
[FW1] DNS / NAT / FW-1 vs PIX



We've all seen many discussions on this list with regards to using split DNS. Putting the strictly security discussion aside for a minute, one of the reasons for this is to address NAT and having to report different IP addresses to different users for the same hostname. It has been brought to my attention that the Cisco PIX firewall has the capability to rewrite DNS query responses to reflect translated addresses and that in some cases this may eliminate the need for split DNS. Has anyone had any experience with this, and would anyone care to comment on how one might accomplish it in a FW-1 environment? Here is a snip from the Cisco documentation:

       Usage Guidelines
       The alias command translates one address into another. Use this
       command to prevent conflicts when you have IP addresses on a
       network that are the same as those on the Internet or another
       intranet. You can also use this command to do address
       translation on a destination address. For example, if a host
       sends a packet to 204.31.17.1, you can use alias to redirect
       traffic to another address, such as, 192.150.50.42.

       After changing or removing an alias statement, use the clear
       xlate command. If the previous condition persists, save your
       configuration with the write memory command and then reboot the
       PIX Firewall.

       There must be an A (address) record in the DNS zone file for
       the "dnat" address in the alias command.

       The no alias command disables a previously set alias statement.
       The show alias command displays alias statements in the
       configuration.

       The alias command automatically interacts with DNS servers on
       your network to ensure that domain name access to the aliased
       IP address is handled transparently.

       You can specify a net alias by using network addresses for the
       foreign_ip and dnat_ip IP addresses. For example, alias
       10.1.1.0 204.31.17.0 255.255.255.0 creates aliases for each IP
       address between 204.31.17.1 and 204.31.17.254.

       Examples
       1. In this example, an inside network uses IP address
       192.159.1.33, which on the Internet belongs to domain.com. When
       inside clients try to access domain.com, the packets do not go
       to the firewall because the client thinks 192.159.1.33 is on
       the local inside network. To correct this, a net alias is
       created as follows with the alias command:

       alias (inside) 192.168.1.0 192.159.1.0

       show alias
       alias 192.168.1.0 192.159.1.0 255.255.255.0

       When client 192.159.1.123 connects to domain.com, the DNS
       response from an external DNS server to the internal client's
       query would be altered by the PIX Firewall to: 192.168.1.33. If
       the PIX Firewall uses 204.31.17.1 through 204.31.17.254 as the
       global pool IP addresses, the packet goes to the PIX Firewall
       with SRC=192.159.1.123 and DST=192.168.1.33. The PIX Firewall
       translates it to SRC=204.31.17.254 and DST=192.159.1.33 on the
       outside.

       2. In this example, a web server is on the inside at 10.1.1.11
       and a static for it at 204.31.17.11. The source host is on the
       outside with address 192.150.50.7. A DNS server on the outside
       has a record for www.caguana.com as follows:

        www.caguana.com.    IN    A    204.31.17.11

       The period at the end of the www.caguana.com. domain name must
       be included.

       The alias command is:

       alias 10.1.1.11 204.31.17.11 255.255.255.255

       PIX Firewall doctors the nameserver replies to 10.1.1.11 for
       inside clients to directly connect to the web server.


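The Cisco text above describes the behaviour but shows no mechanics. The following is an added example (my own illustration, not Cisco or Check Point code): a small Python model of what the "alias" DNS doctoring does to a response in transit. It parses a real DNS message, walks the answer records, and rewrites any A record whose address falls inside an alias's foreign_ip/netmask onto the matching dnat_ip, preserving the host bits for a net alias. The alias table encoding as (dnat_ip, foreign_ip, netmask) tuples, the `doctor_address`/`doctor_response` names, and the sample response for www.caguana.com are my assumptions for the example; the addresses are the ones from the two quoted examples.

```python
"""Toy model of PIX-style DNS doctoring (added example, not vendor code).

Rewrites A records in a DNS response according to a NAT alias table, the
way the quoted "alias" command doctors nameserver replies for inside clients.
"""
import ipaddress
import struct

# Alias table in the PIX argument order (dnat_ip, foreign_ip, netmask).
# Assumed encoding; values taken from the two examples quoted above.
ALIASES = [
    ("192.168.1.0", "192.159.1.0", "255.255.255.0"),    # example 1: net alias
    ("10.1.1.11", "204.31.17.11", "255.255.255.255"),   # example 2: host alias
]


def doctor_address(addr, aliases=ALIASES):
    """Map one outside-visible address to its dnat address, keeping the host
    bits for a net alias. Unmatched addresses are returned unchanged."""
    ip = ipaddress.IPv4Address(addr)
    for dnat, foreign, mask in aliases:
        net = ipaddress.IPv4Network(f"{foreign}/{mask}", strict=False)
        if ip in net:
            mask_int = int(net.netmask)
            host_bits = int(ip) & ~mask_int & 0xFFFFFFFF
            base = int(ipaddress.IPv4Address(dnat)) & mask_int
            return str(ipaddress.IPv4Address(base | host_bits))
    return addr


def _encode_name(name):
    """Encode a dotted name (trailing dot optional) as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                      # bound against pointer loops
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:             # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if jumped else off)


def build_a_response(qname, addrs, txid=0x1234):
    """Constructed test input: a standard response with one A RR per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN
    answers = b""
    for a in addrs:
        answers += (b"\xc0\x0c"                                  # ptr to qname
                    + struct.pack("!HHIH", 1, 1, 300, 4)          # A IN ttl rdlen
                    + ipaddress.IPv4Address(a).packed)
    return header + question + answers


def doctor_response(msg, aliases=ALIASES):
    """Rewrite A records in a DNS response per the alias table.
    Returns (new_message, [(owner_name, old_addr, new_addr), ...])."""
    buf = bytearray(msg)
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if not flags & 0x8000:
        return bytes(buf), []                  # a query: nothing to doctor
    off = 12
    for _ in range(qd):
        off = _read_name(buf, off)[1] + 4      # skip QTYPE and QCLASS
    rewrites = []
    for _ in range(an + ns + ar):
        name, off = _read_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            new = doctor_address(old, aliases)
            if new != old:
                buf[off:off + 4] = ipaddress.IPv4Address(new).packed
                rewrites.append((name, old, new))
        off += rdlen                           # length unchanged: no re-framing
    return bytes(buf), rewrites


if __name__ == "__main__":
    reply = build_a_response("www.caguana.com.", ["204.31.17.11", "192.150.50.7"])
    doctored, changes = doctor_response(reply)
    for owner, old, new in changes:
        print(f"{owner} {old} -> {new}")
```

Two practitioner caveats the quoted text does not spell out: the rewrite only happens for resolver traffic that actually crosses the firewall, so inside clients pointed at an inside resolver that forwards over the same path get doctored answers, while clients with a cached or out-of-path resolver do not; and because the rewrite changes rdata in place, any signature over the answer (DNSSEC) no longer verifies for the inside client, which is the same trade-off a split-DNS design avoids by serving the inside view directly.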


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.