Re: Cisco PIX 501: Can't ping global IP-Address from NATed IP



In article <op.s82dvexp7mx1hz@localhost>,
Michael Schuberl <cisco_pix@xxxxxxxx> wrote:

> Well there already is a DNS on that network, will that be sufficient?
> Will the PIX be able to translate the lookup-requests then and substitute
> the external for the internal address? (that "alias"-thing, right?)
> To my mind, the DNS resolves the request to the external IP. Therefore,
> the client will again try to communicate with that address and the PIX
> would still not be able to translate that IP to the internal IP.

Have the internal DNS server hand out the internal address, and
on the 'static' statement for the server, add the 'dns' keyword. Then
when -external- hosts do a query, the PIX will translate the
internal IP to the external IP as the DNS response goes out of the
network.

> The reason why I didn't want to set up a DNS is my lack of experience
> with such services and it seems that some custom software we use simply
> isn't using the gethostbyname() function and is therefore doomed to use IPs.

If the software can be configured to use the internal IPs for the
servers, then configure the DNS and static as noted above and everything
will be fine. [If the software is also used from outside your LAN,
then configure the external hosts to use the public IP.]

> My task is to put that PIX in front of the nodes. The first thing I learned
> back then was: it is not possible to force the PIX to behave in a
> transparent way (e.g. just filter and forward the traffic for
> x.x.x.0-x.x.x.15 - without NAT), or did I configure something wrong?

The PIX 501 is fine with using the same address internally and externally.
The catch is that the two interfaces cannot have the same IP subnet,
so the external interface must be part of a different subnet and
your WAN router must route the public range to the IP address
of the external interface. This is often done by arranging a
"carrier network" with your ISP -- a distinct /30 or /29 network that is
there just to allow your WAN equipment to talk to the ISP so
that the ISP can route the main network to you.


