Configure Advanced Protocol Inspection
DNS inspection

The PIX Security Appliance knows that Domain Name System (DNS) queries are a one request, one answer conversation, so the connection slot is released immediately after a DNS answer is received. When the DNS A record is returned, the PIX applies address translation not only to the destination address, but also to the embedded IP address of the web server. This address is contained in the user data portion of the DNS reply packet. As a result, a web client on the inside network gets the address it needs to connect to the web server on the inside network. Prior to PIX Security Appliance Software Version 6.2, the PIX translated the embedded IP address with the help of the alias command. In PIX Security Appliance Software Version 6.2 or later, the PIX has full support for NAT of embedded IP addresses within a DNS response packet.

DNS Record Translation
The PIX Security Appliance features full support for NAT of DNS messages originating from either inside or outside interfaces. This means that if a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A record is translated correctly. It is no longer necessary to use the alias command to perform DNS doctoring.

In Figure , the client on the inside network issues an HTTP request to server 10.0.0.10, using the hostname cisco.com. The PIX Security Appliance translates the non-routable source address of the web client in the IP header and forwards the request to the DNS server on its outside interface. When the DNS A record is returned, the PIX applies address translation not only to the destination address, but also to the embedded IP address of the web server. This address is contained in the user data portion of the DNS reply packet. As a result, the web client on the inside network gets the address it needs to connect to the web server on the inside network. NAT of DNS messages is implemented in both the nat and static commands.
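To make concrete what rewriting the "user data portion" of the reply means, here is an added example, not PIX code or Cisco's: it walks a DNS reply (question section, then every resource record, following name compression pointers) and rewrites the address in each A record according to a global-to-local mapping of the kind a static command expresses. The global address 192.168.1.10 for the inside server 10.0.0.10, and the reply builder, are constructed assumptions for the figure's cisco.com scenario.

```python
import struct
import ipaddress

# Constructed static mapping (assumption), global -> local, as a PIX
# "static (inside,outside) 192.168.1.10 10.0.0.10" entry would express it.
STATIC_MAP = {"192.168.1.10": "10.0.0.10"}

def _skip_name(msg, off):  # offset just past a DNS name, handling compression pointers
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def _a_rdata_offsets(msg):
    """Yield the offset of the 4-byte address in every A record of a reply."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record: IPv4 address in user data
            yield off
        off += rdlen

def a_record_ips(msg):  # addresses carried in the reply's A records, in wire order
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in _a_rdata_offsets(msg)]

def doctor_dns_reply(msg, mapping):
    """Rewrite embedded A-record addresses per the map; everything else is untouched."""
    out = bytearray(msg)
    rewritten = 0
    for off in _a_rdata_offsets(msg):
        addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
        if addr in mapping:
            out[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
            rewritten += 1
    return bytes(out), rewritten

def build_reply(qname, ip):
    """Constructed sample reply: one question, one A answer whose owner is a pointer (0xC00C)."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 question, 1 answer
    question = name + struct.pack("!HH", 1, 1)                # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer
```

A reply for a name whose address is not in the mapping passes through unchanged, which is the behaviour to check when verifying that only the intended records are doctored.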
Lab Activity

Lab Exercise: Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

In this lab, the student will configure three PIX interfaces and configure access through the PIX Security Appliance.