Re: New WAN setup ??s

From: Men & Mice Support
Date: Tuesday, May 15, 2001
Time: 6:05:40 pm

Hopefully someone with experience with PIX firewalls will chime in
here, but here goes...

At 4:16 PM -0700 5/14/01, Seth Long wrote:
>Ok, I'm setting up my server farm for my shiny new WAN and I need some DNS
>advice.
>
>The plan is to sit my servers (www, ftp, mail, etc.) behind the PIX firewall
>along with my internal DNS servers and have them all running on internal IP
>addresses (10.0.0.x). The PIX box will route Internet traffic to the
>appropriate internal address for me. I want to provide primary DNS services
>for my domain so do I need to have the primary box sitting outside the
>firewall in a DMZ? Or can I let the PIX resolve the real IP and the internal
>IP for the DNS box and let the DNS point to the real IPs (which, of course,
>will route right back to the internal ones once the traffic returns to the
>PIX)?

Most likely, you can use internal addresses for your DNS servers.
However, there is the issue of local NAT (aka 2-way NAT). If your
firewall doesn't support this (most don't), then internal
workstations won't be able to find internal servers (DNS, web, or
mail) using the public IP addresses.

>Ultimately the question is: do I need to spring for the extra ethernet port
>on the PIX box to create the DMZ?

If the PIX firewall doesn't support local NAT, then the DMZ is
probably the cheapest workaround you'll find. Another workaround is
to set up a second, internal-only DNS server. This would require a
second actual machine, along with the software for a second DNS
server.
____________________________________________________________________
Chris Buxton, Men & Mice
cbuxton@menandmice.com, We Make DNS Easy!
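The "internal-only DNS server" workaround in the reply above is what is usually called split-horizon DNS: internal clients get the 10.0.0.x addresses, so nothing ever has to traverse the PIX twice, while the rest of the Internet gets the public addresses. As an added example that is not part of the original post, here is a BIND 9 configuration that does this with views on a single server (the reply's second machine works the same way, just with the two zone files on separate hosts). The zone name example.com, the 10.0.0.0/24 network taken from the question, the 192.0.2.x public addresses (documentation range), and the file paths are all assumed placeholders.

```bind
// --- named.conf (added example; placeholders throughout) ---

// Inside-the-PIX clients, taken from the 10.0.0.x network in the question.
acl "internal-nets" { 10.0.0.0/24; 127.0.0.1; };

// Internal workstations match this view first and receive private addresses.
// Recursion is allowed here so internal hosts can use this box as their resolver.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };
};

// Everyone else falls through to this view and receives the public addresses.
// Recursion is off so the public-facing view is not an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };
};

; --- /etc/bind/zones/db.example.com.internal (private addresses) ---
$TTL 3600
@       IN  SOA ns1.example.com. hostmaster.example.com. (
            2001051501 ; serial (constructed)
            3600       ; refresh
            7200       ; retry
            1209600    ; expire
            3600 )     ; negative-cache TTL
        IN  NS  ns1.example.com.
        IN  MX  10 mail.example.com.
ns1     IN  A   10.0.0.2
www     IN  A   10.0.0.10
ftp     IN  A   10.0.0.11
mail    IN  A   10.0.0.12

; --- /etc/bind/zones/db.example.com.external (public addresses the PIX maps) ---
$TTL 3600
@       IN  SOA ns1.example.com. hostmaster.example.com. (
            2001051501 ; serial (constructed)
            3600 7200 1209600 3600 )
        IN  NS  ns1.example.com.
        IN  MX  10 mail.example.com.
ns1     IN  A   192.0.2.2
www     IN  A   192.0.2.10
ftp     IN  A   192.0.2.11
mail    IN  A   192.0.2.12
```

With this in place, `dig @10.0.0.2 www.example.com A` from a workstation on 10.0.0.0/24 returns 10.0.0.10, while the same query arriving from the Internet (after the PIX forwards port 53 to the server) returns 192.0.2.10. The two zone files must be kept in step by hand, and the serial should be bumped in both whenever a host moves; the only thing that should differ between them is the address data.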