03-25-2005 01:47 PM - edited 03-05-2019 11:28 AM
Our Main Office is in New York city and the DNS is physically located in Boston, across a Frame Relay circuit. The PIX firewall happens to be in the same location as the DNS, When a user in New York accesses a WEB site (www.cisco.com),it generates a request to the DNS in Boston for resolution. My question is, does the reply have to come back to the same user by definition or can it be routed out the PIX in Boston without first going back to the requestor?
Thanks.
03-25-2005 10:05 PM
Examining in detail what has to happen should answer your question.
The DNS lookup, and the connection to the website are 2 separate connections. First the PC connects to DNS to get the IP address, then connects to the Web site. I have omitted the PIX from the following steps, it simply protects your inside network, and does an address translation that doesn't change the basics.
1. User clicks on cisco.com link.
2. User's PC sends UDP port 53 DNS request to DNS server to resolve the name cisco.com.
3. DNS server responds to PC with UDP port 53 response resolving cisco.com to IP address 198.133.219.25.
4. PC sends TCP port 80 SYN packet to 198.133.219.25 to initiate HTTP session.
5. Cisco Web server at 198.133.219.25 responds with a SYN ACK to PC.
6. PC sends an ACK, and the session begins.
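To make step 2 and step 3 concrete, here is an added example (not the poster's code) that builds the UDP/53 A-record query the PC sends for cisco.com, constructs the server's reply carrying 198.133.219.25, and parses that reply the way a resolver does. The transaction id, the TTL and the reply itself are constructed values; no packets leave the machine. Once the answer is parsed, the TCP port 80 SYN in step 4 is a separate connection to the returned address, which this example deliberately does not open.

```python
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard DNS A query (what the PC sends to UDP port 53).

    Header: id, flags (RD set), 1 question, 0 answers, 0 authority, 0 additional.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name starting at offset `off`."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:                       # root label terminates the name
            off += 1
            break
        if ln & 0xC0 == 0xC0:             # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            sub, _ = _read_name(msg, ptr)
            labels.append(sub)
            off += 2
            break
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), off


def parse_response(msg: bytes, expected_txid: int):
    """Return [(name, ttl, ipv4)] for every A record in the answer section.

    The transaction id check is the resolver's basic defence against a
    reply that does not belong to the query it sent.
    """
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                   # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:     # A record: four octets of IPv4
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed server reply: echo the question, add one A record.

    The answer name is a compression pointer (0xC00C) to the question name at
    offset 12, exactly as real servers encode it.
    """
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = query[12:]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) \
        + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def resolve_offline(name: str, ip: str):
    """Step 2 and step 3 of the post, with the server's reply constructed locally."""
    query = build_query(name)             # PC -> DNS server, UDP/53
    reply = build_response(query, ip)     # DNS server -> PC, UDP/53 (constructed)
    return parse_response(reply, expected_txid=0x1234)


if __name__ == "__main__":
    for name, ttl, addr in resolve_offline("cisco.com", "198.133.219.25"):
        print(f"{name} -> {addr} (ttl {ttl}); next: TCP SYN to {addr}:80")
```

The only piece of state the PC carries from the DNS exchange into the HTTP exchange is the resolved address, which is why the two can take different paths through the network without affecting each other.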
03-26-2005 08:37 AM
Hello,
very nice explanation, thanks ! Worth keeping in mind whenever somebody has connectivity problems with websites...
GP
03-26-2005 10:11 AM
Thanks for your very insightful response. So, now that the PC needs to send a packet with the destination address of 198.133.219.25, it will be routed to the inside int of the PIX, which will be taken care of by the default route. When this packet arrives at the PIX, what will be in its destination address field, the 198.133.219.25 or the address of the default route?
thanks again.
03-26-2005 04:09 PM
Unless there is NAT involved, the source and destination IP addresses (layer 3) of a packet do not change as they pass through a network. The default route determines the next hop and the layer 2 address that will be used to build the frame that will be sent on. Each router (or PIX) in the path performs the same function of rebuilding the frame with the next hop layer 2 address. The layer 2 address may be an Ethernet MAC address, serial PPP or HDLC address, ATM or frame relay-- whatever type of link is being used.
03-28-2005 02:17 PM
Thanks again for your explanation - I really appreciate your very detailed and "right on the money" responses. Since you have mentioned NAT, I was wondering if I could take the liberty to ask a related question. This customer also mentioned that in the future, he wanted to NAT all the Internet traffic. So, I have created an isolated VLAN, configured a static NAT statement for the DNS in both, NY and Boston and created static routes to the DNS. Here is my dilemma: once the address is resolved and the PC is sending the packet to 198.133.219.25 to initiate HTTP session, how do I push it to the inside int of the PIX?
Thanks again
03-28-2005 06:48 PM
Once the traffic is coming from outside...
I think you can set a command in the PIX as
route inside 0.0.0.0 0.0.0.0 and your local interface that is connected to your LAN.
It should work...
If someone has more good suggestions, please share; I also want to see.
Thanks
03-29-2005 06:38 AM
The question is really like this: I have to use the inside interface of the PIX as my default route (let's say 10.60.3.4) for all the traffic in NY. At the same time, the inside int of the PIX has a private address that is different from this default route address. So, do I change the inside int of the PIX to the default route (10.60.3.4) or is there a way I could NAT that inside int. If there's a way, what is it?
Thanks
Thanks again.
04-07-2005 02:09 AM
You should indeed configure the pix to perform NAT.
This is done with an acl specifying which source adresses to process, and a nat & global command as below:
nat (inside) 1 acl
global (outside) 1
ip routing basically only requires a default route pointing to the outside next-hop router.
Regards,
Leo
03-27-2005 11:37 PM
This is what I think; if I am wrong please let me know...
Let me start from the basics...
Two types of addresses: routable (public IPs) and non-routable (private IPs).
If I am in a LAN and using a private IP, then the packet cannot reach the Internet. That's why we do the NAT/PAT on the PIX/router. Let's assume private IP 192.168.10.1.
If this is the case, then the packet will reach the router/PIX with SA 192.168.10.1 and DA 198.133.219.25.
The router/PIX will check the NAT/PAT, remove the 192.168.10.1 SA, and add the SA as configured in the translation it performs...
Then this packet will be forwarded to the next device, which will look up the L2 address, and so on...
If the IP is routable
and no NAT/PAT is involved, then the SA will be the same and the DA will be the same.
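The two cases described in this post and in the earlier reply about layer 3 addresses (no NAT: SA and DA untouched; NAT/PAT: SA rewritten, DA untouched) are easy to watch in code. The following is an added example, not the poster's or Cisco's code, of a minimal stateful PAT gateway like the nat/global pair Leo describes: it translates the source of packets from the inside network, leaves 198.133.219.25 as the destination, reverses the translation on the reply, and drops unsolicited inbound packets. The inside network 192.168.10.0/24, the outside address 203.0.113.5 and the port numbers are constructed values.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Only the layer 3/4 fields a NAT device rewrites or matches on."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PatGateway:
    """Stateful many-to-one NAT (PAT) on the inside->outside path.

    Equivalent in spirit to `nat (inside) 1 <acl>` + `global (outside) 1 <ip>`:
    the inside networks play the role of the ACL, outside_ip of the global pool.
    """

    def __init__(self, inside_nets, outside_ip, first_port=1024):
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        self.outside_ip = outside_ip
        self.next_port = first_port
        # (proto, outside_port) -> (inside_ip, inside_port): the xlate table
        self.table = {}
        self.reverse = {}

    def _is_inside(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside_nets)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside. Rewrites SA/sport only; DA is never touched."""
        if not self._is_inside(pkt.src):
            return pkt                     # routable source: forwarded as-is
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.reverse:        # allocate an outside port once per flow
            oport = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, oport)] = (pkt.src, pkt.sport)
            self.reverse[key] = oport
        return replace(pkt, src=self.outside_ip, sport=self.reverse[key])

    def inbound(self, pkt: Packet):
        """Outside -> inside. Only packets matching an existing xlate get through."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if pkt.dst != self.outside_ip or entry is None:
            return None                    # unsolicited: dropped, protects inside
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


def demo():
    """Walk the HTTP SYN from step 4 through the gateway and back."""
    gw = PatGateway(["192.168.10.0/24"], "203.0.113.5")
    syn = Packet("192.168.10.1", 40000, "198.133.219.25", 80)
    on_wire = gw.outbound(syn)             # what the Internet sees
    syn_ack = Packet("198.133.219.25", 80, on_wire.src, on_wire.sport)
    delivered = gw.inbound(syn_ack)        # what the PC receives
    return on_wire, delivered


if __name__ == "__main__":
    out, back = demo()
    print("outbound :", out)
    print("reply in :", back)
```

Note what stays constant: the destination 198.133.219.25 is untouched on the way out, so the routing decision at every hop is made on the real server address, and only the source side is rewritten; the reply is mapped back purely from the xlate entry the outbound packet created.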
04-15-2005 06:31 AM
David, does this paradigm change if there's a proxy server involved?
Thanks.