down (it rains, it goes down) and our
> clients can still get to the Intranet Web site (private DNS is on the up
> side of the PIX).

> But, 90% of our traffic is Intranet, and not Internet.

> I can also supply private and secured web systems to our users, and
> without the public translation, no one else sees it (our network status
> is a web page hosted on the private side).


> > Here you go:

> > http://www.cisco.com/warp/public/110/alias.html#int



> > > So if I understand this correctly, I can get away with one dns server
> > > outside our network.  We are currently using a company for our dns
> > > service.  So my task involves the following steps:
> > > 1.  Tell the company that provides us the dns service to point to
> > > 209.249.57.3 for our www.xyz.com. Let's suppose that dns server for that
> > > company has the ip a.b.c.d
> > > 2.  Then since my PIX inside interface has the ip address of
> > > 192.100.100.1 issue the command alias 192.100.100.1 a.b.c.d     255.255.255.255
> > > 3.  Then have our internal client machines point to 192.100.100.1 for
> > > dns queries.

> > > Thanks for any help.
> > > Teresa


 
 
 


Post by Giggle » Wed, 26 Jun 2002 13:10:29


Thank you everyone for your help.  We had an outside isp providing our dns
service.  We had our internal clients point to that dns service.  That made
internal clients able to do dns lookups over the internet browser.  For the
clients to see the internal webserver by its external ip address we issued the
alias command and we used the sysopt noproxyarp command.  There is an excellent
article on the cisco site regarding this issue.
http://www.cisco.com/warp/public/110/alias.html