[FW1] DNS / NAT / FW-1 vs PIX
We've all seen many discussions on this list with regard to using split DNS. Putting the strictly security discussion aside for a minute, one of the reasons for this is to address NAT and having to report different IP addresses to different users for the same hostname. It has been brought to my attention that the Cisco PIX firewall has the capability to rewrite DNS query responses to reflect translated addresses, and that in some cases this may eliminate the need for split DNS. Has anyone had any experience with this, and would anyone care to comment on how one might accomplish it in a FW-1 environment?

Here is a snip from the Cisco documentation:

Usage Guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 204.31.17.1, you can use alias to redirect traffic to another address, such as 192.150.50.42.

After changing or removing an alias statement, use the clear xlate command. If the previous condition persists, save your configuration with the write memory command and then reboot the PIX Firewall.

There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.

The no alias command disables a previously set alias statement. The show alias command displays alias statements in the configuration.

The alias command automatically interacts with DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.

You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example,

    alias 10.1.1.0 204.31.17.0 255.255.255.0

creates aliases for each IP address between 204.31.17.1 and 204.31.17.254.

Examples

1. In this example, an inside network uses IP address 192.159.1.33, which on the Internet belongs to domain.com. When inside clients try to access domain.com, the packets do not go to the firewall because the client thinks 192.159.1.33 is on the local inside network. To correct this, a net alias is created as follows with the alias command:

    alias (inside) 192.168.1.0 192.159.1.0
    show alias
    alias 192.168.1.0 192.159.1.0 255.255.255.0

When client 192.159.1.123 connects to domain.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to 192.168.1.33. If the PIX Firewall uses 204.31.17.1 through 204.31.17.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=192.159.1.123 and DST=192.168.1.33. The PIX Firewall translates it to SRC=204.31.17.254 and DST=192.159.1.33 on the outside.

2. In this example, a web server is on the inside at 10.1.1.11 and a static for it at 204.31.17.11. The source host is on the outside with address 192.150.50.7. A DNS server on the outside has a record for www.caguana.com as follows:

    www.caguana.com. IN A 204.31.17.11

The period at the end of the www.caguana.com. domain name must be included. The alias command is:

    alias 10.1.1.11 204.31.17.11 255.255.255.255

PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
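As an added illustration of what the quoted documentation calls "doctoring" (this is an editor's example, not code from the post, from Cisco, or from the PIX itself), the following Python script models the rewrite: it parses a DNS response, finds every IN A record, and replaces any address covered by an alias entry with the corresponding dnat address, keeping the host bits for a net alias. The alias table is built from the two Cisco examples above in the documented "alias dnat_ip foreign_ip netmask" order; the DNS packets are constructed inside the script (no captures), and the builder, the function names and the first-match-wins rule are assumptions made for the demo rather than a description of the PIX implementation.

```python
import ipaddress
import struct

# Alias table in the PIX "alias dnat_ip foreign_ip netmask" order, taken from
# the two Cisco examples in the post.  For replies delivered to inside clients
# the rewrite direction is foreign_ip -> dnat_ip.
ALIASES = [
    ("192.168.1.0", "192.159.1.0", "255.255.255.0"),    # example 1: net alias
    ("10.1.1.11", "204.31.17.11", "255.255.255.255"),   # example 2: host alias
]


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def translate(addr, aliases=ALIASES):
    """Return the doctored address for addr, or addr itself if no alias matches.

    A net alias keeps the host bits (192.159.1.33 under the /24 alias becomes
    192.168.1.33); a /32 alias matches exactly one host.  First match wins
    (an assumption of this demo, not documented PIX behaviour).
    """
    a = _ip(addr)
    for dnat, foreign, mask in aliases:
        m = _ip(mask)
        if a & m == _ip(foreign) & m:
            return str(ipaddress.IPv4Address((_ip(dnat) & m) | (a & ~m & 0xFFFFFFFF)))
    return addr


def _skip_name(pkt, off):
    """Return the offset just past the DNS name at off (handles compression pointers)."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + ln


def _rdata_fields(pkt):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every RR after the question section."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(pkt):
    """All IN A addresses carried in the message, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(pkt[o:o + 4])))
            for t, c, o, n in _rdata_fields(pkt) if t == 1 and c == 1 and n == 4]


def doctor_response(pkt, aliases=ALIASES):
    """Rewrite IN A RDATA in a DNS *response* according to the alias table.

    Returns (new_packet, [(old, new), ...]).  Queries (QR bit clear) and
    non-A records pass through untouched.  An A RDATA is always 4 bytes, so
    the rewrite never changes rdlength and no other offset in the message moves.
    """
    out = bytearray(pkt)
    flags = struct.unpack_from("!H", pkt, 2)[0]
    if not flags & 0x8000:
        return bytes(out), []
    changes = []
    for rtype, rclass, off, rdlen in _rdata_fields(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            old = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            new = translate(old, aliases)
            if new != old:
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
                changes.append((old, new))
    return bytes(out), changes


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_a_response(qname, addrs, txid=0x1234, ttl=300, response=True):
    """Build a minimal DNS message (constructed for this demo, not a capture).

    One question and, for a response, one IN A answer per address whose owner
    name is a compression pointer (0xC00C) back to the question name.
    """
    flags = 0x8180 if response else 0x0100    # QR|RD|RA for a reply, RD for a query
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(addrs) if response else 0, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    if response:
        for a in addrs:
            answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
    return hdr + question + answers


if __name__ == "__main__":
    reply = build_a_response("www.caguana.com.", ["204.31.17.11"])
    doctored, changes = doctor_response(reply)
    print("before:", a_records(reply), "after:", a_records(doctored), "changes:", changes)
```

Two things the model makes visible that the prose does not: only the four RDATA bytes of each matching A record change, so the transaction ID, flags and every other record are left exactly as the external server sent them; and the rewrite can only be applied to answers the firewall is able to alter in flight, so a response protected by DNSSEC signatures would fail validation at a client that checks them once its A RDATA has been doctored.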