Re: New WAN setup
From: Jim Cobb
Date: Tuesday, May 15, 2001
Time: 7:25:49 pm

What you are looking for is a setting for one-to-one NAT which will
establish a static route between an IP address on the inside of your
firewall with a "real" address on the outside. The problem is latency
issues because your firewall has to keep track of quite a few packets
which would have nothing to do with actual LAN-WAN traffic. You really
want to go the DMZ route for best performance for both your WAN servers
and your LAN users. If you really want to be secure, do what Chris says
here and have a public DNS server so hackers cannot figure out what's in
your LAN via DNS lookups. But then this can also create issues with VPN
clients, if you are doing that sort of thing.
-- 
James Cobb
Network Manager
LifeNet
5809 Ward Court
Virginia Beach, VA
1-800-TISSUE-1
On Tuesday, May 15, 2001 9:04 PM, Men & Mice Support <cbuxton@menandmice.com> wrote:
>Hopefully someone with experience with PIX firewalls will chime in
>here, but here goes...
>
>At 4:16 PM -0700 5/14/01, Seth Long wrote:
>>Ok, I'm setting up my server farm for my shiny new WAN and I need some DNS
>>advice.
>>
>>The plan is to sit my servers (www, ftp, mail, etc.) behind the PIX firewall
>>along with my internal DNS servers and have them all running on internal IP
>>addresses (10.0.0.x). The PIX box will route Internet traffic to the
>>appropriate internal address for me. I want to provide primary DNS services
>>for my domain so do I need to have the primary box sitting outside the
>>firewall in a DMZ? Or can I let the PIX resolve the real IP and the internal
>>IP for the DNS box and let the DNS point to the real IPs (which, of course,
>>will route right back to the internal ones once the traffic returns to the
>>PIX)?
>
>Most likely, you can use internal addresses for your DNS servers.
>However, there is the issue of local NAT (aka 2-way NAT). If your
>firewall doesn't support this (most don't), then internal
>workstations won't be able to find internal servers (DNS, web, or
>mail) using the public IP addresses.
>
>>Ultimately the question is: do I need to spring for the extra ethernet port
>>on the PIX box to create the DMZ?
>
>If the PIX firewall doesn't support local NAT, then the DMZ is
>probably the cheapest workaround you'll find. Another workaround is
>to set up a second, internal-only DNS server. This would require a
>second actual machine, along with the software for a second DNS
>server.
>____________________________________________________________________
>Chris Buxton                                   Men & Mice
>cbuxton@menandmice.com                         We Make DNS Easy!
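The local-NAT problem Chris describes, and the "second, internal-only DNS server" workaround, can be modelled in a few lines. The following is an added example and is not code from this thread, from Men & Mice, or from Cisco: it keeps two views of a small constructed zone (internal 10.0.0.x addresses and public addresses from the RFC 5737 documentation range 192.0.2.0/24), picks the view by the querying client's address, and simulates whether a client can actually reach the address it was handed when the firewall does or does not support local (2-way) NAT. The host names and addresses are hypothetical sample data.

```python
"""Split-horizon DNS answer selection versus a public-only zone.

Added example, not part of the original mailing-list thread.
Models the situation in the thread: servers on 10.0.0.x behind a
static one-to-one NAT firewall, and internal workstations that may
or may not be able to "hairpin" through that firewall.
"""
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed data: the LAN, and name -> (internal address, public address).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ZONE = {
    "www.example.net.":  ("10.0.0.10", "192.0.2.10"),
    "mail.example.net.": ("10.0.0.20", "192.0.2.20"),
    "ns1.example.net.":  ("10.0.0.53", "192.0.2.53"),
}
PUBLIC_ADDRESSES = {pub for _, pub in ZONE.values()}


def is_internal(ip: str) -> bool:
    """True if the address belongs to the LAN behind the firewall."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str, split_horizon: bool = True) -> Optional[str]:
    """Answer an A query.

    With split_horizon=True an internal client gets the 10.0.0.x address
    (the internal-only DNS server from the thread); everyone else gets the
    public address. With split_horizon=False only the public view exists.
    """
    rr = ZONE.get(name if name.endswith(".") else name + ".")
    if rr is None:
        return None
    internal, public = rr
    if split_horizon and is_internal(client_ip):
        return internal
    return public


def path_works(src_ip: str, dst_ip: str, local_nat: bool) -> bool:
    """Can a packet from src reach dst through this network model?

    - LAN to LAN: direct, never touches the firewall.
    - Outside to a published public address: static NAT forwards it inside.
    - LAN to a public address of its own server: only if the firewall can
      hairpin, i.e. supports local (2-way) NAT.
    - Outside to a 10.x address: not routable on the Internet.
    """
    src_in, dst_in = is_internal(src_ip), is_internal(dst_ip)
    if src_in and dst_in:
        return True
    if not src_in and not dst_in:
        return dst_ip in PUBLIC_ADDRESSES
    if src_in and not dst_in:
        return local_nat
    return False


def can_reach(name: str, client_ip: str, split_horizon: bool, local_nat: bool) -> bool:
    """Resolve the name as this client would, then test the resulting path."""
    answer = resolve(name, client_ip, split_horizon)
    return answer is not None and path_works(client_ip, answer, local_nat)


if __name__ == "__main__":
    for split in (False, True):
        ok = can_reach("www.example.net", "10.0.0.5", split, local_nat=False)
        print(f"split_horizon={split!s:5} local_nat=False -> internal client reaches www: {ok}")
```

Run as-is it prints the failure case (public-only zone, no local NAT: the workstation is handed 192.0.2.10 and the firewall will not hairpin it) next to the working case with an internal view. Setting `local_nat=True` shows the other way out of the problem: if the PIX can do local NAT, a single public view is enough.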