1. Home
  2. Cisco Systems
  3. DNS Doctoring with PIX

DNS Doctoring with PIX

I have upgraded to PIX 6.3(4) and I am trying to use the DNS command in my STATIC to access my inside server via domain name. I do not use an internal DNS server.

My question is, am I missing some other command, sysopt or fixup to make this work? The static I have does work for outside-inside traffic, but still does not 'doctor' the DNS inquiries for inside use. I do have the fixup protocol dns maximum-length 512 statement. There really isn't a lot of info on using this command in a static. I know there is an alias command, but I only have one IP address that I need to forward to two servers (mail/web), and its my understanding that alias has to be a one-to-one ratio (no port, only IP). Any help would be greatly appreciated. I am sure I am missing something stupid.

Here is my current static:

static (inside,outside) tcp x.y.z.37 www 192.168.1.1 www dns netmask

255.255.255.255 0 0
Reply to
Dan Rice
Loading thread data ...

In article , Dan Rice wrote: :I have upgraded to PIX 6.3(4) and I am trying to use the DNS command in my :STATIC to access my inside server via domain name. I do not use an internal :DNS server.

I happened to notice in the command reference today some lines indicating that if you had an outside name server that needed to transfer information to inside, that DNS doctoring would not work if you were using PAT.

I was unclear to me from the wording whether it was saying that DNS fixups for data from external servers were incompatible with PAT, or if it was obliquely saying that if you were trying to do a DNS Zone transfer pushed from the outside that you couldn't use PAT because the inside DNS server wouldn't be reachable.

Reply to
Walter Roberson

Is that a nice way of telling me I am SOL?

Reply to
Dan Rice

The command reference also shows a 'DNS' entry for the NAT command, but doesn't really give any information pertaining to its use other than "Specifies to use the created translation to rewrite the DNS address record."

Reply to
Dan Rice

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.