[c-nsp] Nto1 outside translations with PIX ?

Armin Wies hasenhei at gmail.com
Tue Feb 22 12:10:01 EST 2005


Hi Gert,

thank you for your reply.

On Tue, 22 Feb 2005 15:22:34 +0100, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
> 
> On Tue, Feb 22, 2005 at 11:21:39AM +0100, Armin Wies wrote:
> [..]
> > Now what happens if the DNS-query is sent to B ?
> > Again it will be forwarded to the server, the server sends an answer,
> > sees G and will decide for the interface X to send the packet.
> 
> If the software replies to an incoming query with a source address
> that doesn't match the destination address of the query, the software
> is broken and needs fixing.
> 
> (Besides this, I'm pretty sure that recent BINDs on Unix (at least) will
> handle this correctly, as the UDP response packet is not just passed
> to the OS to "pick a convenient source address", but BIND takes great
> care to make sure that the correct source address is used for all packets.

Gert, you are absolutely right and I was mistaken in this assumption.

> Watch out that you don't nail BIND to a specific source via named.conf)

I never wanted to do that, that's what the whole story is about ;-)

I did some packet-debugging on the PIX and I could see that the
packets originate from "the right" inside server address, but are
masked to only one of the outside addresses.

To me this does not look logical at all, and I don't yet understand what's
happening there.
In fact, the only thing we have about this server in the config (apart
from the conduits (I know ...)) are these two statics.

I have no idea why they are only masked with one of the outside addresses.


Best regards,
Armin