DNS & PIX setup question

Tim Cantin tcantin at wellesley.edu
Wed Apr 13 12:59:08 UTC 2005


> >Background:
> >
> >I have two class B networks separated by a firewall. One network is public
> >(149.130/16) and the other is private (172.17/16). There's a pair of bind8
> >named's running on the 149.130 network which have no notion of the 172.17
> >network. Each server on the 172.17 network has a hosts file, and for everything
> >else they use the dns servers on the 149.130 network as their primary dns. (The
> >nsswitch.conf has hosts,dns for name resolution.)
> >
> >Plans:
> >
> >We're switching to a Cisco PIX firewall, and introducing the use of the Cisco
> >vpn client. Soon clients on the 149.130 network will connect via vpn to use
> >services in the 172.17 network, and thereby get a 172.17.x.x address for the
> >vpn adapter.
> >
> >Problem:
> >
> >The PIX needs to tell the vpn clients a dns server to use which resolves to
> >172.17 addresses where appropriate. I don't want to create a copy of our
> >existing dns servers behind the firewall, and keep both locations up-to-date.
> >Both networks think they are wellesley.edu (maybe that's my problem).
> >
> >Any ideas? I've tried about 6 or 8 theories, but I didn't want to cloud my
> >initial posting explaining them (and their failures) -- but I gladly will if
> >you're interested
> >
> I assume the VPN clients will be able to access 149.130/16 resources
> *and* 172.17/16 resources, right (?),

Yes

> so-called "split-tunnel",
> otherwise this is a fairly trivial problem (i.e. just point the VPN
> clients at a nameserver that serves only 172.17/16 addresses, since
> that's all they care about anyway).
> 
> I assume further that you have no option to segregate your 172.17/16
> resources by subdomain. If so, then that would also make the problem
> rather trivial -- just have the 149.130/16 nameservers serve the
> subdomain as a subzone, optionally with an "allow-query" that would only
> permit clients in the VPN address-pool range.

This is certainly the ultimate option, but I'm not in a position to cause this
pain and suffering to my dba's and sysadm's at the moment. :) (Several of the
servers on 172.17/16 are Oracle web servers, which apparently don't take kindly
to being renamed.)

> 
> If those options aren't available to you, then I don't see any way for
> you to avoid biting the bullet and having to maintain both 149.130/16
> and 172.17/16 data in at least one version of the wellesley.edu zone.
> You might be able to save yourself some maintenance headache by hosting
> the "VPN" version of the zone from the same nameserver instance as the
> "non-VPN" version, differentiating using the "view" feature, and then
> sharing the common data between views via an $INCLUDE file. But the
> bottom line is you would need to duplicate some of the data in multiple
> places (nameservers, instances or views), and it sounds like that's
> exactly what you're trying to avoid...
> 
> - Kevin

Yeh, this is where I settled on just before I sent my original query out to
this list. Thanks for confirming it!
 
-Tim
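The "view" plus $INCLUDE arrangement Kevin describes, written out as an added example (it is not configuration from either poster, and it assumes BIND 9, since the view feature does not exist in the bind8 mentioned in the original question). The VPN address pool (172.17.250.0/24), the nameserver and host names, and the file paths are placeholders chosen for illustration; only the two network prefixes and the wellesley.edu zone name come from the thread.

```conf
// ---- named.conf (BIND 9) ----
// The PIX hands VPN clients this server's address; their queries arrive
// from the VPN adapter, i.e. from inside the pool, so they match this ACL.
// 172.17.250.0/24 is a placeholder for the real PIX VPN pool.
acl "vpn-pool" { 172.17.250.0/24; };

// Views are tried in order and the first match-clients hit wins, so the
// narrow VPN view must come before the catch-all public view.
view "vpn" {
    match-clients { "vpn-pool"; };
    recursion yes;          // VPN clients also need everything else resolved
    zone "wellesley.edu" {
        type master;
        file "zones/wellesley.edu.vpn";
    };
};

view "public" {
    match-clients { any; };
    recursion no;           // placeholder; copy whatever the bind8 server does today
    zone "wellesley.edu" {
        type master;
        file "zones/wellesley.edu.public";
    };
};

; ---- zones/wellesley.edu.common ----
; Everything that is identical in both views lives here, once.
; Names and addresses are placeholders.
$TTL 3600
@       IN  SOA  ns1.wellesley.edu. hostmaster.wellesley.edu. (
                 2005041301 ; serial: bump it when EITHER view's data changes
                 3600 900 604800 3600 )
        IN  NS   ns1.wellesley.edu.
        IN  NS   ns2.wellesley.edu.
ns1     IN  A    149.130.0.53
ns2     IN  A    149.130.0.54
www     IN  A    149.130.1.80

; ---- zones/wellesley.edu.public ----
; What the rest of the world (and non-VPN 149.130 hosts) sees.
$INCLUDE zones/wellesley.edu.common
; Servers behind the PIX are deliberately absent from this file.

; ---- zones/wellesley.edu.vpn ----
; Same shared data, plus the 172.17 addresses only VPN clients should learn.
$INCLUDE zones/wellesley.edu.common
oracle1 IN  A    172.17.10.21
oracle2 IN  A    172.17.10.22
```

Two things to keep in mind when checking this. First, the view decision is made on the query's source address, so if a split-tunnel client happens to send its DNS queries out of its physical adapter rather than the tunnel, it will land in the public view and never see the 172.17 records; testing from a VPN client with a tool such as dig against each view is the quickest way to confirm the match. Second, the shared SOA means one serial governs both views, so any secondary servers only transfer a change when that serial in the common file is bumped, regardless of which view's file actually changed.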
