Non-routable addresses in the DMZ

Marty Enerson menerso at fallon.com
Thu Jul 15 18:50:52 UTC 1999


What we had was a DMZ with non-routable addresses.  Then DNS was in that zone and had a
non-routable address.  The DNS zone files were for the Internet and had basically two
addresses it was serving...the web server address and its own address.  But the zone
files contained the routable addresses of the two machines since the only people using the
two machines would be on the Internet.  When I started BIND it said that it couldn't
resolve its name because the port is bound to 192.168.40.10 but the DNS tables give a
routable number.

The only machines in the DMZ are non-routable, but the PIX gives them routable numbers.

1. yes
2. no, I have the routable number configured in the DNS files
3. yes, but they do not know (or care) what the non-routable numbers are.

I don't know about the "alias" command on the PIX.

We called Cisco and they were no help on how the DNS should be configured.  The DMZ works
great with either non-routable or routable addresses... but the DNS server is having the
prob.

Marty Enerson
I do stuff...

Michael Voight wrote:

> Marty Enerson wrote:
> >
> > I recently setup a Cisco PIX firewall with an "inside", "outside", and "DMZ"
> > network.  I split my DNS server to an internal and an external.  Our internal
> > network is using 192.168.xxx.xxx numbers and the DNS works fine.  My problem arose
> > when we setup non-routable addresses in the DMZ zone.  This is where our external DNS
> > server sits.  I gave the box a 192.168.xxx.xxx number.  The PIX gives it a routable
> > address.  The problem is that when I try to start BIND and it is just serving
> > routable addresses it wouldn't work going out on the EN card that had a non-routable
> > address bound to it.
>
> To clarify, are you saying the DNS server itself has a non-routable
> address, or that you have machines that are in DNS without routable
> addresses? What exactly wouldn't work going out the EN card?
>
> Are the machines with the non-routable addresses on the DMZ or inside?
> It sounds like
>
> 1. your external DNS server is on the DMZ interface of the PIX
> 2. you have non-routable hosts configured on this DNS server
> 3. Are you expecting external machines to get the non-routable
> addresses??
> or are you using the PIX "alias" command to have the PIX translate the
> DNS response packet to the external people?
>
> A more detailed explanation is needed.
> or perhaps you want to open a PIX case with Cisco TAC
>
> Michael Voight
> Cisco TAC
> (Yes, I support CDDM, CNR, DD, and I USED to support PIX)
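The deployment described in this thread, as an added example that is not from either poster: a minimal BIND configuration for an external nameserver sitting on a NAT'd DMZ, listening only on its private interface address while its zone publishes the routable addresses that the PIX translates. The private DNS address 192.168.40.10 is the one from the post; the zone name example.com, the public addresses 203.0.113.10 and 203.0.113.11 (documentation range) and the PIX static mappings in the comments are placeholders.

```conf
// ---- named.conf (assumed layout; BIND 8/9 syntax) ----
options {
    directory "/var/named";
    // Bind only to the address the box actually owns on the DMZ.
    // The routable address belongs to the PIX, not to this host,
    // so it must never appear in listen-on.
    listen-on { 192.168.40.10; };
    // A public-facing authoritative server should not recurse for the Internet.
    recursion no;
};

zone "example.com" {          // placeholder zone name
    type master;
    file "example.com.zone";
};

// ---- /var/named/example.com.zone ----
// Records carry the PUBLIC (routable) addresses only; the PIX maps them
// to the private DMZ hosts (placeholder statics shown in the comments).
$TTL 86400
@       IN  SOA  ns.example.com. hostmaster.example.com. (
                 1999071501 ; serial (placeholder)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; minimum
        IN  NS   ns.example.com.
ns      IN  A    203.0.113.10   ; PIX static: 203.0.113.10 <-> 192.168.40.10 (this server)
www     IN  A    203.0.113.11   ; PIX static: 203.0.113.11 <-> web server's private address
```

With this split only the PIX knows the 192.168 addresses; nothing in the zone data exposes them to Internet clients.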


