Fixup protocol

Hi Frank,

You may wish to investigate Cisco's DNS Fixup:

Hope this helps.

Brad Reese

Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA & Canada: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 AIM: R2MGrant BradReese.Com - Cisco Power Supply Headquarters

If you use the alias command, then there are -two- effects, one having to do with changing the destination IP on -outgoing- packets, and the other having to do with rewriting DNS responses. One might want the IP destination rewriting without wanting the DNS rewriting; if so then you would turn off the DNS fixup.

If you are using PIX 6.2 or PIX 6.3, then using the 'alias' command is not encouraged, and the 'dns' keyword for the 'static' command is recommended instead. If you are not using 'alias' and you did not want DNS fixups to occur, you would normally just leave out the 'dns' keyword on the 'static'. It appears to me, though, that there is no equivilent to the 'dns' keyword for nat/global commands, so you might still need to disable the dns fixup for that case.

If you are using PIX 6.3, then the dns fixup also checks the length of DNS responses, to prevent buffer overflows. When you use 'no fixup protocol dns' then the length checks are not done, which might be important for you (especially if you want your users to be able to stream music or videos by using DNS requests to bypass restrictions on http accesses.)

Sorry, I do not understand that question ?