On 13.06.2014 12:20, Reuben Farrelly wrote:
> On 13/06/2014 8:09 PM, Nick Edwards wrote:
>> On 6/11/14, Jost Krieger <jost.krieger+dove...@rub.de> wrote:
>>> On Wed Jun 11 12:03:24 2014, Reindl Harald wrote:
>>>
>>>> Cisco routers by default mangle DNS traffic, break zone transfers
>>>> or even put before all CNAME blocks a $TTL 0 line that never appeared
>>>> on the master until you disable DNS ALG for UDP and TCP
>>>
>>> I believe that Cisco equipment will do such things, but I doubt it's the
>>> routers. Unless you plug a firewall card in.
>>
>> I think he means junk like PIX, I've never seen a 7200, 7300, 10K, or
>> any ASR do that.
>
> Actually you're both incorrect - this isn't a PIX/ASA specific thing and it
> does work that way on IOS routers in certain configurations. A Cisco IOS
> router (800/1800/1900 etc) running recent code will do this if you have a
> PAT rule translating port 53 from outside to inside.
>
> This isn't a configuration that is that common, and it is annoying when you
> run into it, but it's not something you can have happen "by accident" since
> you have to specifically configure port 53 to be NATted in to observe this
> behaviour. It's also easy to turn off (TBH I don't know why it's not off by
> default, but that's a separate matter).
>
> It doesn't impact normal outbound/dynamic NAT which is what most people use.
>
> I haven't tried 1:1 static NATs so can't verify if it works that way in that
> situation, though
We are running 1:1 static NAT and it is enabled by default in that situation; that's what I've been talking about the whole time. Nobody does single port-forwardings in a server environment, and *yes* you can have this happen "by accident", simply by having non-Cisco hardware before with the same 1:1 NAT and then getting a Cisco device due to a switch from bundled DSL lines to fiber.
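A way to confirm the symptom described in this thread from the secondary's side, as an added example that is not code from the thread or from any of the participants: compare the zone text the master serves with the copy that arrived through the NAT device, flag any `$`-directive the transferred copy contains that the master does not, and show the TTL each record ends up with. The two zone texts and the names under example.test. are constructed placeholders that reproduce the reported behaviour (a `$TTL 0` line inserted in front of the CNAME records).

```python
"""Check a received zone transfer against the master copy for injected
$TTL directives, and show the TTL each record ends up with.

Added example (not code from the mailing-list thread). The zone data below
is constructed to reproduce the symptom the thread describes: a DNS ALG in
the path inserting a "$TTL 0" line in front of CNAME records that the
master never served. Names under example.test. are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed: the zone as the master serves it.
MASTER_ZONE = """\
$TTL 3600
example.test.      IN SOA   ns1.example.test. hostmaster.example.test. (
                            2014061301 7200 900 1209600 3600 )
example.test.      IN NS    ns1.example.test.
ns1.example.test.  IN A     192.0.2.1
www.example.test.  IN CNAME ns1.example.test.
mail.example.test. IN CNAME ns1.example.test.
"""

# Constructed: the same zone as received through the mangling device.
TRANSFERRED_ZONE = """\
$TTL 3600
example.test.      IN SOA   ns1.example.test. hostmaster.example.test. (
                            2014061301 7200 900 1209600 3600 )
example.test.      IN NS    ns1.example.test.
ns1.example.test.  IN A     192.0.2.1
$TTL 0
www.example.test.  IN CNAME ns1.example.test.
mail.example.test. IN CNAME ns1.example.test.
"""

DIRECTIVE = re.compile(r"^\$(TTL|ORIGIN|INCLUDE|GENERATE)\b", re.IGNORECASE)


def normalise(zone: str) -> List[str]:
    """Strip comments and blank lines and collapse whitespace, so that the
    comparison only reacts to real content differences."""
    lines = []
    for raw in zone.splitlines():
        text = raw.split(";", 1)[0].strip()
        if text:
            lines.append(" ".join(text.split()))
    return lines


def injected_directives(master: str, transferred: str) -> List[Tuple[int, str, str]]:
    """Walk both copies in lockstep and return (line number in the transferred
    copy, directive, record that follows it) for every $-directive that the
    transferred copy contains at a position where the master has none."""
    m, t = normalise(master), normalise(transferred)
    findings = []
    mi = 0
    for ti, line in enumerate(t):
        if mi < len(m) and line == m[mi]:
            mi += 1                      # identical line, stay aligned
        elif DIRECTIVE.match(line):
            nxt = t[ti + 1] if ti + 1 < len(t) else ""
            findings.append((ti + 1, line, nxt))   # extra directive: flag it
        else:
            mi += 1                      # other mismatch: left to a full diff
    return findings


def effective_ttls(zone: str) -> Dict[Tuple[str, str], int]:
    """Map (owner, type) to the TTL a secondary would load, tracking $TTL.
    The constructed records carry no per-record TTL, so the active $TTL
    applies to each of them."""
    ttl = None
    result = {}
    for line in normalise(zone):
        tokens = line.split()
        if tokens[0].upper() == "$TTL":
            ttl = int(tokens[1])
            continue
        if "IN" not in tokens:           # continuation lines, other directives
            continue
        rtype = tokens[tokens.index("IN") + 1]
        result[(tokens[0], rtype)] = ttl
    return result


if __name__ == "__main__":
    for lineno, directive, record in injected_directives(MASTER_ZONE, TRANSFERRED_ZONE):
        print(f"line {lineno}: injected '{directive}' before '{record}'")
    before = effective_ttls(MASTER_ZONE)
    after = effective_ttls(TRANSFERRED_ZONE)
    for key in before:
        if before[key] != after[key]:
            print(f"{key[1]} {key[0]} TTL {before[key]} -> {after[key]}")
```

In practice the two inputs would be the master's zone file and the output of an AXFR taken through the device (for example a `dig ... axfr` capture saved to a file); if the check reports an injected directive, the CNAME records below it are loaded with a zero TTL on the secondary, which is the breakage the thread attributes to the DNS ALG.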